From 2275e26c16def742ade9c87b4c8772988c855770 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 21 Dec 2023 14:01:35 -0300 Subject: [PATCH] Refactor in pc xdxd --- nginx/conf.d/default.conf.bal | 44 +++++++++ nginx/configs/general.conf | 7 +- nginx/configs/robots.conf | 26 +++++ nginx/configs/robotsNone.conf | 1 + nginx/configs/security.conf | 5 - nginx/configs/ssl.conf | 2 +- nginx/configs/sslConfig.conf | 12 +++ nginx/mime.types | 99 +++++++++++++++++++ nginx/nginx.conf | 89 ++++++++++++----- .../4get.zzls.xyz.fallback.conf | 21 ++++ nginx/sites-available/blog.zzls.xyz.conf | 22 +++++ nginx/sites-available/cgit.zzls.xyz.conf | 41 ++++++++ nginx/sites-available/contador.zzls.xyz.conf | 15 +++ nginx/sites-available/files.zzls.xyz.conf | 69 ++++++------- nginx/sites-available/i.zzls.xyz.conf | 3 +- .../inv.zzls.xyz.fallback.conf | 17 ++++ nginx/sites-available/logs.zzls.xyz.conf | 23 +++-- nginx/sites-available/mail.zzls.xyz.conf | 77 ++++++++++----- nginx/sites-available/status.zzls.xyz.conf | 24 +++++ nginx/sites-available/zzls.xyz.conf | 89 ++++++++++------- .../sites-enabled/4get.zzls.xyz.fallback.conf | 1 + nginx/sites-enabled/4getus.zzls.xyz.conf | 95 ++++++++++++++++++ nginx/sites-enabled/blog.zzls.xyz.conf | 1 + nginx/sites-enabled/cgit.zzls.xyz.conf | 1 + nginx/sites-enabled/dav.zzls.xyz.conf | 43 ++++++++ nginx/sites-enabled/i.zzls.xyz.conf | 1 - .../sites-enabled/inv.zzls.xyz.fallback.conf | 1 + nginx/sites-enabled/lol.zzls.xyz.conf | 34 +++++++ nginx/sites-enabled/status.zzls.xyz.conf | 1 + nginx/sites-enabled/stream.zzls.xyz.conf | 61 ++++++++++++ 30 files changed, 787 insertions(+), 138 deletions(-) create mode 100644 nginx/conf.d/default.conf.bal create mode 100644 nginx/configs/robots.conf create mode 100644 nginx/configs/robotsNone.conf create mode 100644 nginx/configs/sslConfig.conf create mode 100755 nginx/mime.types create mode 100644 nginx/sites-available/4get.zzls.xyz.fallback.conf create mode 100755 nginx/sites-available/blog.zzls.xyz.conf create mode 100644 nginx/sites-available/cgit.zzls.xyz.conf create mode 100755 nginx/sites-available/contador.zzls.xyz.conf create mode 100644 nginx/sites-available/inv.zzls.xyz.fallback.conf create mode 100755 nginx/sites-available/status.zzls.xyz.conf create mode 120000 nginx/sites-enabled/4get.zzls.xyz.fallback.conf create mode 100644 nginx/sites-enabled/4getus.zzls.xyz.conf create mode 120000 nginx/sites-enabled/blog.zzls.xyz.conf create mode 120000 nginx/sites-enabled/cgit.zzls.xyz.conf create mode 100644 nginx/sites-enabled/dav.zzls.xyz.conf delete mode 120000 nginx/sites-enabled/i.zzls.xyz.conf create mode 120000 nginx/sites-enabled/inv.zzls.xyz.fallback.conf create mode 100644 nginx/sites-enabled/lol.zzls.xyz.conf create mode 120000 nginx/sites-enabled/status.zzls.xyz.conf create mode 100644 nginx/sites-enabled/stream.zzls.xyz.conf diff --git a/nginx/conf.d/default.conf.bal b/nginx/conf.d/default.conf.bal new file mode 100644 index 0000000..ff2ced6 --- /dev/null +++ b/nginx/conf.d/default.conf.bal @@ -0,0 +1,44 @@ +server { + listen 80; + server_name localhost; + + #access_log /var/log/nginx/host.access.log main; + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} +} + diff --git a/nginx/configs/general.conf b/nginx/configs/general.conf index 4483f8d..e07591a 100644 --- a/nginx/configs/general.conf +++ b/nginx/configs/general.conf @@ -10,4 +10,9 @@ gzip_types text/plain text/css text/xml application/json application/java #brotli_comp_level 6; #brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; -location /robots.txt { alias /var/www/html/robots.txt; } +#location /robots.txt { alias /var/www/html/robots.txt; } + +# FUCK SEMRUSH +if ($http_user_agent ~ (SemrushBot|Bytespider)) { + return 401; +} diff --git a/nginx/configs/robots.conf b/nginx/configs/robots.conf new file mode 100644 index 0000000..95e3837 --- /dev/null +++ b/nginx/configs/robots.conf @@ -0,0 +1,26 @@ +location /robots.txt { return 200 "User-agent: AhrefsBot +Disallow: / + +User-agent: dotbot +Disallow: / + +User-agent: SiteAuditBot +Disallow: / + +User-agent: SemrushBot-BA +Disallow: / + +User-agent: SemrushBot-SI +Disallow: / + +User-agent: SemrushBot-SWA +Disallow: / + +User-agent: SemrushBot-CT +Disallow: / + +User-agent: SplitSignalBot +Disallow: / + +User-agent: SemrushBot-COUB +Disallow: /"; } diff --git a/nginx/configs/robotsNone.conf b/nginx/configs/robotsNone.conf new file mode 100644 index 0000000..41d5193 --- /dev/null +++ b/nginx/configs/robotsNone.conf @@ -0,0 +1 @@ +location /robots.txt { return 200 "User-agent: *\nDisallow: /";} diff --git a/nginx/configs/security.conf b/nginx/configs/security.conf index f0ebe5f..09a6a28 100644 --- a/nginx/configs/security.conf +++ b/nginx/configs/security.conf @@ -6,8 +6,3 @@ add_header Referrer-Policy "no-referrer-when-downgrade" always; #add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always; add_header Permissions-Policy "interest-cohort=()" always; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; - -# . files -location ~ /\.(?!well-known) { - deny all; -} diff --git a/nginx/configs/ssl.conf b/nginx/configs/ssl.conf index 03e2d4d..026accd 100644 --- a/nginx/configs/ssl.conf +++ b/nginx/configs/ssl.conf @@ -1,4 +1,4 @@ ssl_certificate /etc/ssl/certs/zzlschain.pem; ssl_certificate_key /etc/ssl/private/zzlskey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; -ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; \ No newline at end of file +ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; diff --git a/nginx/configs/sslConfig.conf b/nginx/configs/sslConfig.conf new file mode 100644 index 0000000..74966c2 --- /dev/null +++ b/nginx/configs/sslConfig.conf @@ -0,0 +1,12 @@ +# SSL +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305: + ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; +ssl_prefer_server_ciphers off; +ssl_session_timeout 1d; +ssl_session_cache shared:MozSSL:10m; +ssl_session_tickets off; +ssl_early_data on; + +# Diffie-Hellman parameter for DHE ciphersuites +ssl_dhparam /etc/nginx/dhparam.pem; diff --git a/nginx/mime.types b/nginx/mime.types new file mode 100755 index 0000000..1c00d70 --- /dev/null +++ b/nginx/mime.types @@ -0,0 +1,99 @@ + +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/avif avif; + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + + font/woff woff; + font/woff2 woff2; + + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.oasis.opendocument.graphics odg; + application/vnd.oasis.opendocument.presentation odp; + application/vnd.oasis.opendocument.spreadsheet ods; + application/vnd.oasis.opendocument.text odt; + application/vnd.openxmlformats-officedocument.presentationml.presentation + pptx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + xlsx; + application/vnd.openxmlformats-officedocument.wordprocessingml.document + docx; + application/vnd.wap.wmlc wmlc; + application/wasm wasm; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 9aa2a9f..6d538a0 100755 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -3,6 +3,7 @@ worker_processes auto; worker_rlimit_nofile 65535; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; +load_module /usr/lib/nginx/modules/ngx_rtmp_module.so; include /etc/nginx/conf.d/*.conf; events { @@ -10,9 +11,52 @@ events { multi_accept on; } +rtmp_auto_push on; +rtmp_auto_push_reconnect 10s; + +rtmp { + + max_connections 1000; + + server { + listen 1935; + allow publish 0.0.0.0; + deny play all; + chunk_size 4096; + application live { + sync 100ms; +# play_restart on; + interleave on; +# wait_key on; +# wait_video on; + drop_idle_publisher 10s; + #dash + dash on; + dash_path /tmp/dash; + dash_fragment 1; + dash_playlist_length 10; + #hls + hls on; + hls_fragment_naming system; + hls_path /tmp/hls; + hls_fragment 1; + hls_playlist_length 10; + hls_continuous on; + #rtmp + #on_publish http://127.0.0.1:7069/forms/stream; + live on; + record off; + } + } +} + + http { -access_log off; -error_log /dev/null; + log_format limited '$remote_addr - $remote_user [$time_local] ' + '"$request_method /bogus $server_protocol" $status $body_bytes_sent ' + '"-" "Bogus/66.6"'; + access_log off; + error_log /dev/null; # Basic Settings charset utf-8; @@ -21,39 +65,21 @@ error_log /dev/null; tcp_nodelay on; server_tokens off; log_not_found off; - types_hash_max_size 4096; + types_hash_max_size 1024; types_hash_bucket_size 64; + server_names_hash_bucket_size 128; # MIME include mime.types; default_type application/octet-stream; # SSL - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; - ssl_prefer_server_ciphers off; - # - ssl_session_timeout 1d; - ssl_session_cache shared:MozSSL:10m; - ssl_session_tickets off; - - # Diffie-Hellman parameter for DHE ciphersuites - ssl_dhparam /etc/nginx/dhparam.pem; - - # HTTP2 Settings - http2_max_field_size 64k; - http2_max_header_size 512k; - - # Virtual Host Configs - include /etc/nginx/sites-enabled/*.conf; + include configs/sslConfig.conf; # DDOS Protection limit_conn_zone $binary_remote_addr zone=perip:10m; limit_conn perip 100; - limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s; - limit_req_zone $binary_remote_addr zone=static:10m rate=100r/s; - # reset timed out connections freeing ram reset_timedout_connection on; # maximum time between packets the client can pause when sending nginx any data @@ -61,10 +87,23 @@ error_log /dev/null; # maximum time the client has to send the entire header to nginx client_header_timeout 10s; # timeout which a single keep-alive client connection will stay open - keepalive_timeout 65s; + keepalive_timeout 60s; # maximum time between packets nginx is allowed to pause when sending the client data send_timeout 10s; - include /etc/nginx/snippets/maps.conf; + # QUIC AND HTTP3 SHIT + http3 on; + quic_retry on; + quic_gso on; + # PERFORMANCE / ASYNC I/O + aio threads=default; + aio_write on; + directio 2m; + + # Maps + include /etc/nginx/snippets/maps.conf; + + # Virtual Host Configs + include /etc/nginx/sites-enabled/*.conf; } diff --git a/nginx/sites-available/4get.zzls.xyz.fallback.conf b/nginx/sites-available/4get.zzls.xyz.fallback.conf new file mode 100644 index 0000000..f1b95d0 --- /dev/null +++ b/nginx/sites-available/4get.zzls.xyz.fallback.conf @@ -0,0 +1,21 @@ +# CLEARNET +server { + server_name 4get.zzls.xyz; + include configs/general.conf; + include configs/ssl.conf; + include configs/security.conf; + + location / { + return 301 https://4getus.zzls.xyz$request_uri; + } + + +} + +server { + if ($host = 4get.zzls.xyz) { + return 301 https://$host$request_uri; + } + listen 80; + server_name 4get.zzls.xyz; +} diff --git a/nginx/sites-available/blog.zzls.xyz.conf b/nginx/sites-available/blog.zzls.xyz.conf new file mode 100755 index 0000000..c5e815d --- /dev/null +++ b/nginx/sites-available/blog.zzls.xyz.conf @@ -0,0 +1,22 @@ +server { + access_log /var/log/nginx/blog.zzls.xyz.log combined; + + root /var/www/blog; + index index.html; + + server_name blog.zzls.xyz; + include configs/general.conf; + include configs/security.conf; + + listen 443 ssl http2; + include configs/ssl.conf; + +} +server { + if ($host = blog.zzls.xyz) { + return 301 https://$host$request_uri; + } + server_name blog.zzls.xyz; + listen 80; + return 404; # managed by Certbot +} diff --git a/nginx/sites-available/cgit.zzls.xyz.conf b/nginx/sites-available/cgit.zzls.xyz.conf new file mode 100644 index 0000000..a61ba79 --- /dev/null +++ b/nginx/sites-available/cgit.zzls.xyz.conf @@ -0,0 +1,41 @@ +# CLEARNET +server { + access_log /var/log/nginx/cgit.access.log; + server_name cgit.zzls.xyz; + include configs/general.conf; + include configs/security.conf; + root /usr/share/cgit; + try_files $uri @cgit; + + # Configure HTTP transport + #location ~ /.