initial release

root/defaults/authelia-location.conf

@@ -0,0 +1,11 @@
+## Version 2020/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/authelia-location.conf
+# Make sure that your authelia container is in the same user defined bridge network and is named authelia
+# Make sure that the authelia configuration.yml has 'path: "authelia"' defined
+
+auth_request /authelia/api/verify;
+auth_request_set $target_url $scheme://$http_host$request_uri;
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+error_page 401 =302 https://$http_host/authelia/?rd=$target_url;

root/defaults/authelia-server.conf

@@ -0,0 +1,48 @@
+## Version 2020/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/authelia-server.conf
+# Make sure that your authelia container is in the same user defined bridge network and is named authelia
+
+location ^~ /authelia {
+    include /config/nginx/proxy.conf;
+    resolver 127.0.0.11 valid=30s;
+    set $upstream_authelia authelia;
+    proxy_pass http://$upstream_authelia:9091;
+}
+
+location = /authelia/api/verify {
+    internal;
+    resolver 127.0.0.11 valid=30s;
+    set $upstream_authelia authelia;
+    proxy_pass_request_body off;
+    proxy_pass http://$upstream_authelia:9091;
+    proxy_set_header Content-Length "";
+
+    # Timeout if the real server is dead
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+    # [REQUIRED] Needed by Authelia to check authorizations of the resource.
+    # Provide either X-Original-URL and X-Forwarded-Proto or
+    # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
+    # Those headers will be used by Authelia to deduce the target url of the user.
+    # Basic Proxy Config
+    client_body_buffer_size 128k;
+    proxy_set_header Host $host;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr; 
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-Uri $request_uri;
+    proxy_set_header X-Forwarded-Ssl on;
+    proxy_redirect  http://  $scheme://;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 4 32k;
+
+    # Advanced Proxy Config
+    send_timeout 5m;
+    proxy_read_timeout 240;
+    proxy_send_timeout 240;
+    proxy_connect_timeout 240;
+}

root/defaults/default

@@ -0,0 +1,147 @@
+## Version 2020/05/23 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default
+
+# redirect all traffic to https
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+	server_name _;
+	return 301 https://$host$request_uri;
+}
+
+# main server block
+server {
+	listen 443 ssl http2 default_server;
+	listen [::]:443 ssl http2 default_server;
+
+	root /config/www;
+	index index.html index.htm index.php;
+
+	server_name _;
+
+	# enable subfolder method reverse proxy confs
+	include /config/nginx/proxy-confs/*.subfolder.conf;
+
+	# all ssl related config moved to ssl.conf
+	include /config/nginx/ssl.conf;
+
+	# enable for ldap auth
+	#include /config/nginx/ldap.conf;
+
+	# enable for Authelia
+	#include /config/nginx/authelia-server.conf;
+
+	client_max_body_size 0;
+
+	location / {
+		try_files $uri $uri/ /index.html /index.php?$args =404;
+	}
+
+	location ~ \.php$ {
+		fastcgi_split_path_info ^(.+\.php)(/.+)$;
+		fastcgi_pass 127.0.0.1:9000;
+		fastcgi_index index.php;
+		include /etc/nginx/fastcgi_params;
+	}
+
+# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
+# notice this is within the same server block as the base
+# don't forget to generate the .htpasswd file as described on docker hub
+#	location ^~ /cp {
+#		auth_basic "Restricted";
+#		auth_basic_user_file /config/nginx/.htpasswd;
+#		include /config/nginx/proxy.conf;
+#		proxy_pass http://192.168.1.50:5050/cp;
+#	}
+
+}
+
+# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
+# notice this is a new server block, you need a new server block for each subdomain
+#server {
+#	listen 443 ssl http2;
+#	listen [::]:443 ssl http2;
+#
+#	root /config/www;
+#	index index.html index.htm index.php;
+#
+#	server_name cp.*;
+#
+#	include /config/nginx/ssl.conf;
+#
+#	client_max_body_size 0;
+#
+#	location / {
+#		auth_basic "Restricted";
+#		auth_basic_user_file /config/nginx/.htpasswd;
+#		include /config/nginx/proxy.conf;
+#		proxy_pass http://192.168.1.50:5050;
+#	}
+#}
+
+# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
+# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
+# notice this is a new server block, you need a new server block for each subdomain
+#server {
+#	listen 443 ssl http2;
+#	listen [::]:443 ssl http2;
+#
+#	root /config/www;
+#	index index.html index.htm index.php;
+#
+#	server_name heimdall.*;
+#
+#	include /config/nginx/ssl.conf;
+#
+#	include /config/nginx/ldap.conf;
+#
+#	client_max_body_size 0;
+#
+#	location / {
+#		# the next two lines will enable ldap auth along with the included ldap.conf in the server block
+#		auth_request /auth;
+#		error_page 401 =200 /ldaplogin;
+#
+#		include /config/nginx/proxy.conf;
+#		resolver 127.0.0.11 valid=30s;
+#		set $upstream_app heimdall;
+#		set $upstream_port 443;
+#		set $upstream_proto https;
+#		proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+#	}
+#}
+
+# sample reverse proxy config for "heimdall" via subdomain, with Authelia
+# Authelia container has to be running in the same user defined bridge network, with container name "authelia", and with 'path: "authelia"' set in its configuration.yml
+# notice this is a new server block, you need a new server block for each subdomain
+#server {
+#	listen 443 ssl http2;
+#	listen [::]:443 ssl http2;
+#
+#	root /config/www;
+#	index index.html index.htm index.php;
+#
+#	server_name heimdall.*;
+#
+#	include /config/nginx/ssl.conf;
+#
+#	include /config/nginx/authelia-server.conf;
+#
+#	client_max_body_size 0;
+#
+#	location / {
+#		# the next line will enable Authelia along with the included authelia-server.conf in the server block
+#		include /config/nginx/authelia-location.conf;
+#
+#		include /config/nginx/proxy.conf;
+#		resolver 127.0.0.11 valid=30s;
+#		set $upstream_app heimdall;
+#		set $upstream_port 443;
+#		set $upstream_proto https;
+#		proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+#	}
+#}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;

