diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 3e7f7d5..25fce7a 100755
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -4,8 +4,8 @@ worker_rlimit_nofile 65535;
 # Include Modules
 include /etc/nginx/modules-enabled/*.conf;
 #load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
-load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
-load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
+#load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
+#load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
 # Include external config
 include /etc/nginx/conf.d/*.conf;
diff --git a/nginx/sites-available/librex.zzls.xyz.conf b/nginx/sites-available/librex.zzls.xyz.conf
new file mode 100755
index 0000000..ad613bc
--- /dev/null
+++ b/nginx/sites-available/librex.zzls.xyz.conf
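Review bot: With the two brotli `load_module` lines commented out, any `brotli on;` or `brotli_static on;` directive that still lives in the files pulled in by `include /etc/nginx/conf.d/*.conf;` or by the site configs will make `nginx -t` fail with an unknown-directive error, so the config test should be run before this is deployed; whether such directives exist cannot be seen from this hunk. If the modules are being dropped for good rather than paused, deleting the two lines and recording the reason in a comment such as `# brotli modules removed: <reason>` is clearer than leaving them next to the already-commented modsecurity line.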
@@ -0,0 +1,61 @@
+server {
+ access_log /dev/null;
+ error_log /dev/null;
+
+ server_name librex.zzls.xyz;
+ include configs/general.conf;
+ root /var/www/html/librex;
+ index index.php;
+
+ location ~ \.php$ {
+ include fastcgi.conf;
+ fastcgi_pass unix:/run/php/php-fpm.sock;
+ }
+
+ if ($server_protocol ~* "HTTP/1.0") {
+ return 444;
+ }
+ if ($http_user_agent ~* (python) ) {
+ return 403;
+ }
+
+ # Onion Service Header
+ #add_header Onion-Location http://searxdr3pqz4nydgnqocsia2xbywptxbkympa2emn7zlgggrir4bkfad.onion$request_uri;
+
+ # QUIC
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+ # CSP + Security Headers
+ include configs/securityheaders.conf;
+ #add_header Permissions-Policy "interest-cohort=()" always;
+ #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ #add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
+
+ quic_retry on;
+ quic_gso on;
+ ssl_early_data on;
+ ssl_session_ticket_key /etc/nginx/http3key.key;
+
+ listen 443 http3;
+ listen 443 ssl http2; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/librex.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/librex.zzls.xyz/privkey.pem; # managed by Certbot
+ #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+}
+
+server {
+ if ($host = librex.zzls.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name librex.zzls.xyz;
+ return 404; # managed by Certbot
+
+
+ }
diff --git a/nginx/streams/dns.conf b/nginx/streams/dns.conf
deleted file mode 100644
index 50567ba..0000000
--- a/nginx/streams/dns.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
-#log_format dns '$remote_addr [$time_local] $protocol "$dns_qname"';
-#access_log /var/log/nginx/dns-access.log dns;
-
- # Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
- #js_include /etc/nginx/njs.d/nginx_stream.js;
-
- # The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
- #js_set $dns_qname dns_get_qname;
-
-
-upstream dns {
- zone dns 64k;
- server 127.0.0.1:53;
-}
-server {
- #listen 853 http3;
- listen 853 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
-
- ssl_handshake_timeout 10s;
- ssl_session_cache shared:SSL:20m;
- ssl_session_timeout 4h;
- proxy_pass dns;
-}
diff --git a/nginx/streams/dns.conf.bak b/nginx/streams/dns.conf.bak
deleted file mode 100644
index fe75fa9..0000000
--- a/nginx/streams/dns.conf.bak
+++ /dev/null
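Review bot: `ssl_early_data on;` is enabled, but the `location ~ \.php$` block forwards nothing about it to PHP-FPM, so the application cannot distinguish a request that arrived in TLS 0-RTT data (which is replayable in transit) from a normal one; unless `fastcgi.conf` has been customised to do so, add `fastcgi_param Early-Data $ssl_early_data;` inside that location so the backend can answer 425 for anything non-idempotent. `ssl_session_ticket_key /etc/nginx/http3key.key;` pins a static ticket key, and every resumed session stays decryptable for as long as that file is kept, so it needs a documented rotation schedule (or the directive dropped so nginx generates a fresh key per start). `error_log /dev/null;` also discards FPM socket failures and configuration warnings, which hides exactly the kind of fault the first two points produce; an error log at `warn` level to a local file is a small privacy trade-off compared with losing every failure signal. The `if ($http_user_agent ~* (python) )` check is defeated by any client that sets a different user agent, so it should be read as a convenience filter rather than bot protection.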
@@ -1,28 +0,0 @@
-# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
-log_format dns '$remote_addr [$time_local] $protocol';
-access_log /var/log/nginx/dns-access.log dns;
-
- # Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
- #js_include /etc/nginx/njs.d/nginx_stream.js;
-
- # The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
- #js_set $dns_qname dns_get_qname;
-
-
-upstream dns-servers {
- #zone dns 64k;
- server 127.0.0.1:53;
-}
-server {
- #listen 853 http3;
- listen 853; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
-
- ssl_handshake_timeout 10s;
- ssl_session_cache shared:SSL:20m;
- ssl_session_timeout 4h;
- proxy_pass dns-servers;
-}