+/(info/refs|git-upload-pack) { +# include fastcgi_params; +# fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; +# fastcgi_param PATH_INFO $uri; +# fastcgi_param GIT_HTTP_EXPORT_ALL 1; +# fastcgi_param GIT_PROJECT_ROOT /srv/git; +# fastcgi_param HOME /srv/git; +# fastcgi_pass unix:/run/fcgiwrap.socket; +# } + + location @cgit { + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:/run/fcgiwrap.socket; + } + + listen 443 ssl; + http2 on; + include configs/ssl.conf; +} + +server { + if ($host = cgit.zzls.xyz) { + return 301 https://$host$request_uri; + } + listen 80; + server_name cgit.zzls.xyz; +} diff --git a/nginx/sites-available/contador.zzls.xyz.conf b/nginx/sites-available/contador.zzls.xyz.conf new file mode 100755 index 0000000..e289534 --- /dev/null +++ b/nginx/sites-available/contador.zzls.xyz.conf @@ -0,0 +1,15 @@ +server { +listen 80; +access_log /var/log/nginx/contador.xyz.log; + + root /var/www/website; + index contador.html; + + server_name contador.ayaya.beauty; + + location / { + try_files $uri $uri/ =404; +add_header Access-Control-Allow-Origin *; + } + +} diff --git a/nginx/sites-available/files.zzls.xyz.conf b/nginx/sites-available/files.zzls.xyz.conf index 80b6b0d..fabae7b 100755 --- a/nginx/sites-available/files.zzls.xyz.conf +++ b/nginx/sites-available/files.zzls.xyz.conf @@ -1,50 +1,51 @@ server { - access_log /var/log/nginx/files.zzls.xyz.log combined; + access_log /var/log/nginx/files.zzls.xyz.log combined; - server_name files.zzls.xyz; - include configs/general.conf; - include configs/security.conf; + server_name files.zzls.xyz; + include configs/general.conf; + include configs/security.conf; - location / { - if ($http_user_agent ~* (google) ) { - return 404; - } + location / { + if ($http_user_agent ~* (google) ) { + return 404; + } - root /mnt/blockstorage/files.zzls.xyz; - index index.html index.php /_h5ai/public/index.php; + root /mnt/blockstorage/files.zzls.xyz; + index index.html index.php /_h5ai/public/index.php; - location ~ [^/]\.php(/|$) { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - if (!-f $document_root$fastcgi_script_name) { - return 404; - } + location ~ [^/]\.php(/|$) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } - fastcgi_param HTTP_PROXY ""; + fastcgi_param HTTP_PROXY ""; - fastcgi_pass unix:/run/php/php7.4-fpm.sock; - fastcgi_index index.php; + fastcgi_pass unix:/run/php/php8.2-fpm.sock; + fastcgi_index index.php; - include fastcgi_params; + include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - } + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + } - location /_h5ai/private { - return 403; - } + location /_h5ai/private { + return 403; + } - } + } - listen 443 ssl http2; - include configs/ssl.conf; + listen 443 ssl; + http2 on; + include configs/ssl.conf; } server { - if ($host = files.zzls.xyz) { - return 301 https://$host$request_uri; - } - listen 80; - server_name files.zzls.xyz; - return 404; # managed by Certbot + if ($host = files.zzls.xyz) { + return 301 https://$host$request_uri; + } + listen 80; + server_name files.zzls.xyz; + return 404; # managed by Certbot } diff --git a/nginx/sites-available/i.zzls.xyz.conf b/nginx/sites-available/i.zzls.xyz.conf index 7f16c26..065cc0e 100755 --- a/nginx/sites-available/i.zzls.xyz.conf +++ b/nginx/sites-available/i.zzls.xyz.conf @@ -9,7 +9,8 @@ server { rewrite ^/(.