root/defaults/dns-conf/aliyun.ini

@@ -0,0 +1,6 @@
+# Obtain Aliyun RAM AccessKey
+# https://ram.console.aliyun.com/
+# And ensure your RAM account has AliyunDNSFullAccess permission.
+
+certbot_dns_aliyun:dns_aliyun_access_key = 12345678
+certbot_dns_aliyun:dns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef

root/defaults/dns-conf/cloudflare.ini

@@ -0,0 +1,9 @@
+# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20
+# Replace with your values
+
+# With global api key:
+dns_cloudflare_email = cloudflare@example.com
+dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
+
+# With token (comment out both lines above and uncomment below):
+#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

root/defaults/dns-conf/cloudxns.ini

@@ -0,0 +1,4 @@
+# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudxns/certbot_dns_cloudxns/__init__.py#L20
+# Replace with your values
+dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef
+dns_cloudxns_secret_key = 1122334455667788

root/defaults/dns-conf/cpanel.ini

@@ -0,0 +1,6 @@
+# Instructions: https://github.com/badjware/certbot-dns-cpanel#credentials
+# Replace with your values
+# include the scheme and the port number (usually 2083 for https)
+certbot_dns_cpanel:cpanel_url = https://cpanel.example.com:2083
+certbot_dns_cpanel:cpanel_username = username
+certbot_dns_cpanel:cpanel_password = 1234567890abcdef

root/defaults/dns-conf/digitalocean.ini

@@ -0,0 +1,3 @@
+# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-digitalocean/certbot_dns_digitalocean/__init__.py#L21
+# Replace with your value
+dns_digitalocean_token = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff

root/defaults/dns-conf/dnsimple.ini

@@ -0,0 +1,3 @@
+# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-dnsimple/certbot_dns_dnsimple/__init__.py#L20
+# Replace with your value
+dns_dnsimple_token = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw

root/defaults/dns-conf/dnsmadeeasy.ini

@@ -0,0 +1,4 @@
+# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-dnsmadeeasy/certbot_dns_dnsmadeeasy/__init__.py#L20
+# Replace with your values
+dns_dnsmadeeasy_api_key = 1c1a3c91-4770-4ce7-96f4-54c0eb0e457a
+dns_dnsmadeeasy_secret_key = c9b5625f-9834-4ff8-baba-4ed5f32cae55

