From 5615a26075d60c56e88c027a7e7601b885fed15e Mon Sep 17 00:00:00 2001
From: Fijxu
Date: Sat, 3 Dec 2022 01:57:21 -0300
Subject: [PATCH] caca
---
 nginx/configs/general.conf | 11 +++
 nginx/configs/proxyheaders.conf | 20 +++++
 nginx/configs/securityheaders.conf | 12 +++
 nginx/nginx.conf | 85 +++++++++++++++++++
 nginx/sites-available/ayayabeauty.conf | 33 +++++++
 nginx/sites-available/counter.conf | 33 +++++++
 nginx/sites-available/matrix.conf | 56 ++++++++++++
 nginx/sites-available/matrix2.conf | 38 +++++++++
 .../nimuvt.multex.software.conf | 42 +++++++++
 nginx/sites-available/searxng.conf | 68 +++++++++++++++
 nginx/sites-enabled/counter.conf | 1 +
 nginx/sites-enabled/searxng.conf | 1 +
 nginx/streams/dns.conf | 28 ++++++
 nginx/streams/dns.conf.bak | 28 ++++++
 14 files changed, 456 insertions(+)
 create mode 100644 nginx/configs/general.conf
 create mode 100644 nginx/configs/proxyheaders.conf
 create mode 100644 nginx/configs/securityheaders.conf
 create mode 100755 nginx/nginx.conf
 create mode 100755 nginx/sites-available/ayayabeauty.conf
 create mode 100755 nginx/sites-available/counter.conf
 create mode 100755 nginx/sites-available/matrix.conf
 create mode 100755 nginx/sites-available/matrix2.conf
 create mode 100755 nginx/sites-available/nimuvt.multex.software.conf
 create mode 100755 nginx/sites-available/searxng.conf
 create mode 120000 nginx/sites-enabled/counter.conf
 create mode 120000 nginx/sites-enabled/searxng.conf
 create mode 100644 nginx/streams/dns.conf
 create mode 100644 nginx/streams/dns.conf.bak
diff --git a/nginx/configs/general.conf b/nginx/configs/general.conf
new file mode 100644
index 0000000..cbd0161
--- /dev/null
+++ b/nginx/configs/general.conf
@@ -0,0 +1,11 @@
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+# brotli
+#brotli on;
+#brotli_comp_level 6;
+#brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
diff --git a/nginx/configs/proxyheaders.conf b/nginx/configs/proxyheaders.conf
new file mode 100644
index 0000000..3d8815b
--- /dev/null
+++ b/nginx/configs/proxyheaders.conf
@@ -0,0 +1,20 @@
+proxy_http_version 1.1;
+proxy_cache_bypass $http_upgrade;
+
+# Proxy SSL
+proxy_ssl_server_name on;
+
+# Proxy headers
+proxy_set_header Upgrade $http_upgrade;
+#proxy_set_header Connection $connection_upgrade;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Forwarded $proxy_add_forwarded;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+
+# Proxy timeouts
+proxy_connect_timeout 60s;
+proxy_send_timeout 60s;
+proxy_read_timeout 60s;
diff --git a/nginx/configs/securityheaders.conf b/nginx/configs/securityheaders.conf
new file mode 100644
index 0000000..7f6e72a
--- /dev/null
+++ b/nginx/configs/securityheaders.conf
@@ -0,0 +1,12 @@
+# security headers
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+#add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+add_header Permissions-Policy "interest-cohort=()" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+# . files
+location ~ /\.(?!well-known) {
+ deny all;
+}
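Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header Forwarded $proxy_add_forwarded;` append to whatever the client already sent, so an upstream that reads the first (or any non-last) element for rate limiting, logging or allow-lists can be handed an arbitrary address. Nothing in this commit shows a trusted proxy in front of nginx, so the safer default for a shared include is to overwrite, `proxy_set_header X-Forwarded-For $remote_addr;`, and only return to the append form once `set_real_ip_from`/`real_ip_header` are configured for a real fronting proxy. Separately, `#proxy_set_header Connection $connection_upgrade;` is commented out while `Upgrade $http_upgrade` is still forwarded, so WebSocket upgrades through this include cannot complete; either uncomment it (the `$connection_upgrade` map is defined in nginx.conf in this same commit) or drop the Upgrade line as well. Note also that no `Host` header is set here, so every upstream using this include receives `$proxy_host` (e.g. `127.0.0.1:41000`) as Host.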
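Review bot: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` sends the `preload` token from every vhost that includes this file; that token should only be emitted once the registrable domain has actually been submitted to the preload list, since it is a commitment that cannot be quickly undone if a subdomain later needs plain HTTP. `X-XSS-Protection "1; mode=block"` is ignored by current browsers and the legacy filter was itself a cross-site-leak vector, so current guidance is `add_header X-XSS-Protection "0" always;` or removing the header; likewise `Referrer-Policy "no-referrer-when-downgrade"` leaks full URLs to other HTTPS origins and `strict-origin-when-cross-origin` is the usual replacement. A caveat worth writing above the `add_header` lines: nginx does not merge `add_header` across levels, so any `location` that declares its own `add_header` silently discards every header from this file — `# NOTE: a location with its own add_header drops all of these; re-include this file there`.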
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100755
index 0000000..5bce696
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,85 @@
+
+worker_processes auto;
+worker_rlimit_nofile 65535;
+
+# Include Modules
+include /etc/nginx/modules-enabled/*.conf;
+#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
+load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
+
+# Include external config
+include /etc/nginx/conf.d/*.conf;
+
+events {
+ multi_accept on;
+ worker_connections 65535;
+}
+
+stream {
+ include /etc/nginx/streams/*.conf;
+}
+
+http {
+
+ charset utf-8;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ server_tokens off;
+ log_not_found off;
+ types_hash_max_size 4096;
+ types_hash_bucket_size 64;
+
+ # MIME
+ include mime.types;
+ default_type application/octet-stream;
+
+ # SSL
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ ssl_prefer_server_ciphers off;
+ #
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+
+ # Diffie-Hellman parameter for DHE ciphersuites
+ ssl_dhparam /etc/nginx/dhparam.pem;
+
+ # OCSP Stapling
+ #ssl_stapling on;
+ #ssl_stapling_verify on;
+
+ # Connection header for WebSocket reverse proxy
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ "" close;
+ }
+
+ map $remote_addr $proxy_forwarded_elem {
+
+ # IPv4 addresses can be sent as-is
+ ~^[0-9.]+$ "for=$remote_addr";
+
+ # IPv6 addresses need to be bracketed and quoted
+ ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+ # Unix domain socket names cannot be represented in RFC 7239 syntax
+ default "for=unknown";
+ }
+
+ map $http_forwarded $proxy_add_forwarded {
+
+ # If the incoming Forwarded header is syntactically valid, append to it
+ "~^(,[ 
\\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+ # Otherwise, replace it
+ default "$proxy_forwarded_elem";
+ }
+
+ # Include sites-enabled and config
+ # include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+
+}
diff --git a/nginx/sites-available/ayayabeauty.conf b/nginx/sites-available/ayayabeauty.conf
new file mode 100755
index 0000000..5dab3e4
--- /dev/null
+++ b/nginx/sites-available/ayayabeauty.conf
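Review bot: The TLS hardening in the `http {}` block (`ssl_protocols`, `ssl_ciphers`, `ssl_session_*`, `ssl_dhparam`) is likely dead configuration for most vhosts in this commit: every certbot-managed server block includes `/etc/letsencrypt/options-ssl-nginx.conf`, and if that file sets the same directives — as certbot's template does — the server-level values win, so the effective TLS policy is certbot's rather than this one. Keep one source of truth (drop the duplicates here, or stop including certbot's file), and at minimum add `# NOTE: overridden per-vhost by /etc/letsencrypt/options-ssl-nginx.conf` above the `# SSL` section so nobody assumes this list is what is served. `#ssl_stapling on;` is left disabled without a stated reason; if that is intentional, the comment should say why. `include /etc/nginx/conf.d/*.conf;` is placed in the main context while the commented copy inside `http {}` is where distributions expect it, so a package dropping an http-level snippet into conf.d would presumably break the next reload; one of the two includes should go.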
@@ -0,0 +1,33 @@
+server {
+ server_name ayaya.beauty;
+
+ location /.well-known/matrix/server {
+ return 200 '{ "m.server": "matrix.ayaya.beauty:443" }';
+ }
+
+ location /.well-known/matrix/client {
+ # If your sever_name here doesn't match your matrix homeserver URL
+ # (e.g. hostname.com as server_name and matrix.hostname.com as homeserver URL)
+ add_header Access-Control-Allow-Origin '*';
+ return 200 '{ "m.homeserver": { "base_url": "https://matrix.ayaya.beauty" } }';
+ }
+
+ listen 443 ssl http2; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/ayaya.beauty/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/ayaya.beauty/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = ayaya.beauty) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+ server_name ayaya.beauty;
+ return 404; # managed by Certbot
+
+
+}
diff --git a/nginx/sites-available/counter.conf b/nginx/sites-available/counter.conf
new file mode 100755
index 0000000..d5e6325
--- /dev/null
+++ b/nginx/sites-available/counter.conf
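Review bot: Both `.well-known/matrix/*` responses go out with the inherited `default_type application/octet-stream` because neither location sets a content type, whereas `matrix.conf` in this same commit sets `default_type application/json;` for its client well-known — the two delegations are inconsistent and clients that validate the Content-Type may reject this one. Add `default_type application/json;` to both locations. This vhost also does not include `configs/securityheaders.conf` like the other TLS sites, so the apex domain sends no HSTS header at all. Minor: the comment reads `sever_name`.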
@@ -0,0 +1,33 @@
+server {
+ access_log /var/log/nginx/count.ayaya.beauty.log combined;
+
+ server_name count.ayaya.beauty;
+ include configs/general.conf;
+ include configs/securityheaders.conf;
+
+ location / {
+ proxy_pass http://127.0.0.1:41000/;
+ include configs/proxyheaders.conf;
+ }
+
+ # QUIC
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+ listen 443 http3;
+ listen 443 http2 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/count.ayaya.beauty/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/count.ayaya.beauty/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = count.ayaya.beauty) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ server_name count.ayaya.beauty;
+
+ listen 80;
+ return 404; # managed by Certbot
+}
diff --git a/nginx/sites-available/matrix.conf b/nginx/sites-available/matrix.conf
new file mode 100755
index 0000000..019a1ac
--- /dev/null
+++ b/nginx/sites-available/matrix.conf
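Review bot: With only `counter.conf` and `searxng.conf` linked into `sites-enabled` and no block marked `default_server` on 443, this server is, as far as the commit shows, the first one loaded and therefore the implicit catch-all: any TLS request whose SNI/Host matches no `server_name` lands here and is proxied to `127.0.0.1:41000` carrying the attacker-chosen `X-Forwarded-Host $host` from `proxyheaders.conf`. Add an explicit catch-all so unknown hosts are dropped before reaching an application, e.g. `server { listen 443 ssl default_server; ssl_reject_handshake on; }` (nginx 1.19.4+; on older builds `return 444;` with a placeholder certificate). The included `proxyheaders.conf` sets no `Host`, so the counter backend sees `Host: 127.0.0.1:41000` — fine if it only trusts `X-Forwarded-Host`, but worth a comment on the `include` line so the choice is visible.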
@@ -0,0 +1,56 @@
+server {
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ # For the federation port
+ listen 8448 ssl http2 default_server;
+ listen [::]:8448 ssl http2 default_server;
+
+ server_name matrix.zzls.xyz;
+
+ location ~ ^(/_matrix|/_synapse/client) {
+ # note: do not add a path (even a single /) after the port in `proxy_pass`,
+ # otherwise nginx will canonicalise the URI and cause signature verification
+ # errors.
+ proxy_pass http://localhost:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ add_header Permissions-Policy "interest-cohort=()" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "sameorigin";
+
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 50M;
+ }
+
+ location /.well-known/matrix/client {
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.zzls.xyz"}}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+}
+
+ ssl_certificate /etc/letsencrypt/live/matrix.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/matrix.zzls.xyz/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+server {
+ if ($host = matrix.zzls.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name matrix.zzls.xyz;
+ return 404; # managed by Certbot
+
+
+}
diff --git a/nginx/sites-available/matrix2.conf b/nginx/sites-available/matrix2.conf
new file mode 100755
index 0000000..e2a30d4
--- /dev/null
+++ b/nginx/sites-available/matrix2.conf
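Review bot: The security headers are declared inside `location ~ ^(/_matrix|/_synapse/client)` only, so `/.well-known/matrix/client` and every other response from this vhost is sent without HSTS; move `add_header Strict-Transport-Security ...` to server level and, because nginx does not merge `add_header` across levels, repeat the others in the locations that declare their own. `add_header X-Frame-Options "sameorigin";` lacks the `always` its siblings carry, so it is dropped on 4xx/5xx responses. `listen 8448 ssl http2 default_server;` shares port 8448 with `matrix2.conf`, which binds it without `default_server`; neither is linked from `sites-enabled` in this commit, but enabling both is valid nginx and federation traffic for an unmatched host would go to this block, so a comment such as `# only one 8448 default_server may be enabled; see matrix2.conf` would save a future surprise.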
@@ -0,0 +1,38 @@
+server {
+ server_name matrix.ayaya.beauty; # EDIT THIS
+ access_log /var/log/nginx/matrix.log;
+ #merge_slashes off;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_read_timeout 600;
+
+ location /_matrix/ {
+ proxy_pass http://127.0.0.1:8008;
+ # proxy_set_header Host $http_host;
+ # proxy_buffering off;
+ }
+ client_max_body_size 20M;
+
+ listen 443 ssl http2; # managed by Certbot
+ listen 8448 ssl http2;
+ listen [::]:8448 ssl http2;
+
+ ssl_certificate /etc/letsencrypt/live/matrix.ayaya.beauty/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/matrix.ayaya.beauty/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = matrix.ayaya.beauty) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+ server_name matrix.ayaya.beauty;
+ return 404; # managed by Certbot
+
+
+}
diff --git a/nginx/sites-available/nimuvt.multex.software.conf b/nginx/sites-available/nimuvt.multex.software.conf
new file mode 100755
index 0000000..250508f
--- /dev/null
+++ b/nginx/sites-available/nimuvt.multex.software.conf
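Review bot: This vhost forwards only `Host` and `X-Real-IP` to the homeserver — there is no `proxy_set_header X-Forwarded-For $remote_addr;` and no `proxy_set_header X-Forwarded-Proto $scheme;`, unlike `matrix.conf` in the same commit. If Synapse's listener runs with `x_forwarded` enabled it takes client addresses for rate limiting and device/login records from X-Forwarded-For and decides "was this HTTPS" from X-Forwarded-Proto, so with this block it would presumably record `127.0.0.1` for every client and may treat connections as insecure; add both headers next to the existing `proxy_set_header` lines. `location /_matrix/` also omits `/_synapse/client`, which `matrix.conf` proxies and which Synapse uses for password-reset and SSO callbacks; `location ~ ^(/_matrix|/_synapse/client)` would give parity. `client_max_body_size 20M` is a second, different upload limit (50M in matrix.conf); whichever is right should carry the comment that it must match `max_upload_size` in homeserver.yaml.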
@@ -0,0 +1,42 @@
+error_log /var/log/nginx/nimuerr.log;
+access_log /var/log/nginx/nimu.log;
+
+upstream nimuvt-botsite {
+ server unix:///tmp/remote_socket;
+}
+
+upstream nimuvt-websocket {
+ server unix:///var/run/pajbot/nimuvt/websocket.sock;
+}
+
+server {
+ #listen 443 ssl http2;
+ #listen [::]:443 ssl http2;
+
+ #ssl_certificate /etc/letsencrypt/live/multex.software/fullchain.pem;
+ #ssl_certificate_key /etc/letsencrypt/live/multex.software/privkey.pem;
+listen 80;
+ server_name nimuvt.multex.software;
+
+ charset utf-8;
+
+ location /api/ {
+ uwsgi_pass nimuvt-botsite;
+ include uwsgi_params;
+ expires epoch;
+ }
+
+ location / {
+ uwsgi_pass nimuvt-botsite;
+ include uwsgi_params;
+ expires epoch;
+ add_header Cache-Control "public";
+ }
+
+ location /clrsocket {
+ proxy_pass http://nimuvt-websocket/;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+}
diff --git a/nginx/sites-available/searxng.conf b/nginx/sites-available/searxng.conf
new file mode 100755
index 0000000..7ed7fbb
--- /dev/null
+++ b/nginx/sites-available/searxng.conf
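Review bot: `server unix:///tmp/remote_socket;` points the uWSGI upstream at a socket in world-writable `/tmp`; any local user who creates that path first (or replaces it with their own listener) receives every request for this site, cookies included, and nginx will connect to it without complaint. Put it under a service-owned directory with a fixed owner and mode, as the websocket upstream already does, e.g. `server unix:/run/pajbot/nimuvt/uwsgi.sock;`. The TLS listener is fully commented out, so the whole site is served only via `listen 80;` in cleartext — if that is a temporary state while the certificate is issued, the `#listen 443` lines need a comment saying so. In `location /`, `expires epoch;` already emits `Cache-Control: no-cache`, and the following `add_header Cache-Control "public";` appends a second, contradictory Cache-Control header to every dynamic response; drop the `public` line.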
@@ -0,0 +1,68 @@
+server {
+ access_log /dev/null;
+ error_log /dev/null;
+
+ server_name search.zzls.xyz;
+ include configs/general.conf;
+ include configs/securityheaders.conf;
+
+
+ if ($server_protocol ~* "HTTP/1.0") {
+ return 444;
+ }
+ if ($http_user_agent ~* (python) ) {
+ return 403;
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:8888/;
+ #
+ proxy_http_version 1.1;
+ proxy_cache_bypass $http_upgrade;
+
+ # Proxy headers for the Limiter
+ proxy_set_header Host $host;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+ }
+
+ location /searx/static/ {
+ alias /usr/local/searx/searx-src/searx/static/;
+ }
+
+ # Onion Service Header
+ add_header Onion-Location http://searxdr3pqz4nydgnqocsia2xbywptxbkympa2emn7zlgggrir4bkfad.onion$request_uri;
+
+ # QUIC
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+ quic_retry on;
+ quic_gso on;
+ ssl_early_data on;
+ ssl_session_ticket_key /etc/nginx/http3key.key;
+
+ listen 443 http3;
+ listen 443 ssl http2; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/search.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/search.zzls.xyz/privkey.pem; # managed by Certbot
+ #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+
+}
+
+server {
+ if ($host = search.zzls.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name search.zzls.xyz;
+ return 404; # managed by Certbot
+
+
+ }
diff --git a/nginx/sites-enabled/counter.conf b/nginx/sites-enabled/counter.conf
new file mode 120000
index 0000000..6999b67
--- /dev/null
+++ b/nginx/sites-enabled/counter.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/counter.conf
\ No newline at end of file
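Review bot: `ssl_early_data on;` is enabled without telling the backend which requests arrived as TLS 1.3 0-RTT data, which an on-path attacker can replay; the nginx documentation recommends forwarding `proxy_set_header Early-Data $ssl_early_data;` (RFC 8470) so the application can refuse replayed non-idempotent requests — SearXNG accepts POST for searches and preferences — so add that line beside the other `proxy_set_header`s in `location /`. `ssl_session_ticket_key /etc/nginx/http3key.key;` pins a static ticket key: if the inherited `ssl_session_tickets off` from nginx.conf applies here the line is dead and misleading, and if tickets are in use the key is never rotated, so anyone who later obtains that file can decrypt recorded resumed sessions; either list two keys and rotate them on a schedule or drop the directive and let nginx use its per-start random key. This is also the one vhost where `#include /etc/letsencrypt/options-ssl-nginx.conf;` is commented out, meaning it alone gets the hardened `http {}` TLS settings — if intentional, a one-line comment prevents the next person from "re-fixing" it. The user-agent check `if ($http_user_agent ~* (python) )` is trivially bypassed and should not be counted as part of the bot limiting.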
diff --git a/nginx/sites-enabled/searxng.conf b/nginx/sites-enabled/searxng.conf
new file mode 120000
index 0000000..dfc6d1c
--- /dev/null
+++ b/nginx/sites-enabled/searxng.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/searxng.conf
\ No newline at end of file
diff --git a/nginx/streams/dns.conf b/nginx/streams/dns.conf
new file mode 100644
index 0000000..50567ba
--- /dev/null
+++ b/nginx/streams/dns.conf
@@ -0,0 +1,28 @@
+# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
+#log_format dns '$remote_addr [$time_local] $protocol "$dns_qname"';
+#access_log /var/log/nginx/dns-access.log dns;
+
+ # Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
+ #js_include /etc/nginx/njs.d/nginx_stream.js;
+
+ # The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
+ #js_set $dns_qname dns_get_qname;
+
+
+upstream dns {
+ zone dns 64k;
+ server 127.0.0.1:53;
+}
+server {
+ #listen 853 http3;
+ listen 853 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ ssl_handshake_timeout 10s;
+ ssl_session_cache shared:SSL:20m;
+ ssl_session_timeout 4h;
+ proxy_pass dns;
+}
diff --git a/nginx/streams/dns.conf.bak b/nginx/streams/dns.conf.bak
new file mode 100644
index 0000000..fe75fa9
--- /dev/null
+++ b/nginx/streams/dns.conf.bak
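Review bot: `ssl_ciphers HIGH:!aNULL:!MD5;` on the DoT listener admits everything OpenSSL rates HIGH, including static-RSA key exchange and CBC suites under TLS 1.2, which is a much weaker policy than the ECDHE/AEAD list in `http {}` — `stream` servers do not inherit those http-level values. Reuse the same list here, `ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...";` with `ssl_prefer_server_ciphers off;`, so both TLS endpoints follow one policy. The proxy to `127.0.0.1:53` sets no `proxy_timeout`, so each idle DoT connection is held for nginx's default of ten minutes; for a public resolver a short `proxy_timeout` and `proxy_connect_timeout` bound connection-exhaustion exposure. `#listen 853 http3;` has no meaning in a `stream` server (QUIC listeners are an http-module feature in mainline) and is better removed than kept as a hint.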
@@ -0,0 +1,28 @@
+# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
+log_format dns '$remote_addr [$time_local] $protocol';
+access_log /var/log/nginx/dns-access.log dns;
+
+ # Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
+ #js_include /etc/nginx/njs.d/nginx_stream.js;
+
+ # The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
+ #js_set $dns_qname dns_get_qname;
+
+
+upstream dns-servers {
+ #zone dns 64k;
+ server 127.0.0.1:53;
+}
+server {
+ #listen 853 http3;
+ listen 853; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ ssl_handshake_timeout 10s;
+ ssl_session_cache shared:SSL:20m;
+ ssl_session_timeout 4h;
+ proxy_pass dns-servers;
+}
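Review bot: This committed backup differs from `dns.conf` in a way that is dangerous if it is ever restored: `listen 853; # managed by Certbot` has no `ssl` parameter, so the certificate directives beneath it would not be applied and the DoT port would proxy plaintext DNS, while `log_format dns ...`/`access_log ...` would record every client address that `dns.conf` deliberately stops logging. It is only kept out of the running configuration by its extension, since `include /etc/nginx/streams/*.conf` matches `.conf` alone. Backup copies do not belong in version control — git already holds the history — so `nginx/streams/dns.conf.bak` should be removed from the repository; if it must stay, add `# DO NOT DEPLOY: listen lacks 'ssl' and logging is enabled` at the top.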