From 45b3ef422ff268db35c9e5afd992709124eb43d5 Mon Sep 17 00:00:00 2001 From: "veil.nadeko.net" Date: Tue, 30 Jan 2024 02:05:12 -0300 Subject: [PATCH] init --- conf.d/ckg/ayaya.beauty.conf | 82 +++++++++++++++++++++++++ conf.d/ckg/breezewiki.nadeko.net.conf | 42 +++++++++++++ conf.d/ckg/search.nadeko.net.conf | 87 +++++++++++++++++++++++++++ configs/general.conf | 10 +++ configs/http3.conf | 2 + configs/proxy.conf | 20 ++++++ configs/robotsNone.conf | 1 + configs/security.conf | 6 ++ configs/ssl.conf | 5 ++ configs/sslConfig.conf | 12 ++++ configs/upstreams.conf | 11 ++++ fastcgi.conf | 27 +++++++++ nginx.conf | 65 ++++++++++++++++++++ snippets/maps.conf | 27 +++++++++ snippets/poop.conf | 9 +++ 15 files changed, 406 insertions(+) create mode 100644 conf.d/ckg/ayaya.beauty.conf create mode 100644 conf.d/ckg/breezewiki.nadeko.net.conf create mode 100644 conf.d/ckg/search.nadeko.net.conf create mode 100644 configs/general.conf create mode 100644 configs/http3.conf create mode 100644 configs/proxy.conf create mode 100644 configs/robotsNone.conf create mode 100644 configs/security.conf create mode 100644 configs/ssl.conf create mode 100644 configs/sslConfig.conf create mode 100644 configs/upstreams.conf create mode 100644 fastcgi.conf create mode 100644 nginx.conf create mode 100644 snippets/maps.conf create mode 100644 snippets/poop.conf diff --git a/conf.d/ckg/ayaya.beauty.conf b/conf.d/ckg/ayaya.beauty.conf new file mode 100644 index 0000000..5dc2dd1 --- /dev/null +++ b/conf.d/ckg/ayaya.beauty.conf 
@@ -0,0 +1,82 @@
+server {
+ access_log /var/log/nginx/ayaya.beauty.access.log combined;
+ error_log /var/log/nginx/ayaya.beauty.error.log;
+ server_name ayaya.beauty;
+ include configs/general.conf;
+ include configs/security.conf;
+ include configs/robotsNone.conf;
+ include snippets/torblacklist.conf;
+
+ root /var/www/fijxu/uguu/dist/public;
+ autoindex off;
+ index index.html index.php;
+
+ client_max_body_size 512M;
+
+ location ~* \.(css|js|jpg|jpeg|gif|png|ico|xml|eot|woff|woff2|ttf|svg|otf|x-icon|avif|webp|apng)$ {
+ expires 7d;
+ }
+
+ location ~ \.php$ {
+ fastcgi_pass php-fpm;
+ fastcgi_intercept_errors on;
+ fastcgi_index index.php;
+ fastcgi_split_path_info ^(.+\.php)(.*)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+
+ location /torisblocked {
+ alias errors/torisblocked.txt;
+ }
+
+ error_page 403 =302 /torisblocked;
+
+ # QUIC
+ #include configs/http3.conf;
+
+ listen 443 ssl;
+ http2 on;
+
+}
+
+server {
+ access_log /var/log/nginx/i.ayaya.beauty.access.log;
+ server_name i.ayaya.beauty;
+ include configs/general.conf;
+ include configs/security.conf;
+ include configs/robotsNone.conf;
+ root /var/www/fijxu/uguu/files;
+ autoindex off;
+
+ location / {
+ rewrite ^/(.*)/$ /\$1 break;
+ try_files $uri $uri/ =404;
+ error_page 401 402 403 404 =301 https://ayaya.beauty;
+ }
+
+ # QUIC
+ #include configs/http3.conf;
+
+ listen 443 ssl;
+ http2 on;
+
+}
+
+server {
+ if ($host = i.ayaya.beauty) {
+ return 301 https://$host$request_uri;
+ }
+ listen 80;
+ server_name i.ayaya.beauty;
+ return 404;
+}
+
+server {
+ if ($host = ayaya.beauty) {
+ return 301 https://$host$request_uri;
+ }
+ listen 80;
+ server_name ayaya.beauty;
+ return 404;
+}
diff --git a/conf.d/ckg/breezewiki.nadeko.net.conf b/conf.d/ckg/breezewiki.nadeko.net.conf
new file mode 100644
index 0000000..b903781
--- /dev/null
+++ b/conf.d/ckg/breezewiki.nadeko.net.conf
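Review bot: The `i.ayaya.beauty` block serves files straight out of the uguu upload directory (`root /var/www/fijxu/uguu/files`) with only the generic headers from `configs/security.conf`, so an uploaded HTML or SVG file renders with script in the `i.ayaya.beauty` origin unless uguu filters those types itself, which this config cannot enforce; adding `add_header Content-Security-Policy "default-src 'none'; sandbox" always;` to that server block neutralises stored uploads while still letting images display inline. In the `ayaya.beauty` block the `location ~ \.php$` passes `$document_root$fastcgi_script_name` without checking the file exists, so with PHP-FPM's `cgi.fix_pathinfo=1` a request like `/x.jpg/y.php` hands a non-PHP file to the interpreter; `try_files $uri =404;` before `fastcgi_pass` closes that. The `rewrite ^/(.*)/$ /\$1 break;` line is suspect: nginx has no `\$` escape, so this likely rewrites to a literal `/\` followed by the capture and the request falls through to the 404-to-redirect path rather than stripping the trailing slash — worth testing and probably `/$1`. Finally, both uguu vhosts log full `combined` access logs with client IPs while the rest of the config goes to `access_log off;` and a `limited` format; if that is not deliberate, `access_log /var/log/nginx/ayaya.beauty.access.log limited;` matches the rest.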
@@ -0,0 +1,42 @@
+server {
+ server_name breezewiki.nadeko.net;
+ include configs/general.conf;
+ include configs/security.conf;
+ include configs/robotsNone.conf;
+
+ location / {
+ proxy_pass http://breezewiki;
+ #include configs/proxy.conf;
+ }
+
+ # Onion Service Header
+ add_header Onion-Location http://breezewiki.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion$request_uri;
+
+ # QUIC
+ include configs/http3.conf;
+
+ listen 443 ssl;
+ http2 on;
+
+}
+
+server {
+ listen 127.0.0.1:10040;
+ server_name breezewiki.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion;
+ include configs/general.conf;
+ include configs/security.conf;
+ include configs/robotsNone.conf;
+
+}
+server {
+ set $x "";
+ if ($host = breezewiki.nadeko.net) {
+ set $x 1;
+ }
+ if ($x = 1) {
+ return 301 https://$host$request_uri;
+ }
+ listen 80;
+ server_name breezewiki.nadeko.net;
+ return 404;
+}
diff --git a/conf.d/ckg/search.nadeko.net.conf b/conf.d/ckg/search.nadeko.net.conf
new file mode 100644
index 0000000..c9037e0
--- /dev/null
+++ b/conf.d/ckg/search.nadeko.net.conf
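Review bot: The `.onion` server block on `127.0.0.1:10040` has no `location` and no `proxy_pass`, so requests arriving via the advertised `Onion-Location` header are answered from nginx's default document root instead of by BreezeWiki; it needs the same `location / { proxy_pass http://breezewiki; }` as the clearnet block (compare the search `.onion` block, which does carry its `@socket` location). In the clearnet block `include configs/proxy.conf;` is commented out, so the backend sees `Host: breezewiki` and the loopback address for every client with no `X-Forwarded-For`/`X-Forwarded-Proto`; if withholding client IPs from the upstream is intentional, say so in a comment (`# proxy.conf deliberately omitted: do not pass client IPs upstream`), otherwise enable the include. The `set $x`/`if` dance in the port-80 block is equivalent to a plain `return 301 https://$host$request_uri;` because `server_name` already limits the block to one host; the `return 404` is only reached when nginx picks this block as the default for an unknown Host.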
@@ -0,0 +1,87 @@
+server {
+ server_name search.zzls.xyz search.nadeko.net;
+ include configs/general.conf;
+
+ location @socket {
+ uwsgi_pass searxng;
+ include uwsgi_params;
+ uwsgi_param HTTP_HOST $host;
+ uwsgi_param HTTP_CONNECTION $http_connection;
+ # see flaskfix.py
+ uwsgi_param HTTP_X_SCHEME $scheme;
+ #uwsgi_param HTTP_X_SCRIPT_NAME /searxng;
+ # see limiter.py
+ uwsgi_param HTTP_X_REAL_IP $remote_addr;
+ uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+ }
+
+ location / {
+ try_files $uri @socket;
+ }
+
+ location /search {
+ try_files $uri @socket;
+ if ($server_protocol ~* "HTTP/1.1") {
+ return 444;
+ }
+ }
+
+ # Onion Service Header
+ add_header Onion-Location http://search.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion$request_uri;
+
+ # QUIC
+ include configs/http3.conf;
+
+ # CSP + Security Headers
+ add_header Permissions-Policy "interest-cohort=()" always;
+ add_header Strict-Transport-Security "max-age=63072000; preload" always;
+ add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
+
+ listen 443 ssl;
+ http2 on;
+
+}
+
+server {
+ listen 127.0.0.1:10040;
+ server_name search.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion;
+ include configs/general.conf;
+
+ location @socket {
+ uwsgi_pass searxng;
+ include uwsgi_params;
+ uwsgi_param HTTP_HOST $host;
+ uwsgi_param HTTP_CONNECTION $http_connection;
+ # see flaskfix.py
+ uwsgi_param HTTP_X_SCHEME $scheme;
+ #uwsgi_param HTTP_X_SCRIPT_NAME /searxng;
+ # see limiter.py
+ uwsgi_param HTTP_X_REAL_IP $remote_addr;
+ uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+ }
+
+ location / {
+ try_files $uri @socket;
+ }
+
+ # CSP + Security Headers
+ add_header Permissions-Policy "interest-cohort=()" always;
+ add_header Strict-Transport-Security "max-age=63072000; preload" always;
+ add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
+
+}
+server {
+ set $x "";
+ if ($host = search.zzls.xyz) {
+ set $x 1;
+ }
+ if ($host = search.nadeko.net) {
+ set $x 1;
+ }
+ if ($x = 1) {
+ return 301 https://$host$request_uri;
+ }
+ listen 80;
+ server_name search.zzls.xyz search.nadeko.net;
+ return 404;
+}
diff --git a/configs/general.conf b/configs/general.conf
new file mode 100644
index 0000000..b73e1df
--- /dev/null
+++ b/configs/general.conf
@@ -0,0 +1,10 @@
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+if ($poop) {
+ return 444;
+}
diff --git a/configs/http3.conf b/configs/http3.conf
new file mode 100644
index 0000000..5b826b1
--- /dev/null
+++ b/configs/http3.conf
@@ -0,0 +1,2 @@
+add_header Alt-Svc 'h3=":443"; ma=86400';
+listen 443 quic;
diff --git a/configs/proxy.conf b/configs/proxy.conf
new file mode 100644
index 0000000..3d8815b
--- /dev/null
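Review bot: Unlike the other two vhosts, neither search server block includes `configs/security.conf`, so the results pages leave nginx without `X-Content-Type-Options: nosniff` or a `Referrer-Policy` (unless SearXNG adds them itself), and on a page whose URL carries the query string a referrer policy is what keeps `q=` out of result sites' logs. The hand-written HSTS line here also differs from the shared one: `max-age=63072000; preload` without `includeSubDomains` is not eligible for the preload list, so either drop `preload` or add `include configs/security.conf;` and delete the duplicated `Permissions-Policy`/`Strict-Transport-Security` lines. The CSP whitelists `https://github.com/tiekoetter/searxng/issues/new` and `https://invidious.tiekoetter.com`, which look inherited from another instance's config and should be checked against this deployment's own issue tracker and embed hosts. The `if ($server_protocol ~* "HTTP/1.1") { return 444; }` tripwire in `location /search` only fires for that path and that exact protocol string — HTTP/1.0 clients and any other path that reaches `@socket` are untouched — so a comment such as `# best-effort bot filter: drop HTTP/1.1 on /search, real browsers use h2/h3` would stop the next reader from taking it for a hard control.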
+++ b/configs/proxy.conf
@@ -0,0 +1,20 @@
+proxy_http_version 1.1;
+proxy_cache_bypass $http_upgrade;
+
+# Proxy SSL
+proxy_ssl_server_name on;
+
+# Proxy headers
+proxy_set_header Upgrade $http_upgrade;
+#proxy_set_header Connection $connection_upgrade;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Forwarded $proxy_add_forwarded;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+
+# Proxy timeouts
+proxy_connect_timeout 60s;
+proxy_send_timeout 60s;
+proxy_read_timeout 60s;
diff --git a/configs/robotsNone.conf b/configs/robotsNone.conf
new file mode 100644
index 0000000..41d5193
--- /dev/null
+++ b/configs/robotsNone.conf
@@ -0,0 +1 @@
+location /robots.txt { return 200 "User-agent: *\nDisallow: /";}
diff --git a/configs/security.conf b/configs/security.conf
new file mode 100644
index 0000000..c4d3368
--- /dev/null
+++ b/configs/security.conf
@@ -0,0 +1,6 @@
+# security headers
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "same-origin" always;
+add_header X-Frame-Options "sameorigin" always;
+add_header Permissions-Policy "interest-cohort=()" always;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
diff --git a/configs/ssl.conf b/configs/ssl.conf
new file mode 100644
index 0000000..876192f
--- /dev/null
+++ b/configs/ssl.conf
@@ -0,0 +1,5 @@
+# ECDSA
+ssl_certificate /etc/ssl/nadeko.net/fullchain.ec.crt;
+ssl_certificate_key /etc/ssl/nadeko.net/nadeko.net.ec.key;
+
+include configs/sslConfig.conf;
diff --git a/configs/sslConfig.conf b/configs/sslConfig.conf
new file mode 100644
index 0000000..373ebde
--- /dev/null
+++ b/configs/sslConfig.conf
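Review bot: `proxy_set_header Upgrade $http_upgrade;` is forwarded but the matching `proxy_set_header Connection $connection_upgrade;` is left commented out, so with `proxy_http_version 1.1` nginx sends its default `Connection: close` and a WebSocket upgrade through this include cannot complete; `snippets/maps.conf` in this same commit already defines `$connection_upgrade`, so the line can simply be uncommented. If there is a reason to keep it disabled, a comment explaining it (`# Connection not forwarded: no WebSocket backends yet`) is better than a bare `#`. Note also that nothing in this commit includes this file — `breezewiki.nadeko.net.conf` has the include commented out — so the whole header set is currently dead config.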
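Review bot: This file is pulled in at `http` level from `nginx.conf`, and none of the `listen 443 ssl` blocks for `ayaya.beauty`, `i.ayaya.beauty` or `search.zzls.xyz` set their own `ssl_certificate`, so every TLS vhost presents `/etc/ssl/nadeko.net/fullchain.ec.crt`; that only works if that certificate carries SANs for those names, which this diff cannot show. Either record that assumption here (`# multi-SAN cert: must also cover ayaya.beauty, i.ayaya.beauty, search.zzls.xyz`) or give those server blocks their own `ssl_certificate`/`ssl_certificate_key` pair. The `# ECDSA` heading suggests an RSA fallback was considered; if one exists, a second `ssl_certificate` pair can be listed here, otherwise the comment can simply say the deployment is ECDSA-only.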
@@ -0,0 +1,12 @@
+# SSL
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ssl_prefer_server_ciphers off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_early_data on;
+
+# Custom 4096bits Diffie-Hellman parameter for DHE ciphersuites (Not the one bundled with letsencrypt
+# Changed to a custom one for trust purposes
+ssl_dhparam /etc/nginx/dhparam.pem;
diff --git a/configs/upstreams.conf b/configs/upstreams.conf
new file mode 100644
index 0000000..483c949
--- /dev/null
+++ b/configs/upstreams.conf
@@ -0,0 +1,11 @@
+upstream php-fpm {
+ server unix:/run/php/php-fpm.sock;
+}
+
+upstream searxng {
+ server unix:/usr/local/searxng/run/socket;
+}
+
+upstream breezewiki {
+ server 127.0.0.1:10001;
+}
diff --git a/fastcgi.conf b/fastcgi.conf
new file mode 100644
index 0000000..d53a628
--- /dev/null
+++ b/fastcgi.conf
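Review bot: `ssl_early_data on;` enables TLS 1.3 0-RTT for every vhost in this config, but neither the fastcgi nor the uwsgi parameter sets in this commit forward `$ssl_early_data`, so the uguu upload endpoint and SearXNG have no way to recognise a replayed 0-RTT POST and answer `425 Too Early`; replay protection has to live at the application layer, which is exactly what the variable exists for. Either set `ssl_early_data off;` here, or pass `fastcgi_param HTTP_EARLY_DATA $ssl_early_data if_not_empty;` and `uwsgi_param HTTP_EARLY_DATA $ssl_early_data if_not_empty;` in the backend locations and confirm the applications honour it. Unrelated nit: the comment `(Not the one bundled with letsencrypt` is missing its closing parenthesis.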
@@ -0,0 +1,27 @@
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param REMOTE_USER $remote_user;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..468218e
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,65 @@
+user www-data;
+worker_processes auto;
+worker_rlimit_nofile 65535;
+pid /run/nginx.pid;
+
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 4096;
+ multi_accept off;
+}
+
+http {
+ log_format limited '$remote_addr - $remote_user [$time_local] '
+ '"$request_method /bogus $server_protocol" $status $body_bytes_sent '
+ '"-" "Bogus/66.6"';
+
+ access_log off;
+ error_log /dev/null;
+
+ # Basic Settings
+ charset utf-8;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ server_tokens off;
+ log_not_found off;
+ types_hash_max_size 1024;
+ types_hash_bucket_size 64;
+ server_names_hash_bucket_size 128;
+
+ # MIME
+ include mime.types;
+
+ # SSL
+ include configs/ssl.conf;
+
+ # reset timed out connections freeing ram
+ reset_timedout_connection on;
+ # maximum time between packets the client can pause when sending nginx any data
+ client_body_timeout 10s;
+ # maximum time the client has to send the entire header to nginx
+ client_header_timeout 10s;
+ # timeout which a single keep-alive client connection will stay open
+ keepalive_timeout 65s;
+ # maximum time between packets nginx is allowed to pause when sending the client data
+ send_timeout 10s;
+
+ # PERFORMANCE / ASYNC I/O
+ aio threads=default;
+ aio_write on;
+ directio 2m;
+
+ # Maps
+ include /etc/nginx/snippets/maps.conf;
+ include /etc/nginx/snippets/poop.conf;
+
+ # Upstreams
+ include /etc/nginx/configs/upstreams.conf;
+
+ # Aqui esta wisp.conf
+ include /etc/nginx/conf.d/root/*.conf;
+ # Aqui deje mi carpeta para mis configuraciones, para evitar confusiones.
+ include /etc/nginx/conf.d/ckg/*.conf;
+}
diff --git a/snippets/maps.conf b/snippets/maps.conf
new file mode 100644
index 0000000..f5d9827
--- /dev/null
+++ b/snippets/maps.conf
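Review bot: There is no catch-all `default_server` on 443 anywhere in this commit, so a TLS connection with an unknown SNI or Host (a scan by IP address, a stale DNS name) is served by whichever `server` nginx loads first — presumably something from `conf.d/root/` (not in this diff) or the `ayaya.beauty` block — and gets a real site and a real certificate instead of a refusal. A dedicated block `server { listen 443 ssl default_server; ssl_reject_handshake on; }` plus `server { listen 80 default_server; return 444; }` makes the behaviour explicit and also lets the per-vhost port-80 blocks drop their `if ($host = ...)`/`return 404` fallbacks. `error_log /dev/null;` discards every error including upstream failures, certificate problems and config warnings; if the goal is to keep client data out of logs, `error_log /var/log/nginx/error.log crit;` retains the operationally important entries with far fewer of them. The `log_format limited` defined here is not used by any `access_log` in this commit — the uguu vhosts use `combined` — so either wire it up or note that it is for the configs under `conf.d/root/`.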
@@ -0,0 +1,27 @@
+# Connection header for WebSocket reverse proxy
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ "" close;
+ }
+
+ map $remote_addr $proxy_forwarded_elem {
+
+ # IPv4 addresses can be sent as-is
+ ~^[0-9.]+$ "for=$remote_addr";
+
+ # IPv6 addresses need to be bracketed and quoted
+ ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+ # Unix domain socket names cannot be represented in RFC 7239 syntax
+ default "for=unknown";
+ }
+
+ map $http_forwarded $proxy_add_forwarded {
+
+ # If the incoming Forwarded header is syntactically valid, append to it
+ "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+ # Otherwise, replace it
+ default "$proxy_forwarded_elem";
+ }
diff --git a/snippets/poop.conf b/snippets/poop.conf
new file mode 100644
index 0000000..2a2cb5b
--- /dev/null
+++ b/snippets/poop.conf
@@ -0,0 +1,9 @@
+map $http_user_agent $poop {
+ default 0;
+ ~*my-tiny-bot 1;
+ ~*thesis-research-bot 1;
+ ~*SemrushBot 1;
+ ~*Bytespider 1;
+ ~*PetalBot 1;
+ ~*Amazonbot 1;
+}