*)$ https://i.ayaya.beauty/$1 redirect; } - listen 443 ssl http2; + listen 443 ssl; + http2 on include configs/ssl.conf; } diff --git a/nginx/sites-available/inv.zzls.xyz.fallback.conf b/nginx/sites-available/inv.zzls.xyz.fallback.conf new file mode 100644 index 0000000..9732d29 --- /dev/null +++ b/nginx/sites-available/inv.zzls.xyz.fallback.conf @@ -0,0 +1,17 @@ +server { + listen 80; + include configs/general.conf; + include configs/robotsNone.conf; + server_name inv.zzls.xyz; + root /var/www/website/invidious; + access_log /var/log/nginx/inv.zzls.xyz.fallback.conf.access.log; + + # QUIC + add_header Alt-Svc 'h3=":443"; ma=86400'; + + listen 443 ssl; + listen 443 quic; + http2 on; + include configs/ssl.conf; + +} diff --git a/nginx/sites-available/logs.zzls.xyz.conf b/nginx/sites-available/logs.zzls.xyz.conf index b2b6381..2066f15 100755 --- a/nginx/sites-available/logs.zzls.xyz.conf +++ b/nginx/sites-available/logs.zzls.xyz.conf @@ -9,16 +9,19 @@ server { proxy_pass http://127.0.0.1:40003; include configs/proxy.conf; - # location ~ ^/(channel/rubius|channelid/39276140)/ { - # return 401 "Los logs de Rubius han sido deshabilitados"; - # } - # location ~ ^/(channel/ibai|channelid/83232866)/ { - # return 401 "Los logs de Ibai han sido deshabilitados"; - # } + location ~ ^/(channel/rubius|channelid/39276140)/ { + return 401 "Los logs de Rubius han sido deshabilitados"; + } + location ~ ^/(channel/ibai|channelid/83232866)/ { + return 401 "Los logs de Ibai han sido deshabilitados"; + } - location ~ ^/(channel/*/user/zonianbot|channelid/*/user/zonianbot|channel/*/userid/670683053|channelid/*/userid/670683053)/ { - return 401 "XD"; - } + #location ~ ^/(channel/*/user/zonianbot|channelid/*/user/zonianbot|channel/*/userid/670683053|channelid/*/userid/670683053|channel/*/user/skybluecold|channelid/*/user/skybluecold|channel/*/userid/130372054|channelid/*/user/skybluecold)/ { + # return 401 "XD"; + # } + location ~* ^/(channel/.*/user/skybluecold|channelid/.*/user/skybluecold|channel/.*/userid/130372054|channelid/.*/userid/130372054){ + return 401 "lol"; +} location ~ ^/(channel/notfijxu|channelid/664947434)/ { return 401 "lol"; } @@ -32,7 +35,7 @@ server { index 50x.html; } - listen 443 ssl http2; + listen 443 ssl; include configs/ssl.conf; } diff --git a/nginx/sites-available/mail.zzls.xyz.conf b/nginx/sites-available/mail.zzls.xyz.conf index de21603..103df11 100755 --- a/nginx/sites-available/mail.zzls.xyz.conf +++ b/nginx/sites-available/mail.zzls.xyz.conf @@ -1,34 +1,63 @@ server { - access_log /var/log/nginx/mail.zzls.xyz.log combined; + access_log /var/log/nginx/mail.zzls.xyz.log combined; + error_log /var/log/nginx/mail.zzls.xyz.error; - root /var/www/mail; - index index.html; + root /var/www/mail; + index index.html index.php; - server_name mail.zzls.xyz; - include configs/general.conf; - include configs/security.conf; + server_name mail.zzls.xyz; + include configs/general.conf; - location / { - try_files $uri $uri/ =404; - } + location ^~ /baikal { + root /opt/baikal/html; + index index.php; + if (!-e $request_filename) { rewrite ^ /baikal/index.php last; } + rewrite ^/.well-known/caldav /dav.php redirect; + rewrite ^/.well-known/carddav /dav.php redirect; - location /radicale/ { - proxy_pass http://127.0.0.1:40001/; # The / is important! - proxy_set_header X-Script-Name /radicale; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_pass_header Authorization; - } + location ~ /(\.ht|Core|Specific|config) { + deny all; + return 404; + } - listen 443 ssl http2; - include configs/ssl.conf; + location ~ \.php$ { + if (!-f $request_filename) { return 404; } + try_files $uri =404; + include fastcgi_params; + fastcgi_split_path_info ^(.+\.php)(.*)$; + fastcgi_pass unix:/run/php/php8.2-fpm.sock; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + } + } + +# location @baikal { +# rewrite /baikal/(.*)$ /baikal/index.php?