Fijxu/etc-configs
1
1
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity

Big refactor and shit in the nginx configs

Browse source
This commit is contained in:
Fijxu 2022-12-03 02:47:57 -03:00
parent c33be03583
commit 078be3cb59
23 changed files with 226 additions and 174 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
nginx/configs/general.conf Normal file
View file

@ -0,0 +1,11 @@
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
# brotli
#brotli on;
#brotli_comp_level 6;
#brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

20
nginx/configs/proxyheaders.conf Normal file
View file

@ -0,0 +1,20 @@
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy SSL
proxy_ssl_server_name on;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;

13
nginx/configs/securityheaders.conf Normal file
View file

@ -0,0 +1,13 @@
# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "sameorigin" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
#add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# . files
location ~ /\.(?!well-known) {
deny all;
}

109
nginx/nginx.conf
View file

@ -1,68 +1,53 @@
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
include /etc/nginx/conf.d/*.conf;
events {
worker_connections 768;
# multi_accept on;
worker_connections 65535;
multi_accept on;
}
http {
# Basic Settings
# Basic Settings
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 4096;
types_hash_bucket_size 64;
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
server_tokens off;
# MIME
include mime.types;
default_type application/octet-stream;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers off;
#
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
# SSL Settings
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers off;
# HTTP2 Settings
http2_max_field_size 64k;
http2_max_header_size 512k;
# Logging Settings
# Virtual Host Configs
include /etc/nginx/sites-enabled/*;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# Gzip Settings
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
# HTTP2 Settings
http2_max_field_size 64k;
http2_max_header_size 512k;
# Virtual Host Configs
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
# Headers ,XSS protection and security
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
# DDOS Protection
limit_conn_zone $binary_remote_addr zone=perip:10m;
# DDOS Protection
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn perip 100;
limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s;
@ -78,4 +63,32 @@ http {
keepalive_timeout 65s;
# maximum time between packets nginx is allowed to pause when sending the client data
send_timeout 10s;
# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}
}

0
nginx/sites-available/bapi.conf → nginx/sites-available-archive/bapi.conf
View file

0
nginx/sites-available/boards.conf → nginx/sites-available-archive/boards.conf
View file

0
nginx/sites-available/booyahtv.conf → nginx/sites-available-archive/booyahtv.conf
View file

0
nginx/sites-available/default → nginx/sites-available-archive/default
View file

0
nginx/sites-available/default.bak → nginx/sites-available-archive/default.bak
View file

0
nginx/sites-available/i2.conf → nginx/sites-available-archive/i2.conf
View file

0
nginx/sites-available/ii.conf → nginx/sites-available-archive/ii.conf
View file

0
nginx/sites-available/logstemp.conf → nginx/sites-available-archive/logstemp.conf
View file

0
nginx/sites-available/shorturl.conf → nginx/sites-available-archive/shorturl.conf
View file

0
nginx/sites-available/vanced.conf → nginx/sites-available-archive/vanced.conf
View file

11
nginx/sites-available/donate.zzls.xyz.conf
View file

@ -6,20 +6,13 @@ server {
index index.html index.htm index.nginx-debian.html;
server_name donate.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
location / {
try_files $uri $uri/ =404;
}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/donate.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/donate.zzls.xyz/privkey.pem; # managed by Certbot

181
nginx/sites-available/files.zzls.xyz.conf
View file

@ -1,96 +1,97 @@
server {
access_log /var/log/nginx/files.access.log combined;
access_log /var/log/nginx/files.access.log combined;
server_name files.zzls.xyz;
#root /var/www/files;
#index index.php /_h5ai/public/index.php;
if ($http_user_agent ~* (google) ) {
return 404;
}
server_name files.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
#root /var/www/files;
#index index.php /_h5ai/public/index.php;
if ($http_user_agent ~* (google) ) {
return 404;
}
location / {
if ($http_user_agent ~* (google) ) {
return 404;
}
root /mnt/blockstorage/wwwfiles;
index index.html index.php /_h5ai/public/index.php;
dav_ext_methods PROPFIND OPTIONS;
dav_access user:r group:r all:r;
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location /_h5ai/private {
return 403;
}
}
# location / {
# root /mnt/blockstorage/wwwfiles;
# autoindex on;
# autoindex_format xml;
# autoindex_exact_size off;
# autoindex_localtime on;
# xslt_stylesheet /var/www/html/assets/superbindex.xslt;
# xslt_string_param color-base00 '#18191A';
#
# }
# location /vods {
# alias /mnt/blockstorage/Auto-Stream-Recording-Twitch/vods;
# autoindex on;
# autoindex_format xml;
# autoindex_exact_size on;
# autoindex_localtime on;
# #xslt_stylesheet /var/www/html/assets/superbindex.xslt;
# #xslt_string_param color-base00 '#18191A';
# # #WebDAV
# # auth_basic realm_name;
# # auth_basic_user_file /etc/nginx/.passwords.list;
# # dav_methods PUT DELETE MKCOL COPY MOVE;
# # dav_ext_methods PROPFIND OPTIONS;
# # dav_access user:rw group:rw all:r;
# }
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location / {
if ($http_user_agent ~* (google) ) {
return 404;
}
root /mnt/blockstorage/wwwfiles;
index index.html index.php /_h5ai/public/index.php;
dav_ext_methods PROPFIND OPTIONS;
dav_access user:r group:r all:r;
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
location /_h5ai/private {
return 403;
}
}
# location / {
# root /mnt/blockstorage/wwwfiles;
# autoindex on;
# autoindex_format xml;
# autoindex_exact_size off;
# autoindex_localtime on;
# xslt_stylesheet /var/www/html/assets/superbindex.xslt;
# xslt_string_param color-base00 '#18191A';
#
# }
# location /vods {
# alias /mnt/blockstorage/Auto-Stream-Recording-Twitch/vods;
# autoindex on;
# autoindex_format xml;
# autoindex_exact_size on;
# autoindex_localtime on;
# #xslt_stylesheet /var/www/html/assets/superbindex.xslt;
# #xslt_string_param color-base00 '#18191A';
# # #WebDAV
# # auth_basic realm_name;
# # auth_basic_user_file /etc/nginx/.passwords.list;
# # dav_methods PUT DELETE MKCOL COPY MOVE;
# # dav_ext_methods PROPFIND OPTIONS;
# # dav_access user:rw group:rw all:r;
# }
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/files.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/files.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/files.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/files.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

