commit 509ddeea0dba767ed9606488f3821ec1e1a120da
Author: root
Date: Thu Mar 12 04:58:10 2026 +0000
Инициализация NGINX
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..3365293
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+set -e
+
+# Переменные (передаются через окружение или аргументы)
+# client_f7cloud - домен для клиента
+# ip_client_f7cloud - IP адрес клиента
+# hpb_f7cloud - домен для HPB
+# ip_hpb_f7cloud - IP адрес HPB
+# certbot_email - почта для получения сертификатов через certbot
+
+usage() {
+ echo "Использование: $0"
+ echo "Переменные (обязательно задать через экспорт или перед вызовом):"
+ echo " client_f7cloud - домен для клиента"
+ echo " ip_client_f7cloud - IP адрес клиента"
+ echo " hpb_f7cloud - домен для HPB"
+ echo " ip_hpb_f7cloud - IP адрес HPB"
+ echo " certbot_email - почта для сертификатов certbot"
+ echo ""
+ echo "Пример:"
+ echo " client_f7cloud=client.example.com ip_client_f7cloud=10.0.0.1 \\"
+ echo " hpb_f7cloud=hpb.example.com ip_hpb_f7cloud=10.0.0.2 \\"
+ echo " certbot_email=admin@example.com $0"
+ exit 1
+}
+
+for var in client_f7cloud ip_client_f7cloud hpb_f7cloud ip_hpb_f7cloud certbot_email; do
+ if [ -z "${!var}" ]; then
+ echo "Ошибка: не задана переменная $var"
+ usage
+ fi
+done
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+NGINX_SITES="/etc/nginx/sites-enabled"
+NGINX_SNIPPETS="/etc/nginx/snippets"
+
+echo "Установка nginx..."
+apt-get update
+apt-get install -y nginx
+
+echo "Установка certbot..."
+apt-get install -y certbot python3-certbot-nginx
+
+echo "Копирование конфигов с подстановкой переменных..."
+
+# Копируем sites-enabled (с заменой плейсхолдеров)
+mkdir -p "$NGINX_SITES"
+rsync -a --delete "$SCRIPT_DIR/sites-enabled/" "$NGINX_SITES/"
+for f in "$NGINX_SITES"/*.conf; do
+ [ -f "$f" ] || continue
+ sed -i \
+ -e "s|__CLIENT_F7CLOUD__|$client_f7cloud|g" \
+ -e "s|__IP_CLIENT_F7CLOUD__|$ip_client_f7cloud|g" \
+ -e "s|__HPB_F7CLOUD__|$hpb_f7cloud|g" \
+ -e "s|__IP_HPB_F7CLOUD__|$ip_hpb_f7cloud|g" \
+ "$f"
+done
+
+# Копируем snippets (с заменой плейсхолдеров)
+mkdir -p "$NGINX_SNIPPETS"
+rsync -a --delete "$SCRIPT_DIR/snippets/" "$NGINX_SNIPPETS/"
+for f in "$NGINX_SNIPPETS"/*.conf; do
+ [ -f "$f" ] || continue
+ sed -i \
+ -e "s|__CLIENT_F7CLOUD__|$client_f7cloud|g" \
+ -e "s|__IP_CLIENT_F7CLOUD__|$ip_client_f7cloud|g" \
+ -e "s|__HPB_F7CLOUD__|$hpb_f7cloud|g" \
+ -e "s|__IP_HPB_F7CLOUD__|$ip_hpb_f7cloud|g" \
+ "$f"
+done
+
+echo "Проверка конфигурации nginx..."
+nginx -t
+
+echo "Перезагрузка nginx..."
+systemctl reload nginx
+
+echo "Готово. Certbot установлен. Для получения сертификатов используйте:"
+echo " certbot --nginx -d $client_f7cloud -d $hpb_f7cloud --email $certbot_email --agree-tos"
diff --git a/sites-enabled/default b/sites-enabled/default
new file mode 120000
index 0000000..ad35b83
--- /dev/null
+++ b/sites-enabled/default
@@ -0,0 +1 @@
+/etc/nginx/sites-available/default
\ No newline at end of file
diff --git a/sites-enabled/f7cloud.ru.conf b/sites-enabled/f7cloud.ru.conf
new file mode 100644
index 0000000..bb6919b
--- /dev/null
+++ b/sites-enabled/f7cloud.ru.conf
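Review bot: The two `rsync -a --delete` lines in this hunk remove every file under /etc/nginx/sites-enabled and /etc/nginx/snippets that is not in the repository, so running the installer on a host that already serves other sites silently drops their vhosts and any locally added snippets, and the usage() text does not mention this. If a clean slate is intended, say so in usage(); otherwise `rsync -a "$SCRIPT_DIR/sites-enabled/" "$NGINX_SITES/"` (and the same for snippets) keeps existing files. The sed expressions interpolate the environment values unescaped into the replacement side, so a value containing `|`, `&` or `\` either breaks the expression or is interpreted by sed; a cheap guard is to reject values that do not look like a hostname or IP address before the loops run. The two substitution loops are identical apart from the directory and would read better as one function that takes the directory as its argument.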
@@ -0,0 +1,40 @@
+server {
+ server_name __CLIENT_F7CLOUD__;
+
+
+
+ server_tokens off;
+
+ location ^~ /.well-known/acme-challenge/ {
+ root /var/www/html;
+ try_files $uri =404;
+ }
+ location / {
+ proxy_pass http://__IP_CLIENT_F7CLOUD__:80;
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port 443;
+
+ proxy_read_timeout 3600;
+ proxy_send_timeout 3600;
+ proxy_connect_timeout 60;
+
+ proxy_buffering off;
+ proxy_request_buffering off;
+}
+
+ access_log /var/log/nginx/__CLIENT_F7CLOUD___access.log;
+ error_log /var/log/nginx/__CLIENT_F7CLOUD___error.log;
+
+ listen [::]:80;
+ listen 80;
+
+}
+
+
+
diff --git a/sites-enabled/hpb.f7cloud.ru.conf b/sites-enabled/hpb.f7cloud.ru.conf
new file mode 100644
index 0000000..6ad60ff
--- /dev/null
+++ b/sites-enabled/hpb.f7cloud.ru.conf
@@ -0,0 +1,35 @@
+include /etc/nginx/snippets/signaling-upstream-servers.conf;
+
+server {
+ listen 0.0.0.0:80;
+ listen [::]:80 ipv6only=on;
+
+ server_name __HPB_F7CLOUD__;
+ server_tokens off;
+
+ location ^~ /.well-known/acme-challenge/ {
+ root /var/www/html;
+ try_files $uri =404;
+ }
+
+ location / {
+ rewrite ^ https://$host$request_uri? permanent;
+ }
+ include /etc/nginx/snippets/signaling-forwarding.conf;
+ access_log /var/log/nginx/__HPB_F7CLOUD___access.log;
+ error_log /var/log/nginx/__HPB_F7CLOUD___error.log;
+}
+
+stream {
+ upstream coturn_backend {
+ server __IP_HPB_F7CLOUD__:5349;
+ }
+
+ server {
+ listen 5349; # TCP для TURN
+ listen 5349 udp; # UDP для звонков (ВАЖНО!)
+ proxy_pass coturn_backend;
+ proxy_timeout 1h;
+ proxy_connect_timeout 5s;
+ }
+}
diff --git a/snippets/fastcgi-php.conf b/snippets/fastcgi-php.conf
new file mode 100644
index 0000000..467a9e7
--- /dev/null
+++ b/snippets/fastcgi-php.conf
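Review bot: `proxy_set_header X-Forwarded-Proto https;` and `proxy_set_header X-Forwarded-Port 443;` in the `location /` block of sites-enabled/f7cloud.ru.conf are hard-coded although this server only has `listen 80;` and `listen [::]:80;`, so until a 443 server exists every plaintext request is reported to the upstream as HTTPS, and an application that trusts these headers (secure cookie flags, absolute URL generation, HSTS decisions) will act as if TLS were in place when it is not. Use `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-Port $server_port;` so the values follow the listener that actually accepted the request. Unlike hpb.f7cloud.ru.conf in the same commit, this server has no redirect of `/` to https, so the proxied backend stays reachable over plain HTTP after certificates are issued unless certbot's redirect option is chosen; a `rewrite ^ https://$host$request_uri? permanent;` in the port-80 server once the 443 block exists would close that. The closing brace of `location /` sits at column 0, which makes the nesting of the server block hard to follow.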
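Review bot: The `stream { ... }` block at the end of sites-enabled/hpb.f7cloud.ru.conf is in a file that the stock Debian/Ubuntu nginx.conf includes from inside the `http { }` context, where `stream` is not allowed, so the `nginx -t` step in install.sh should reject this configuration before anything is reloaded. Move the `stream` block into a file included at top level (next to the `http` include in /etc/nginx/nginx.conf, or a directory the main config includes outside `http`) and make sure the stream module is available — install.sh only installs `nginx`, and on Debian/Ubuntu the stream module may be a separate package; verify for the target release. Proxying TURN on 5349/tcp and 5349/udp through nginx also means coturn sees nginx's address as the client source, so whether relaying still works for real calls in this deployment should be tested rather than assumed. Separately, `include /etc/nginx/snippets/signaling-forwarding.conf;` sits inside the port-80 server, so the signaling endpoints are proxied over plaintext while `/` is redirected to https; once the 443 server exists the include belongs there.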
@@ -0,0 +1,13 @@
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+
+# Check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+fastcgi_index index.php;
+include fastcgi.conf;
diff --git a/snippets/headers.conf b/snippets/headers.conf
new file mode 100644
index 0000000..446d28a
--- /dev/null
+++ b/snippets/headers.conf
@@ -0,0 +1,8 @@
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Robots-Tag none always;
+add_header X-Download-Options noopen always;
+add_header X-Permitted-Cross-Domain-Policies none always;
+add_header Referrer-Policy no-referrer always;
+add_header X-Frame-Options "SAMEORIGIN" always;
diff --git a/snippets/signaling-forwarding.conf b/snippets/signaling-forwarding.conf
new file mode 100644
index 0000000..f6dbbce
--- /dev/null
+++ b/snippets/signaling-forwarding.conf
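Review bot: `add_header X-XSS-Protection "1; mode=block" always;` in snippets/headers.conf enables a browser filter that current browsers have removed and that was itself a source of cross-site information leaks; the usual guidance is `add_header X-XSS-Protection "0" always;` or dropping the line. None of the configs in this commit include headers.conf, so it has no effect yet; when it is included, remember that nginx's `add_header` directives are not inherited into any `location` that sets its own `add_header`, so each such location needs the include as well. The HSTS value also ends with a stray `;` inside the quotes (`preload;`), which browsers tolerate but a preload-list validator may reject; `"max-age=63072000; includeSubDomains; preload"` is the canonical form.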
@@ -0,0 +1,56 @@
+location /standalone-signaling/ {
+ proxy_pass http://signaling/;
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ proxy_read_timeout 3600;
+ proxy_send_timeout 3600;
+ proxy_connect_timeout 60;
+}
+
+location /standalone-signaling/spreed {
+ proxy_pass http://signaling/spreed;
+ proxy_http_version 1.1;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ proxy_read_timeout 3600;
+ proxy_send_timeout 3600;
+ proxy_connect_timeout 60;
+}
+
+location = /standalone-signaling {
+ proxy_pass http://signaling/;
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ proxy_read_timeout 3600;
+ proxy_send_timeout 3600;
+ proxy_connect_timeout 60;
+}
diff --git a/snippets/signaling-upstream-servers.conf b/snippets/signaling-upstream-servers.conf
new file mode 100644
index 0000000..fced3b4
--- /dev/null
+++ b/snippets/signaling-upstream-servers.conf
@@ -0,0 +1,4 @@
+upstream signaling {
+ server __IP_HPB_F7CLOUD__:8080;
+ keepalive 32;
+}
diff --git a/snippets/snakeoil.conf b/snippets/snakeoil.conf
new file mode 100644
index 0000000..ad26c3e
--- /dev/null
+++ b/snippets/snakeoil.conf
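Review bot: The `upstream signaling` block in snippets/signaling-upstream-servers.conf declares `keepalive 32;`, but the non-WebSocket locations in snippets/signaling-forwarding.conf (`/standalone-signaling/` and `= /standalone-signaling`) only set `proxy_http_version 1.1;` and never clear the Connection header, so nginx forwards whatever `Connection` the client sent and the keepalive pool is not used for those requests. Add `proxy_set_header Connection "";` directly after `proxy_http_version 1.1;` in those two locations; the `/standalone-signaling/spreed` location correctly sets `Connection "upgrade"` for the WebSocket and must keep it. The three blocks repeat the same ten proxy_set_header, buffering and timeout lines; moving them into one snippet (for example a `signaling-proxy-common.conf`) included from each location would keep them from drifting apart.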
@@ -0,0 +1,5 @@
+# Self signed certificates generated by the ssl-cert package
+# Don't use them in a production server!
+
+ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;