/$1 last; +# } + location /radicale/ { + proxy_pass http://127.0.0.1:40001/; + proxy_set_header X-Script-Name /radicale; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Remote-User $remote_user; + proxy_set_header Host $http_host; + } + + listen 443 ssl http2; + include configs/ssl.conf; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "sameorigin" always; + add_header Referrer-Policy "no-referrer-when-downgrade" always; +#add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always; + add_header Permissions-Policy "interest-cohort=()" always; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; } server { - if ($host = mail.zzls.xyz) { - return 301 https://$host$request_uri; - } - server_name mail.zzls.xyz; - listen 80; - return 404; # managed by Certbot + if ($host = mail.zzls.xyz) { + return 301 https://$host$request_uri; + } + server_name mail.zzls.xyz; + listen 80; + return 404; # managed by Certbot } diff --git a/nginx/sites-available/status.zzls.xyz.conf b/nginx/sites-available/status.zzls.xyz.conf new file mode 100755 index 0000000..5a86aa1 --- /dev/null +++ b/nginx/sites-available/status.zzls.xyz.conf @@ -0,0 +1,24 @@ +server { + access_log /var/log/nginx/status.zzls.xyz.log combined; + + server_name status.zzls.xyz; + include configs/general.conf; + include configs/security.conf; + + location / { + proxy_pass http://127.0.0.1:8080; + include configs/proxy.conf; + } + + listen 443 ssl; + include configs/ssl.conf; + +} +server { + if ($host = status.zzls.xyz) { + return 301 https://$host$request_uri; + } + listen 80; + server_name status.zzls.xyz; + return 404; # managed by Certbot +} diff --git a/nginx/sites-available/zzls.xyz.conf b/nginx/sites-available/zzls.xyz.conf index ad125b9..916d354 100755 --- a/nginx/sites-available/zzls.xyz.conf +++ b/nginx/sites-available/zzls.xyz.conf @@ -1,47 +1,64 @@ server { + access_log /var/log/nginx/zzls.xyz.log; + root /var/www/website; + index index.html; + server_name zzls.xyz www.zzls.xyz; + include configs/general.conf; + include configs/security.conf; - root /var/www/website; - index index.html; + location /.well-known/matrix/client { + return 200 '{"m.homeserver": {"base_url": "https://matrix.zzls.xyz"}, "org.matrix.msc3575.proxy": {"url": "https://matrix.zzls.xyz"}}'; + default_type application/json; + add_header Access-Control-Allow-Origin *; + } - server_name zzls.xyz www.zzls.xyz; - include configs/general.conf; - include configs/security.conf; + location /.well-known/matrix/server { + return 200 '{"m.server": "matrix.zzls.xyz:8448"}'; + default_type application/json; + add_header Access-Control-Allow-Origin *; + } - location /.well-known/matrix/client { - return 200 '{"m.homeserver": {"base_url": "https://matrix.zzls.xyz"}}'; - default_type application/json; - add_header Access-Control-Allow-Origin *; - } + location / { + try_files $uri $uri/ =404; + add_header Access-Control-Allow-Origin *; + expires 24h; + } - location /.well-known/matrix/server { - return 200 '{"m.server": "matrix.zzls.xyz:8448"}'; - default_type application/json; - add_header Access-Control-Allow-Origin *; - } + location /transparency { + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } - location / { - try_files $uri $uri/ =404; - } + listen 443 ssl http2; + include configs/ssl.conf; - location /transparency { - autoindex on; - autoindex_exact_size off; - autoindex_format html; - autoindex_localtime on; - } - - listen 443 ssl http2; - include configs/ssl.conf; } + server { - if ($host = www.zzls.xyz) { - return 301 https://$host$request_uri; - } - if ($host = zzls.xyz) { - return 301 https://$host$request_uri; - } - server_name zzls.xyz www.zzls.xyz; - listen 80; - return 404; # managed by Certbot + access_log /var/log/nginx/zzls.i2p.log; + listen 30001; + server_name zzlst7dauwprptpu2y7cxpetz4fl4jw73tivxhtnm7dla7m6teyq.b32.i2p; + + root /var/www/website; + index index.html; + + location / { + try_files $uri $uri/ =404; + } + +} + +server { + if ($host = www.zzls.xyz) { + return 301 https://$host$request_uri; + } + if ($host = zzls.xyz) { + return 301 https://$host$request_uri; + } + server_name zzls.xyz www.zzls.xyz; + listen 80; + return 404; # managed by Certbot } diff --git a/nginx/sites-enabled/4get.zzls.xyz.fallback.conf