3
nginx/sites-available/i.zzls.xyz.conf
View file

@ -6,10 +6,13 @@ server {
index index.html index.htm index.nginx-debian.html;
server_name i.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
location / {
client_max_body_size 51M;
proxy_pass http://127.0.0.1:40007/;
include configs/proxyheaders.conf;
}
#location /upload {

5
nginx/sites-available/logs.spanix.xyz.conf
View file

@ -2,11 +2,12 @@ server {
access_log /var/log/nginx/logs.spanix.access.log combined;
server_name logs.spanix.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
location / {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:40004;
include configs/proxyheaders.conf;
}
listen 443 ssl http2; # managed by Certbot

12
nginx/sites-available/logs.zzls.xyz.conf
View file

@ -3,13 +3,12 @@ server {
access_log /var/log/nginx/logs.access.log combined;
server_name logs.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
location / {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host; # so Invidious knows domain
proxy_http_version 1.1; # to keep alive
proxy_set_header Connection ""; # to keep alive
proxy_pass http://127.0.0.1:40003;
include configs/proxyheaders.conf;
# location ~ ^/(channel/rubius|channelid/39276140)/ {
# return 401 "Los logs de Rubius han sido deshabilitados";
@ -17,6 +16,7 @@ server {
# location ~ ^/(channel/ibai|channelid/83232866)/ {
# return 401 "Los logs de Ibai han sido deshabilitados";
# }
location ~ ^/(channel/*/user/zonianbot|channelid/*/user/zonianbot|channel/*/userid/670683053|channelid/*/userid/670683053)/ {
return 401 "XD";
}
@ -26,8 +26,8 @@ server {
error_page 502 = @fallback;
proxy_intercept_errors on;
}
}
location @fallback {
root /var/www/logs;
@ -45,7 +45,6 @@ server {
}
server {
access_log /var/log/nginx/notlogs.access.log combined;
server_name notlogs.zzls.xyz;
@ -54,7 +53,6 @@ server {
rewrite ^/(.*)$ https://logs.zzls.xyz/$1 redirect;
}
listen [::]:443 ssl http2; # managed by Certbot
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/logs.zzls.xyz/fullchain.pem; # managed by Certbot

18
nginx/sites-available/mail.zzls.xyz.conf
View file

@ -1,11 +1,12 @@
server {
access_log /var/log/nginx/mail.access.log combined;
root /var/www/mail;
root /var/www/mail;
index index.html index.htm index.nginx-debian.html;
server_name mail.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
location / {
try_files $uri $uri/ =404;
@ -19,7 +20,7 @@ server {
proxy_pass_header Authorization;
}
listen 443 ssl; # managed by Certbot
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mail.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mail.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
@ -29,15 +30,14 @@ server {
server {
if ($host = mail.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
} # managed by Certbot
server_name mail.zzls.xyz;
server_name mail.zzls.xyz;
listen 80;
return 404; # managed by Certbot
listen 80;
return 404; # managed by Certbot
}
}

5
nginx/sites-available/paste.zzls.xyz.conf
View file

@ -1,14 +1,15 @@
server {
access_log /var/log/nginx/paste.access.log combined;
server_name paste.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
location / {
proxy_pass http://127.0.0.1:40005/;
include configs/proxyheaders.conf;
}
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/paste.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/paste.zzls.xyz/privkey.pem; # managed by Certbot

3
nginx/sites-available/posts.zzls.xyz.conf
View file

@ -1,11 +1,12 @@
server {
access_log /var/log/nginx/posts.access.log combined;
root /var/www/posts;
index index.html index.htm index.nginx-debian.html;
server_name posts.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
listen 443 ssl http2; # managed by Certbot

9
nginx/sites-available/zzls.xyz.conf
View file

@ -4,6 +4,8 @@ server {
index index.html index.htm index.nginx-debian.html;
server_name zzls.xyz www.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
location /.well-known/matrix/client {
@ -19,16 +21,11 @@ server {
}
location / {
try_files $uri $uri/ =404;
}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
listen 443 ssl http2; # managed by Certbot