root/defaults/dns-conf/domeneshop.ini

@@ -0,0 +1,4 @@
+# Instructions: https://github.com/domeneshop/certbot-dns-domeneshop#credentials
+# Replace with your values
+certbot_dns_domeneshop:dns_domeneshop_client_token=1234567890abcdef
+certbot_dns_domeneshop:dns_domeneshop_client_secret=1234567890abcdefghijklmnopqrstuvxyz1234567890abcdefghijklmnopqrs

root/defaults/dns-conf/gandi.ini

@@ -0,0 +1,3 @@
+# Instructions: https://github.com/obynio/certbot-plugin-gandi#usage
+# Replace with your value
+certbot_plugin_gandi:dns_api_key=APIKEY

root/defaults/dns-conf/google.json

@@ -0,0 +1,6 @@
+{
+  "instructions": "https://github.com/certbot/certbot/blob/master/certbot-dns-google/certbot_dns_google/__init__.py",
+  "_comment": "Replace with your values",
+  "type": "service_account",
+  "rest": "..."
+}

root/defaults/dns-conf/inwx.ini

@@ -0,0 +1,6 @@
+# Instructions: https://github.com/oGGy990/certbot-dns-inwx
+# Replace with your values
+certbot_dns_inwx:dns_inwx_url           = https://api.domrobot.com/xmlrpc/
+certbot_dns_inwx:dns_inwx_username      = your_username
+certbot_dns_inwx:dns_inwx_password      = your_password
+certbot_dns_inwx:dns_inwx_shared_secret = your_shared_secret optional

root/defaults/dns-conf/linode.ini

@@ -0,0 +1,3 @@
+# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-linode/certbot_dns_linode/__init__.py#L25
+# Replace with your values
+dns_linode_key = 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ64

root/defaults/dns-conf/luadns.ini

@@ -0,0 +1,4 @@
+# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-luadns/certbot_dns_luadns/__init__.py#L20
+# Replace with your values
+dns_luadns_email = user@example.com
+dns_luadns_token = 0123456789abcdef0123456789abcdef

root/defaults/dns-conf/nsone.ini

@@ -0,0 +1,3 @@
+# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-nsone/certbot_dns_nsone/__init__.py#L20
+# Replace with your value
+dns_nsone_api_key = MDAwMDAwMDAwMDAwMDAw

root/defaults/dns-conf/ovh.ini

@@ -0,0 +1,6 @@
+# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-ovh/certbot_dns_ovh/__init__.py#L20
+# Replace with your values
+dns_ovh_endpoint = ovh-eu
+dns_ovh_application_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
+dns_ovh_application_secret = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
+dns_ovh_consumer_key = MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw

root/defaults/dns-conf/rfc2136.ini

@@ -0,0 +1,11 @@
+# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-rfc2136/certbot_dns_rfc2136/__init__.py#L20
+# Replace with your values
+# Target DNS server
+dns_rfc2136_server = 192.0.2.1
+# TSIG key name
+dns_rfc2136_name = keyname.
+# TSIG key secret
+dns_rfc2136_secret = 4q4wM/2I180UXoMyN4INVhJNi8V9BCV+jMw2mXgZw/CSuxUT8C7NKKFs \
+AmKd7ak51vWKgSl12ib86oQRPkpDjg==
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA512

root/defaults/dns-conf/route53.ini

@@ -0,0 +1,5 @@
+# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-route53/certbot_dns_route53/__init__.py#L18
+# Replace with your values
+[default]
+aws_access_key_id=AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

root/defaults/dns-conf/transip.ini

@@ -0,0 +1,6 @@
+# Instructions: https://readthedocs.org/projects/certbot-dns-transip/
+# Convert the key to an RSA key (openssl rsa -in transip.key -out transip-rsa.key)
+# Place .key-file in the same directory as this file. Location "/config/dns-conf" is from within the container
+
+certbot_dns_transip:dns_transip_username = <transip_username>
+certbot_dns_transip:dns_transip_key_file = /config/dns-conf/transip-rsa.key

root/defaults/fail2ban/fail2ban.local

@@ -0,0 +1,4 @@
+[Definition]
+
+logtarget = /config/log/fail2ban/fail2ban.log
+dbfile = /config/fail2ban/fail2ban.sqlite3