b/nginx/sites-enabled/4get.zzls.xyz.fallback.conf new file mode 120000 index 0000000..f9d6a29 --- /dev/null +++ b/nginx/sites-enabled/4get.zzls.xyz.fallback.conf @@ -0,0 +1 @@ +../sites-available/4get.zzls.xyz.fallback.conf \ No newline at end of file diff --git a/nginx/sites-enabled/4getus.zzls.xyz.conf b/nginx/sites-enabled/4getus.zzls.xyz.conf new file mode 100644 index 0000000..abb10bf --- /dev/null +++ b/nginx/sites-enabled/4getus.zzls.xyz.conf @@ -0,0 +1,95 @@ +# FUCK BOTS +limit_req_zone $binary_remote_addr zone=4get:10m rate=2r/s; + +# CLEARNET +server { + access_log /var/log/nginx/4getus.access.log; + error_log /var/log/nginx/4getus.error.log; + server_name 4getus.zzls.xyz; + include configs/general.conf; + root /var/www/4get-zzls/; + + location @upstream { + try_files $uri.php $uri/index.php =404; + fastcgi_pass unix:/run/php/php8.2-fpm.sock; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; + include fastcgi_params; + fastcgi_intercept_errors on; + } + + location / { + try_files $uri @upstream; + } + location /web { + try_files $uri @upstream; + limit_req zone=4get; + limit_req_status 444; + include snippets/torblacklist.conf; + include snippets/spys.me.proxies.blacklist.conf; + error_page 403 =302 /torisblocked; + } + location /torisblocked { + access_log /var/log/nginx/4getus.torblocked.access.log; + add_header Content-Type text/plain; + return 200 " + Tor and Proxies are not allowed in this service, sorry. + Check if this service offers a Tor version instead, if yes, use it, if not, well, there is no way to use this service. + + Tor y Proxies no estan permitidos en este servicio, lo siento. + Revisa si este servicio ofrece una version para Tor, si es asi, usalo, si no, pues no hay forma de usar este servicio."; + } + + location /data { + return 444; + } + + location ~* ^(.*)\.php$ { + return 301 $1; + } + + # Tor Header + add_header Onion-Location http://4getus.zzls2vhse6jeahgdz5snle37dnngmbeh4jgug5xvsdpmlchaw3ieonid.onion$request_uri; + + # CSP + Security Headers + include configs/security.conf; + include configs/ssl.conf; + listen 443 ssl; + listen 443 quic; + http2 on; + +} + +# TOR +server { + access_log /var/log/nginx/4getus.tor.access.log; + listen 80; + server_name 4getus.zzls2vhse6jeahgdz5snle37dnngmbeh4jgug5xvsdpmlchaw3ieonid.onion; + root /var/www/4get-zzls/; + + location @upstream { + try_files $uri.php $uri/index.php =404; + fastcgi_pass unix:/run/php/php8.2-fpm.sock; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; + include fastcgi_params; + fastcgi_intercept_errors on; + } + + location / { + try_files $uri @upstream; + } + + location ~* ^(.*)\.php$ { + return 301 $1; + } + +} + +server { + if ($host = 4getus.zzls.xyz) { + return 301 https://$host$request_uri; + } + listen 80; + server_name 4getus.zzls.xyz; +} diff --git a/nginx/sites-enabled/blog.zzls.xyz.conf b/nginx/sites-enabled/blog.zzls.xyz.conf new file mode 120000 index 0000000..e4d7c81 --- /dev/null +++ b/nginx/sites-enabled/blog.zzls.xyz.conf @@ -0,0 +1 @@ +../sites-available/blog.zzls.xyz.conf \ No newline at end of file diff --git a/nginx/sites-enabled/cgit.zzls.xyz.conf b/nginx/sites-enabled/cgit.zzls.xyz.conf new file mode 120000 index 0000000..a4543a9 --- /dev/null +++ b/nginx/sites-enabled/cgit.zzls.xyz.conf @@ -0,0 +1 @@ +../sites-available/cgit.zzls.xyz.conf \ No newline at end of file diff --git a/nginx/sites-enabled/dav.zzls.xyz.conf b/nginx/sites-enabled/dav.zzls.xyz.conf new file mode 100644 index 0000000..849b33c --- /dev/null +++ b/nginx/sites-enabled/dav.zzls.xyz.conf @@ -0,0 +1,43 @@ +server { + access_log /var/log/nginx/dav.access.log; + error_log /var/log/nginx/dav.error.log; + server_name dav.zzls.xyz; + include configs/general.conf; + root /opt/baikal/html; + index index.php + + rewrite ^/.well-known/caldav /dav redirect; + rewrite ^/.well-known/carddav /dav redirect; + + charset utf-8; + + location ~ /(\.ht|Core|Specific|config) { + deny all; + return 404; + } + + location ~ ^(.