diff --git a/nginx/configs/general.conf b/nginx/configs/general.conf
new file mode 100644
index 0000000..cbd0161
--- /dev/null
+++ b/nginx/configs/general.conf
@@ -0,0 +1,11 @@
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+# brotli
+#brotli on;
+#brotli_comp_level 6;
+#brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
diff --git a/nginx/configs/proxyheaders.conf b/nginx/configs/proxyheaders.conf
new file mode 100644
index 0000000..8b0d71e
--- /dev/null
+++ b/nginx/configs/proxyheaders.conf
@@ -0,0 +1,20 @@
+proxy_http_version 1.1;
+proxy_cache_bypass $http_upgrade;
+
+# Proxy SSL
+proxy_ssl_server_name on;
+
+# Proxy headers
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Forwarded $proxy_add_forwarded;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+
+# Proxy timeouts
+proxy_connect_timeout 60s;
+proxy_send_timeout 60s;
+proxy_read_timeout 60s;
diff --git a/nginx/configs/securityheaders.conf b/nginx/configs/securityheaders.conf
new file mode 100644
index 0000000..864182d
--- /dev/null
+++ b/nginx/configs/securityheaders.conf
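Review bot: This file is included at server level by the proxied applications (paste, logs, i.zzls) as well as by the static sites, so response compression now applies to dynamic pages too; a dynamic response that reflects request data next to a per-session secret is the condition under which compression leaks that secret, so either confirm the proxied apps do not do that or keep `gzip_types` to static types and document the choice with `# gzip: applied to proxied apps as well — keep secrets out of reflected, compressed bodies`. The type list also differs from the one the removed nginx.conf block proposed (`application/xml`, `application/xml+rss`, `text/javascript` are gone), which looks accidental rather than chosen. A one-line comment saying `text/html` is always compressed would save the next reader from wondering why it is missing from the list.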
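Review bot: No `Host` header is set here, and none of the sites that now include this file set one either, so once the commit removes `proxy_set_header Host $http_host;` from logs.spanix.xyz.conf and `proxy_set_header Host $host; # so Invidious knows domain` from logs.zzls.xyz.conf the upstreams receive nginx's default of `$proxy_host`, i.e. `127.0.0.1:4000x`; add `proxy_set_header Host $host;` next to `X-Forwarded-Host` (the i.zzls.xyz.conf and paste.zzls.xyz.conf hunks inherit the same gap). `X-Forwarded-For $proxy_add_x_forwarded_for` and `Forwarded $proxy_add_forwarded` intentionally preserve whatever the client sent and append to it, so an upstream that reads the first address of either header for logging or rate limiting gets client-controlled data; `X-Real-IP $remote_addr` is the trustworthy value, or set `X-Forwarded-For $remote_addr` as the old per-site configs did. `Connection $connection_upgrade` resolves to `close` for ordinary requests, which gives up the upstream keep-alive that logs.zzls.xyz.conf previously obtained with `proxy_set_header Connection "";`; that is a behaviour change rather than a defect, but it deserves a comment here.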
@@ -0,0 +1,13 @@
+# security headers
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "sameorigin" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+#add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+add_header Permissions-Policy "interest-cohort=()" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+# . files
+location ~ /\.(?!well-known) {
+    deny all;
+}
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index f3f0b2e..3a07e15 100755
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
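Review bot: `X-XSS-Protection "1; mode=block"` enables a browser filter that current browsers no longer ship and that, where it did exist, was itself a source of cross-site information leaks; the current recommendation is to disable it explicitly with `add_header X-XSS-Protection "0" always;`. `Referrer-Policy "no-referrer-when-downgrade"` still sends the full URL to third parties over HTTPS, and `strict-origin-when-cross-origin` (the browser default now) is the safer drop-in. Because nginx inherits `add_header` only into blocks that declare none of their own, every header here silently disappears in any `location` of an including server that adds its own header; a comment at the top such as `# NOTE: any location that uses add_header must re-include this file` would prevent that surprise. The commented CSP, if it is ever enabled as written, permits `http:`, `data:` and `'unsafe-inline'` in `default-src`, which is close to no policy; leaving a note that it is a placeholder would stop someone from flipping it on as a hardening step.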
@@ -1,68 +1,53 @@ user www-data; worker_processes auto; +worker_rlimit_nofile 65535; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; +include /etc/nginx/conf.d/*.conf; events { - worker_connections 768; - # multi_accept on; + worker_connections 65535; + multi_accept on; } http { - # Basic Settings + # Basic Settings + charset utf-8; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + server_tokens off; + log_not_found off; + types_hash_max_size 4096; + types_hash_bucket_size 64; - sendfile on; - tcp_nopush on; - types_hash_max_size 2048; - server_tokens off; + # MIME + include mime.types; + default_type application/octet-stream; - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; + # SSL + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; + ssl_prefer_server_ciphers off; + # + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; - include /etc/nginx/mime.types; - default_type application/octet-stream; + # Diffie-Hellman parameter for DHE ciphersuites + ssl_dhparam /etc/nginx/dhparam.pem; - # SSL Settings - ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers off; + # HTTP2 Settings + http2_max_field_size 64k; + http2_max_header_size 512k; - # Logging Settings + # Virtual Host Configs + include /etc/nginx/sites-enabled/*; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - # Gzip Settings - - gzip on; - - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - # HTTP2 Settings - http2_max_field_size 64k; - 
http2_max_header_size 512k; - - # Virtual Host Configs - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; - - # Headers ,XSS protection and security - add_header Referrer-Policy "no-referrer-when-downgrade" always; - add_header Permissions-Policy "interest-cohort=()" always; - #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - - # DDOS Protection - limit_conn_zone $binary_remote_addr zone=perip:10m; + # DDOS Protection + limit_conn_zone $binary_remote_addr zone=perip:10m; limit_conn perip 100; limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s; 
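Review bot: `include /etc/nginx/conf.d/*.conf;` is now in the main context next to `modules-enabled`, whereas the removed line had it inside `http {}` under `# Virtual Host Configs`; if conf.d holds http-level directives or `server` blocks, as that directory conventionally does, `nginx -t` will reject them with "directive is not allowed here", so either move the include back into `http {}` or add a comment stating conf.d is reserved for main-context snippets. The http-level `access_log` and `error_log` lines are removed here and the per-site `access_log` lines go in the mail.zzls.xyz.conf, paste.zzls.xyz.conf, posts.zzls.xyz.conf and notlogs hunks, so those hosts fall back to the compiled-in defaults (on Debian builds `/var/log/nginx/access.log` and `error.log`, but that is build-dependent); confirm that is intended, since per-host log separation is lost and `log_not_found off` additionally keeps 404s out of the error log. `ssl_dhparam /etc/nginx/dhparam.pem;` introduces a new file nginx must find at start-up while every site still sets the certbot `ssl-dhparams.pem`, so one of the two is redundant and the http-level one is the one that can break startup if absent. The enclosing `http {}` block continues outside this hunk.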
@@ -78,4 +63,32 @@ http { keepalive_timeout 65s; # maximum time between packets nginx is allowed to pause when sending the client data send_timeout 10s; + + # Connection header for WebSocket reverse proxy + map $http_upgrade $connection_upgrade { + default upgrade; + "" close; + } + + map $remote_addr $proxy_forwarded_elem { + + # IPv4 addresses can be sent as-is + ~^[0-9.]+$ "for=$remote_addr"; + + # IPv6 addresses need to be bracketed and quoted + ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\""; + + # Unix domain socket names cannot be represented in RFC 7239 syntax + default "for=unknown"; + } + + map $http_forwarded $proxy_add_forwarded { + + # If the incoming Forwarded header is syntactically valid, append to it + "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem"; + + # Otherwise, replace it + default "$proxy_forwarded_elem"; + } + } diff --git a/nginx/sites-available/bapi.conf b/nginx/sites-available-archive/bapi.conf similarity index 100% rename from nginx/sites-available/bapi.conf rename to nginx/sites-available-archive/bapi.conf diff --git a/nginx/sites-available/boards.conf b/nginx/sites-available-archive/boards.conf similarity index 100% rename from nginx/sites-available/boards.conf rename to nginx/sites-available-archive/boards.conf 
diff --git a/nginx/sites-available/booyahtv.conf b/nginx/sites-available-archive/booyahtv.conf similarity index 100% rename from nginx/sites-available/booyahtv.conf rename to nginx/sites-available-archive/booyahtv.conf diff --git a/nginx/sites-available/default b/nginx/sites-available-archive/default similarity index 100% rename from nginx/sites-available/default rename to nginx/sites-available-archive/default diff --git a/nginx/sites-available/default.bak b/nginx/sites-available-archive/default.bak similarity index 100% rename from nginx/sites-available/default.bak rename to nginx/sites-available-archive/default.bak diff --git a/nginx/sites-available/i2.conf b/nginx/sites-available-archive/i2.conf similarity index 100% rename from nginx/sites-available/i2.conf rename to nginx/sites-available-archive/i2.conf diff --git a/nginx/sites-available/ii.conf b/nginx/sites-available-archive/ii.conf similarity index 100% rename from nginx/sites-available/ii.conf rename to nginx/sites-available-archive/ii.conf diff --git a/nginx/sites-available/logstemp.conf b/nginx/sites-available-archive/logstemp.conf similarity index 100% rename from nginx/sites-available/logstemp.conf rename to nginx/sites-available-archive/logstemp.conf diff --git a/nginx/sites-available/shorturl.conf b/nginx/sites-available-archive/shorturl.conf similarity index 100% rename from nginx/sites-available/shorturl.conf rename to nginx/sites-available-archive/shorturl.conf diff --git a/nginx/sites-available/vanced.conf b/nginx/sites-available-archive/vanced.conf similarity index 100% rename from nginx/sites-available/vanced.conf rename to nginx/sites-available-archive/vanced.conf diff --git a/nginx/sites-available/donate.zzls.xyz.conf b/nginx/sites-available/donate.zzls.xyz.conf index bb05310..4ae394b 100755 --- a/nginx/sites-available/donate.zzls.xyz.conf +++ b/nginx/sites-available/donate.zzls.xyz.conf 
@@ -6,20 +6,13 @@ server { index index.html index.htm index.nginx-debian.html; server_name donate.zzls.xyz; + include configs/general.conf; + include configs/securityheaders.conf; location / { - try_files $uri $uri/ =404; } - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header Referrer-Policy "no-referrer-when-downgrade" always; - add_header Permissions-Policy "interest-cohort=()" always; - add_header X-Frame-Options "sameorigin" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - - listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/donate.zzls.xyz/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/donate.zzls.xyz/privkey.pem; # managed by Certbot diff --git a/nginx/sites-available/files.zzls.xyz.conf b/nginx/sites-available/files.zzls.xyz.conf index 5c677ac..29a7bca 100755 --- a/nginx/sites-available/files.zzls.xyz.conf +++ b/nginx/sites-available/files.zzls.xyz.conf 
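Review bot: Removing `try_files $uri $uri/ =404;` leaves `location / { }` as an empty block; as far as I can tell the visible difference is only in how a directory request without a trailing slash is resolved (try_files handled it internally, the static handler answers with a redirect), so this is mostly a style point, but an empty location reads like an accident — either drop the block or keep the `try_files` line. The zzls.xyz.conf hunk leaves the same empty `location / { }`. The HSTS header for this host now comes from securityheaders.conf and gains `preload`, which the removed line did not carry; a short comment next to the include noting that preload is now zone-wide would make that change visible to whoever maintains the subdomains.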
@@ -1,96 +1,97 @@ server { - access_log /var/log/nginx/files.access.log combined; + access_log /var/log/nginx/files.access.log combined; - server_name files.zzls.xyz; - #root /var/www/files; - #index index.php /_h5ai/public/index.php; - if ($http_user_agent ~* (google) ) { - return 404; - } + server_name files.zzls.xyz; + include configs/general.conf; + include configs/securityheaders.conf; + #root /var/www/files; + #index index.php /_h5ai/public/index.php; + if ($http_user_agent ~* (google) ) { + return 404; + } + + location / { + if ($http_user_agent ~* (google) ) { + return 404; + } + + root /mnt/blockstorage/wwwfiles; + index index.html index.php /_h5ai/public/index.php; + + dav_ext_methods PROPFIND OPTIONS; + dav_access user:r group:r all:r; + + location ~ [^/]\.php(/|$) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_param HTTP_PROXY ""; + + fastcgi_pass unix:/run/php/php7.4-fpm.sock; + fastcgi_index index.php; + + include fastcgi_params; + + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + } + + location /_h5ai/private { + return 403; + } + + } + + # location / { + # root /mnt/blockstorage/wwwfiles; + # autoindex on; + # autoindex_format xml; + # autoindex_exact_size off; + # autoindex_localtime on; + # xslt_stylesheet /var/www/html/assets/superbindex.xslt; + # xslt_string_param color-base00 '#18191A'; + # + # } + + # location /vods { + # alias /mnt/blockstorage/Auto-Stream-Recording-Twitch/vods; + # autoindex on; + # autoindex_format xml; + # autoindex_exact_size on; + # autoindex_localtime on; + # #xslt_stylesheet /var/www/html/assets/superbindex.xslt; + # #xslt_string_param color-base00 '#18191A'; + # # #WebDAV + # # auth_basic realm_name; + # # auth_basic_user_file /etc/nginx/.passwords.list; + # # dav_methods PUT DELETE MKCOL COPY MOVE; + # # dav_ext_methods PROPFIND OPTIONS; + # # dav_access user:rw group:rw 
all:r; + # } + location ~ [^/]\.php(/|$) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + fastcgi_param HTTP_PROXY ""; + + fastcgi_pass unix:/run/php/php7.4-fpm.sock; + fastcgi_index index.php; + + include fastcgi_params; + + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + } - location / { - if ($http_user_agent ~* (google) ) { - return 404; - } - - root /mnt/blockstorage/wwwfiles; - index index.html index.php /_h5ai/public/index.php; - - dav_ext_methods PROPFIND OPTIONS; - dav_access user:r group:r all:r; - - location ~ [^/]\.php(/|$) { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - if (!-f $document_root$fastcgi_script_name) { - return 404; - } - - fastcgi_param HTTP_PROXY ""; - - fastcgi_pass unix:/run/php/php7.4-fpm.sock; - fastcgi_index index.php; - - include fastcgi_params; - - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - } - - location /_h5ai/private { - return 403; - } - - } - - # location / { - # root /mnt/blockstorage/wwwfiles; - # autoindex on; - # autoindex_format xml; - # autoindex_exact_size off; - # autoindex_localtime on; - # xslt_stylesheet /var/www/html/assets/superbindex.xslt; - # xslt_string_param color-base00 '#18191A'; - # - # } - - # location /vods { - # alias /mnt/blockstorage/Auto-Stream-Recording-Twitch/vods; - # autoindex on; - # autoindex_format xml; - # autoindex_exact_size on; - # autoindex_localtime on; - # #xslt_stylesheet /var/www/html/assets/superbindex.xslt; - # #xslt_string_param color-base00 '#18191A'; - # # #WebDAV - # # auth_basic realm_name; - # # auth_basic_user_file /etc/nginx/.passwords.list; - # # dav_methods PUT DELETE MKCOL COPY MOVE; - # # dav_ext_methods PROPFIND OPTIONS; - # # dav_access user:rw group:rw all:r; - # } - location ~ [^/]\.php(/|$) { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - if (!-f 
$document_root$fastcgi_script_name) { - return 404; - } - - fastcgi_param HTTP_PROXY ""; - - fastcgi_pass unix:/run/php/php7.4-fpm.sock; - fastcgi_index index.php; - - include fastcgi_params; - - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - } - - - listen 443 ssl http2; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/files.zzls.xyz/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/files.zzls.xyz/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + listen 443 ssl http2; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/files.zzls.xyz/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/files.zzls.xyz/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } diff --git a/nginx/sites-available/i.zzls.xyz.conf b/nginx/sites-available/i.zzls.xyz.conf index a3b44d3..1329fdf 100755 --- a/nginx/sites-available/i.zzls.xyz.conf +++ b/nginx/sites-available/i.zzls.xyz.conf @@ -6,10 +6,13 @@ server { index index.html index.htm index.nginx-debian.html; server_name i.zzls.xyz; + include configs/general.conf; + include configs/securityheaders.conf; location / { client_max_body_size 51M; proxy_pass http://127.0.0.1:40007/; + include configs/proxyheaders.conf; } #location /upload { diff --git a/nginx/sites-available/logs.spanix.xyz.conf b/nginx/sites-available/logs.spanix.xyz.conf index 591f882..191b1c5 100755 --- a/nginx/sites-available/logs.spanix.xyz.conf +++ b/nginx/sites-available/logs.spanix.xyz.conf 
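Review bot: The new side still has two copies of `location ~ [^/]\.php(/|$)`, one nested under `location /` and one at server level, and only the nested one sits under a `root`, since the server-level `root /var/www/files;` remains commented out; if I read nginx's location selection correctly, server-level regex locations are tried before the `/` prefix block is entered, so `/foo.php` reaches the outer copy with the compiled-in default document root and the nested copy never runs. Either delete the outer copy or give the server block a `root` and a comment explaining which one is authoritative. `fastcgi_param HTTP_PROXY "";` is correctly kept in both; once the duplicate is gone it only needs to live in one place. This hunk is otherwise a re-indentation, so the point pre-dates the commit but the commit is the natural place to settle it.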
@@ -2,11 +2,12 @@ server { access_log /var/log/nginx/logs.spanix.access.log combined; server_name logs.spanix.xyz; + include configs/general.conf; + include configs/securityheaders.conf; location / { - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Host $http_host; proxy_pass http://127.0.0.1:40004; + include configs/proxyheaders.conf; } listen 443 ssl http2; # managed by Certbot diff --git a/nginx/sites-available/logs.zzls.xyz.conf b/nginx/sites-available/logs.zzls.xyz.conf index 654707e..1e55ea7 100755 --- a/nginx/sites-available/logs.zzls.xyz.conf +++ b/nginx/sites-available/logs.zzls.xyz.conf @@ -3,13 +3,12 @@ server { access_log /var/log/nginx/logs.access.log combined; server_name logs.zzls.xyz; + include configs/general.conf; + include configs/securityheaders.conf; location / { - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Host $host; # so Invidious knows domain - proxy_http_version 1.1; # to keep alive - proxy_set_header Connection ""; # to keep alive proxy_pass http://127.0.0.1:40003; + include configs/proxyheaders.conf; # location ~ ^/(channel/rubius|channelid/39276140)/ { # return 401 "Los logs de Rubius han sido deshabilitados"; @@ -17,6 +16,7 @@ server { # location ~ ^/(channel/ibai|channelid/83232866)/ { # return 401 "Los logs de Ibai han sido deshabilitados"; # } + location ~ ^/(channel/*/user/zonianbot|channelid/*/user/zonianbot|channel/*/userid/670683053|channelid/*/userid/670683053)/ { return 401 "XD"; } @@ -26,8 +26,8 @@ server { error_page 502 = @fallback; proxy_intercept_errors on; - } + } location @fallback { root /var/www/logs; @@ -45,7 +45,6 @@ server { } server { - access_log /var/log/nginx/notlogs.access.log combined; server_name notlogs.zzls.xyz; 
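Review bot: In the logs.zzls.xyz.conf hunk at `@@ -17,6 +16,7 @@`, the new regex `^/(channel/*/user/zonianbot|channelid/*/user/zonianbot|channel/*/userid/670683053|channelid/*/userid/670683053)/` does not do what the alternatives suggest: `channel/*` is the literal text `channel` followed by zero or more slashes, not a channel segment, so `/channel/<name>/user/zonianbot` never matches and the block is dead. The intended rule is probably `location ~ ^/(channel|channelid)/[^/]+/(user/zonianbot|userid/670683053)/ { return 401 "XD"; }`. A `401` without a `WWW-Authenticate` header is also not what clients expect from that status; the neighbouring commented blocks use the same pattern, but `403` is the honest code for a deliberate block. The `proxy_set_header Host` removals in the logs.spanix.xyz.conf and first logs.zzls.xyz.conf hunks are covered in the note on proxyheaders.conf.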
@@ -54,7 +53,6 @@ server { rewrite ^/(.*)$ https://logs.zzls.xyz/$1 redirect; } - listen [::]:443 ssl http2; # managed by Certbot listen 443 ssl http2; # managed by Certbot ssl_certificate /etc/letsencrypt/live/logs.zzls.xyz/fullchain.pem; # managed by Certbot diff --git a/nginx/sites-available/mail.zzls.xyz.conf b/nginx/sites-available/mail.zzls.xyz.conf index 8c2b52a..7d89c2e 100755 --- a/nginx/sites-available/mail.zzls.xyz.conf +++ b/nginx/sites-available/mail.zzls.xyz.conf @@ -1,11 +1,12 @@ server { - access_log /var/log/nginx/mail.access.log combined; - root /var/www/mail; + root /var/www/mail; index index.html index.htm index.nginx-debian.html; server_name mail.zzls.xyz; + include configs/general.conf; + include configs/securityheaders.conf; location / { try_files $uri $uri/ =404; @@ -19,7 +20,7 @@ server { proxy_pass_header Authorization; } - listen 443 ssl; # managed by Certbot + listen 443 http2 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/mail.zzls.xyz/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/mail.zzls.xyz/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot @@ -29,15 +30,14 @@ server { server { if ($host = mail.zzls.xyz) { return 301 https://$host$request_uri; - } # managed by Certbot + } # managed by Certbot - - server_name mail.zzls.xyz; + server_name mail.zzls.xyz; - listen 80; - return 404; # managed by Certbot + listen 80; + return 404; # managed by Certbot -} \ No newline at end of file + } \ No newline at end of file diff --git a/nginx/sites-available/paste.zzls.xyz.conf b/nginx/sites-available/paste.zzls.xyz.conf index b652bac..c3dd5ff 100755 --- a/nginx/sites-available/paste.zzls.xyz.conf +++ b/nginx/sites-available/paste.zzls.xyz.conf 
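Review bot: Dropping `listen [::]:443 ssl http2;` from the notlogs.zzls.xyz server leaves that redirect host with an IPv4 listener only; if the logs.zzls.xyz server earlier in the same file (outside this hunk) still listens on `[::]:443`, an IPv6 client for notlogs.zzls.xyz is matched against whichever server is the default for that socket instead of receiving the redirect, so either keep the line or remove the IPv6 listener consistently across the file. In the mail.zzls.xyz.conf hunks the port-80 server now ends with an indented `    }` and "No newline at end of file", which is harmless to nginx but reads as an unfinished edit; `}` at column 0 plus a trailing newline would match the other files. The `listen 443 http2 ssl;` change there is fine as written.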
@@ -1,14 +1,15 @@ server { - access_log /var/log/nginx/paste.access.log combined; server_name paste.zzls.xyz; + include configs/general.conf; + include configs/securityheaders.conf; location / { proxy_pass http://127.0.0.1:40005/; + include configs/proxyheaders.conf; } - listen 443 ssl http2; # managed by Certbot ssl_certificate /etc/letsencrypt/live/paste.zzls.xyz/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/paste.zzls.xyz/privkey.pem; # managed by Certbot diff --git a/nginx/sites-available/posts.zzls.xyz.conf b/nginx/sites-available/posts.zzls.xyz.conf index dac49fa..7822e88 100755 --- a/nginx/sites-available/posts.zzls.xyz.conf +++ b/nginx/sites-available/posts.zzls.xyz.conf @@ -1,11 +1,12 @@ server { - access_log /var/log/nginx/posts.access.log combined; root /var/www/posts; index index.html index.htm index.nginx-debian.html; server_name posts.zzls.xyz; + include configs/general.conf; + include configs/securityheaders.conf; listen 443 ssl http2; # managed by Certbot diff --git a/nginx/sites-available/zzls.xyz.conf b/nginx/sites-available/zzls.xyz.conf index b497fd5..a80fde7 100755 --- a/nginx/sites-available/zzls.xyz.conf +++ b/nginx/sites-available/zzls.xyz.conf @@ -4,6 +4,8 @@ server { index index.html index.htm index.nginx-debian.html; server_name zzls.xyz www.zzls.xyz; + include configs/general.conf; + include configs/securityheaders.conf; location /.well-known/matrix/client { @@ -19,16 +21,11 @@ server { } location / { - try_files $uri $uri/ =404; } add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - add_header Referrer-Policy "no-referrer-when-downgrade" always; - add_header Permissions-Policy "interest-cohort=()" always; - add_header X-Frame-Options "sameorigin" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; + listen 443 ssl http2; # managed by Certbot
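Review bot: zzls.xyz.conf keeps its own `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` while the newly included securityheaders.conf adds the identical header at the same server level, so responses now carry two Strict-Transport-Security headers; remove the server-level line, as the commit already did for the other five headers in this hunk. RFC 6797 has user agents honour only the first occurrence, so this is not a weakening, but duplicated headers trip scanners and confuse the next reader. The paste.zzls.xyz.conf and posts.zzls.xyz.conf hunks drop their per-site `access_log`; that is discussed with the nginx.conf logging removal.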