root/defaults/fail2ban/filter.d/nginx-badbots.conf

@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+# Regexp to catch known spambots and software alike. Please verify
+# that it is your intent to block IPs which were driven by
+# above mentioned bots.
+
+
+[Definition]
+
+badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
+badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
+
+failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
+
+ignoreregex =
+
+# DEV Notes:
+# List of bad bots fetched from http://www.user-agents.org
+# Generated on Thu Nov  7 14:23:35 PST 2013 by files/gen_badbots.
+#
+# Author: Yaroslav Halchenko

root/defaults/fail2ban/filter.d/nginx-deny.conf

@@ -0,0 +1,15 @@
+# fail2ban filter configuration for nginx
+
+
+[Definition]
+
+
+failregex = ^ \[error\] \d+#\d+: \*\d+ (access forbidden by rule), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP\/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}
+
+# DEV NOTES:
+#
+# Author: Will L (driz@linuxserver.io)

root/defaults/jail.local

@@ -0,0 +1,57 @@
+## Version 2020/05/10 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/jail.local
+# This is the custom version of the jail.conf for fail2ban
+# Feel free to modify this and add additional filters
+# Then you can drop the new filter conf files into the fail2ban-filters
+# folder and restart the container
+
+[DEFAULT]
+
+# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
+banaction = iptables-allports
+
+# "bantime" is the number of seconds that a host is banned.
+bantime  = 600
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime  = 600
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+
+[ssh]
+
+enabled = false
+
+
+[nginx-http-auth]
+
+enabled  = true
+filter   = nginx-http-auth
+port     = http,https
+logpath  = /config/log/nginx/error.log
+
+
+[nginx-badbots]
+
+enabled  = true
+port     = http,https
+filter   = nginx-badbots
+logpath  = /config/log/nginx/access.log
+maxretry = 2
+
+
+[nginx-botsearch]
+
+enabled  = true
+port     = http,https
+filter   = nginx-botsearch
+logpath  = /config/log/nginx/access.log
+
+[nginx-deny]
+
+enabled  = true
+port     = http,https
+filter   = nginx-deny
+logpath  = /config/log/nginx/error.log

root/defaults/ldap.conf

@@ -0,0 +1,92 @@
+## Version 2020/06/02 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ldap.conf
+## this conf is meant to be used in conjunction with our ldap-auth image: https://github.com/linuxserver/docker-ldap-auth
+## see the heimdall example in the default site config for info on enabling ldap auth
+## for further instructions on this conf, see https://github.com/nginxinc/nginx-ldap-auth
+
+    location /ldaplogin {
+        resolver 127.0.0.11 valid=30s;
+        set $upstream_auth_app ldap-auth;
+        set $upstream_auth_port 9000;
+        set $upstream_auth_proto http;
+        proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
+        proxy_set_header X-Target $request_uri;
+    }
+
+    location = /auth {
+        resolver 127.0.0.11 valid=30s;
+        set $upstream_auth_app ldap-auth;
+        set $upstream_auth_port 8888;
+        set $upstream_auth_proto http;
+        proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
+
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+
+        #Before enabling the below caching options, make sure you have the line "proxy_cache_path cache/ keys_zone=auth_cache:10m;" at the bottom your default site config
+        #proxy_cache auth_cache;
+        #proxy_cache_valid 200 10m;
+        #proxy_cache_key "$http_authorization$cookie_nginxauth";
+
+        # As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
+        # communicates with a LDAP server, passing in the following
+        # parameters to specify which user account to authenticate. To
+        # eliminate the need to modify the Python code, this file contains
+        # 'proxy_set_header' directives that set the values of the
+        # parameters. Set or change them as instructed in the comments.
+        #
+        #    Parameter      Proxy header
+        #    -----------    ----------------
+        #    url            X-Ldap-URL
+        #    starttls       X-Ldap-Starttls
+        #    basedn         X-Ldap-BaseDN
+        #    binddn         X-Ldap-BindDN
+        #    bindpasswd     X-Ldap-BindPass
+        #    cookiename     X-CookieName
+        #    realm          X-Ldap-Realm
+        #    template       X-Ldap-Template
+
+        # (Required) Set the URL and port for connecting to the LDAP server,
+        # by replacing 'example.com'.
+        # Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
+        proxy_set_header X-Ldap-URL      "ldap://example.com";
+
+        # (Optional) Establish a TLS-enabled LDAP session after binding to the
+        # LDAP server.
+        # This is the 'proper' way to establish encrypted TLS connections, see
+        # http://www.openldap.org/faq/data/cache/185.html
+        #proxy_set_header X-Ldap-Starttls "true";
+
+        # (Required) Set the Base DN, by replacing the value enclosed in
+        # double quotes.
+        proxy_set_header X-Ldap-BaseDN   "cn=Users,dc=test,dc=local";
+
+        # (Required) Set the Bind DN, by replacing the value enclosed in
+        # double quotes.
+        # If AD, use "root@test.local"
+        proxy_set_header X-Ldap-BindDN   "cn=root,dc=test,dc=local";
+
+        # (Required) Set the Bind password, by replacing 'secret'.
+        proxy_set_header X-Ldap-BindPass "secret";
+
+        # (Required) The following directives set the cookie name and pass
+        # it, respectively. They are required for cookie-based
+        # authentication. Comment them out if using HTTP basic
+        # authentication.
+        proxy_set_header X-CookieName "nginxauth";
+        proxy_set_header Cookie nginxauth=$cookie_nginxauth;
+
+        # (Required if using Microsoft Active Directory as the LDAP server)
+        # Set the LDAP template by uncommenting the following directive.
+        #proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
+
+        # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
+        # template by uncommenting the following directive and replacing
+        # '(cn=%(username)s)' which is the default set in
+        # nginx-ldap-auth-daemon.py.
+        #proxy_set_header X-Ldap-Template "(cn=%(username)s)";
+
+        # (Optional) Set the realm name, by uncommenting the following
+        # directive and replacing 'Restricted' which is the default set
+        # in nginx-ldap-auth-daemon.py.
+        #proxy_set_header X-Ldap-Realm    "Restricted";
+    }