+\.php)(.*)$ { + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_split_path_info ^(.+\.php)(.*)$; + fastcgi_pass unix:/run/php/php8.2-fpm.sock; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + } + + # CSP + Security Headers + include configs/security.conf; + include configs/ssl.conf; + listen 443 ssl; + listen 443 quic; + http2 on; + +} + +server { + if ($host = dav.zzls.xyz) { + return 301 https://$host$request_uri; + } + listen 80; + server_name dav.zzls.xyz; +} diff --git a/nginx/sites-enabled/i.zzls.xyz.conf b/nginx/sites-enabled/i.zzls.xyz.conf deleted file mode 120000 index a5933b8..0000000 --- a/nginx/sites-enabled/i.zzls.xyz.conf +++ /dev/null @@ -1 +0,0 @@ -/etc/nginx/sites-available/i.zzls.xyz.conf \ No newline at end of file diff --git a/nginx/sites-enabled/inv.zzls.xyz.fallback.conf b/nginx/sites-enabled/inv.zzls.xyz.fallback.conf new file mode 120000 index 0000000..7e2b637 --- /dev/null +++ b/nginx/sites-enabled/inv.zzls.xyz.fallback.conf @@ -0,0 +1 @@ +../sites-available/inv.zzls.xyz.fallback.conf \ No newline at end of file diff --git a/nginx/sites-enabled/lol.zzls.xyz.conf b/nginx/sites-enabled/lol.zzls.xyz.conf new file mode 100644 index 0000000..366d191 --- /dev/null +++ b/nginx/sites-enabled/lol.zzls.xyz.conf @@ -0,0 +1,34 @@ +server { + access_log /var/log/nginx/lol.zzls.xyz.access.log; + server_name lol.zzls.xyz; + include configs/general.conf; + include configs/robotsNone.conf; + # security headers + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-referrer-when-downgrade" always; +#add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always; + add_header Permissions-Policy "interest-cohort=()" always; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + + location / { + proxy_pass http://127.0.0.1:40010; + include configs/proxy.conf; + } + + # QUIC + add_header Alt-Svc 'h3=":443"; ma=86400'; + + listen 443 ssl; + listen 443 quic; + http2 on; + include configs/ssl.conf; + +} +server { + if ($host = lol.zzls.xyz) { + return 301 https://$host$request_uri; + } + listen 80; + server_name lol.zzls.xyz; +} diff --git a/nginx/sites-enabled/status.zzls.xyz.conf b/nginx/sites-enabled/status.zzls.xyz.conf new file mode 120000 index 0000000..5aca602 --- /dev/null +++ b/nginx/sites-enabled/status.zzls.xyz.conf @@ -0,0 +1 @@ +../sites-available/status.zzls.xyz.conf \ No newline at end of file diff --git a/nginx/sites-enabled/stream.zzls.xyz.conf b/nginx/sites-enabled/stream.zzls.xyz.conf new file mode 100644 index 0000000..8118dc9 --- /dev/null +++ b/nginx/sites-enabled/stream.zzls.xyz.conf @@ -0,0 +1,61 @@ +# CLEARNET +server { + access_log /var/log/nginx/stream.access.log; + error_log /var/log/nginx/stream.error.log; + server_name stream.zzls.xyz; + include configs/general.conf; + + location /hls/ { + types { application/vnd.apple.mpegurl m3u8; video/mp2t ts; } + root /tmp/; + } + + location /dash/ { + types { application/dash+xml mpd; audio/mp4 m4a; video/mp4 m4v; } + root /tmp/; + } + + location = /streams { + rtmp_stat all; + rtmp_stat_stylesheet /stat.xsl; + } + + location /stat.xsl { + root /var/www/stream/public/; + } + + location /viewers/ { + default_type text/plain; + add_header Content-Type "text/plain"; + add_header Refresh "30; $request_uri"; + root /var/www/stream/public/; + try_files $uri /viewers.txt =404; + } + + location /posters/ { + root /var/www/stream/public/; + try_files $uri /offline.png =404; + } + + location / { + root /var/www/stream/public/; + try_files $uri $uri/hls.html =404; + } + + + # CSP + Security Headers + include configs/security.conf; + include configs/ssl.conf; + listen 443 ssl; + listen 443 quic; + http2 on; + +} + +server { + if ($host = stream.zzls.xyz) { + return 301 https://$host$request_uri; + } + listen 80; + server_name stream.zzls.xyz; +}