Fijxu/etc-configs
1
1
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity

caca

Browse source
This commit is contained in:
Fijxu 2022-12-03 01:57:21 -03:00
parent c3af680506
commit 5615a26075
14 changed files with 456 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
nginx/configs/general.conf Normal file
View file

@ -0,0 +1,11 @@
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
# brotli
#brotli on;
#brotli_comp_level 6;
#brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

20
nginx/configs/proxyheaders.conf Normal file
View file

@ -0,0 +1,20 @@
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy SSL
proxy_ssl_server_name on;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;

12
nginx/configs/securityheaders.conf Normal file
View file

@ -0,0 +1,12 @@
# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
#add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# . files
location ~ /\.(?!well-known) {
deny all;
}

85
nginx/nginx.conf Executable file
View file

@ -0,0 +1,85 @@
worker_processes auto;
worker_rlimit_nofile 65535;
# Include Modules
include /etc/nginx/modules-enabled/*.conf;
#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
# Include external config
include /etc/nginx/conf.d/*.conf;
events {
multi_accept on;
worker_connections 65535;
}
stream {
include /etc/nginx/streams/*.conf;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 4096;
types_hash_bucket_size 64;
# MIME
include mime.types;
default_type application/octet-stream;
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers off;
#
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
# OCSP Stapling
#ssl_stapling on;
#ssl_stapling_verify on;
# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}
# Include sites-enabled and config
# include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

33
nginx/sites-available/ayayabeauty.conf Executable file
View file

@ -0,0 +1,33 @@
server {
server_name ayaya.beauty;
location /.well-known/matrix/server {
return 200 '{ "m.server": "matrix.ayaya.beauty:443" }';
}
location /.well-known/matrix/client {
# If your sever_name here doesn't match your matrix homeserver URL
# (e.g. hostname.com as server_name and matrix.hostname.com as homeserver URL)
add_header Access-Control-Allow-Origin '*';
return 200 '{ "m.homeserver": { "base_url": "https://matrix.ayaya.beauty" } }';
}
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/ayaya.beauty/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ayaya.beauty/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = ayaya.beauty) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name ayaya.beauty;
return 404; # managed by Certbot
}

33
nginx/sites-available/counter.conf Executable file
View file

@ -0,0 +1,33 @@
server {
access_log /var/log/nginx/count.ayaya.beauty.log combined;
server_name count.ayaya.beauty;
include configs/general.conf;
include configs/securityheaders.conf;
location / {
proxy_pass http://127.0.0.1:41000/;
include configs/proxyheaders.conf;
}
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/count.ayaya.beauty/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/count.ayaya.beauty/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = count.ayaya.beauty) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name count.ayaya.beauty;
listen 80;
return 404; # managed by Certbot
}

56
nginx/sites-available/matrix.conf Executable file
View file

@ -0,0 +1,56 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# For the federation port
listen 8448 ssl http2 default_server;
listen [::]:8448 ssl http2 default_server;
server_name matrix.zzls.xyz;
location ~ ^(/_matrix|/_synapse/client) {
# note: do not add a path (even a single /) after the port in `proxy_pass`,
# otherwise nginx will canonicalise the URI and cause signature verification
# errors.
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "sameorigin";
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
}
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://matrix.zzls.xyz"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
ssl_certificate /etc/letsencrypt/live/matrix.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/matrix.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = matrix.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name matrix.zzls.xyz;
return 404; # managed by Certbot
}

38
nginx/sites-available/matrix2.conf Executable file
View file

@ -0,0 +1,38 @@
server {
server_name matrix.ayaya.beauty; # EDIT THIS
access_log /var/log/nginx/matrix.log;
#merge_slashes off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_read_timeout 600;
location /_matrix/ {
proxy_pass http://127.0.0.1:8008;
# proxy_set_header Host $http_host;
# proxy_buffering off;
}
client_max_body_size 20M;
listen 443 ssl http2; # managed by Certbot
listen 8448 ssl http2;
listen [::]:8448 ssl http2;
ssl_certificate /etc/letsencrypt/live/matrix.ayaya.beauty/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/matrix.ayaya.beauty/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = matrix.ayaya.beauty) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name matrix.ayaya.beauty;
return 404; # managed by Certbot
}

42
nginx/sites-available/nimuvt.multex.software.conf Executable file
View file

@ -0,0 +1,42 @@
error_log /var/log/nginx/nimuerr.log;
access_log /var/log/nginx/nimu.log;
upstream nimuvt-botsite {
server unix:///tmp/remote_socket;
}
upstream nimuvt-websocket {
server unix:///var/run/pajbot/nimuvt/websocket.sock;
}
server {
#listen 443 ssl http2;
#listen [::]:443 ssl http2;
#ssl_certificate /etc/letsencrypt/live/multex.software/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/multex.software/privkey.pem;
listen 80;
server_name nimuvt.multex.software;
charset utf-8;
location /api/ {
uwsgi_pass nimuvt-botsite;
include uwsgi_params;
expires epoch;
}
location / {
uwsgi_pass nimuvt-botsite;
include uwsgi_params;
expires epoch;
add_header Cache-Control "public";
}
location /clrsocket {
proxy_pass http://nimuvt-websocket/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}

68
nginx/sites-available/searxng.conf Executable file
View file

@ -0,0 +1,68 @@
server {
access_log /dev/null;
error_log /dev/null;
server_name search.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
if ($server_protocol ~* "HTTP/1.0") {
return 444;
}
if ($http_user_agent ~* (python) ) {
return 403;
}
location / {
proxy_pass http://127.0.0.1:8888/;
#
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy headers for the Limiter
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
}
location /searx/static/ {
alias /usr/local/searx/searx-src/searx/static/;
}
# Onion Service Header
add_header Onion-Location http://searxdr3pqz4nydgnqocsia2xbywptxbkympa2emn7zlgggrir4bkfad.onion$request_uri;
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
quic_retry on;
quic_gso on;
ssl_early_data on;
ssl_session_ticket_key /etc/nginx/http3key.key;
listen 443 http3;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/search.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/search.zzls.xyz/privkey.pem; # managed by Certbot
#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = search.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name search.zzls.xyz;
return 404; # managed by Certbot
}

1
nginx/sites-enabled/counter.conf Symbolic link
View file

@ -0,0 +1 @@
/etc/nginx/sites-available/counter.conf

1
nginx/sites-enabled/searxng.conf Symbolic link
View file

@ -0,0 +1 @@
/etc/nginx/sites-available/searxng.conf

28
nginx/streams/dns.conf Normal file
View file

@ -0,0 +1,28 @@
# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
#log_format dns '$remote_addr [$time_local] $protocol "$dns_qname"';
#access_log /var/log/nginx/dns-access.log dns;
# Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
#js_include /etc/nginx/njs.d/nginx_stream.js;
# The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
#js_set $dns_qname dns_get_qname;
upstream dns {
zone dns 64k;
server 127.0.0.1:53;
}
server {
#listen 853 http3;
listen 853 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_handshake_timeout 10s;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
proxy_pass dns;
}

28
nginx/streams/dns.conf.bak Normal file
View file

@ -0,0 +1,28 @@
# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
log_format dns '$remote_addr [$time_local] $protocol';
access_log /var/log/nginx/dns-access.log dns;
# Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
#js_include /etc/nginx/njs.d/nginx_stream.js;
# The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
#js_set $dns_qname dns_get_qname;
upstream dns-servers {
#zone dns 64k;
server 127.0.0.1:53;
}
server {
#listen 853 http3;
listen 853; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_handshake_timeout 10s;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
proxy_pass dns-servers;
}