root/defaults/nginx.conf

@@ -0,0 +1,105 @@
+## Version 2019/12/19 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf
+
+user abc;
+worker_processes 4;
+pid /run/nginx.pid;
+include /etc/nginx/modules/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	variables_hash_max_size 2048;
+	large_client_header_buffers 4 16k;
+	
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	client_max_body_size 0;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /config/log/nginx/access.log;
+	error_log /config/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# nginx-naxsi config
+	##
+	# Uncomment it if you installed nginx-naxsi
+	##
+
+	#include /etc/nginx/naxsi_core.rules;
+
+	##
+	# nginx-passenger config
+	##
+	# Uncomment it if you installed nginx-passenger
+	##
+
+	#passenger_root /usr;
+	#passenger_ruby /usr/bin/ruby;
+
+	##
+	# Virtual Host Configs
+	##
+	include /etc/nginx/conf.d/*.conf;
+	include /config/nginx/site-confs/*;
+	lua_load_resty_core off;
+
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+#
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}
+daemon off;

root/defaults/proxy.conf

@@ -0,0 +1,32 @@
+## Version 2019/10/23 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/proxy.conf
+
+client_body_buffer_size 128k;
+
+#Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+# Advanced Proxy Config
+send_timeout 5m;
+proxy_read_timeout 240;
+proxy_send_timeout 240;
+proxy_connect_timeout 240;
+
+# TLS 1.3 early data
+proxy_set_header Early-Data $ssl_early_data;
+
+# Basic Proxy Config
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect  http://  $scheme://;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 32 4k;
+proxy_headers_hash_bucket_size 128;
+proxy_headers_hash_max_size 1024;

root/defaults/ssl.conf

@@ -0,0 +1,48 @@
+## Version 2020/06/17 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ssl.conf
+
+### Mozilla Recommendations
+# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_session_tickets off;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+
+### Linuxserver.io Defaults
+
+# Certificates
+ssl_certificate /config/keys/letsencrypt/fullchain.pem;
+ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
+
+# Diffie-Hellman Parameters
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# Resolver
+resolver 127.0.0.11 valid=30s; # Docker DNS Server
+
+# Enable TLS 1.3 early data
+ssl_early_data on;
+
+# HSTS, remove # from the line below to enable HSTS
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+# Optional additional headers
+#add_header Content-Security-Policy "upgrade-insecure-requests";
+#add_header X-Frame-Options "SAMEORIGIN" always;
+#add_header X-XSS-Protection "1; mode=block" always;
+#add_header X-Content-Type-Options "nosniff" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+#add_header Cache-Control "no-transform" always;
+#add_header Referrer-Policy "same-origin" always;