From b9663af58475c7cfe2222f929fe0168ea5fd7f0f Mon Sep 17 00:00:00 2001
From: "sf.nadeko.net"
Date: Sat, 24 Aug 2024 23:09:07 -0400
Subject: [PATCH] h7yt8w34f56h7yg8fw45h67yg8bw4e7tgh6ywber67yh8g9nf235qv7ygn89354wqvy8mg93524q78yh9m345qv879hm345qv789hm
---
 nginx/conf.d/git.conf | 2 +-
 nginx/conf.d/inv-i2p.conf.locations | 83 ++++++++++++++
 nginx/conf.d/inv-tor.conf.locations | 47 ++++----
 nginx/conf.d/inv.conf.locations | 138 ++++++++++++++++-------
 nginx/conf.d/luna.conf | 3 +
 nginx/conf.d/matrix.conf | 88 +++++++++++++++
 nginx/conf.d/redirector.conf | 6 +-
 nginx/configs/general.conf | 22 ++--
 nginx/configs/http3.conf | 4 +-
 nginx/configs/upstreams.conf | 18 ++-
 nginx/nginx.conf | 9 ++
 tmpfiles.d/docker-unix-socket-binds.conf | 3 +
 12 files changed, 340 insertions(+), 83 deletions(-)
 create mode 100644 nginx/conf.d/inv-i2p.conf.locations
 create mode 100644 nginx/conf.d/matrix.conf
 create mode 100644 tmpfiles.d/docker-unix-socket-binds.conf
diff --git a/nginx/conf.d/git.conf b/nginx/conf.d/git.conf
index a2aac47..ade0861 100644
--- a/nginx/conf.d/git.conf
+++ b/nginx/conf.d/git.conf
@@ -13,7 +13,7 @@ server {
 }
 # QUIC
- # include configs/http3.conf;
+ include configs/http3.conf;
 listen 443 ssl;
 http2 on;
diff --git a/nginx/conf.d/inv-i2p.conf.locations b/nginx/conf.d/inv-i2p.conf.locations
new file mode 100644
index 0000000..21e53c6
--- /dev/null
+++ b/nginx/conf.d/inv-i2p.conf.locations
@@ -0,0 +1,83 @@ +location @upstream-i2p { + proxy_pass http://inv-i2p; + include configs/proxy.conf; + limit_rate 1000k; + # Disable buffering and cache so i don't kill my + # SSD and bandwidth usage + proxy_buffering off; + proxy_request_buffering off; + proxy_cache off; + proxy_intercept_errors on; + proxy_connect_timeout 10s; + proxy_read_timeout 20s; + #error_page 502 = @fallback; + + if ($request_method = OPTIONS) { + return 204; + } +} + +location @http3-proxy { + # Woops! Sorry. I don't want to kill my SSD lol! + proxy_buffering off; + proxy_request_buffering off; + proxy_cache off; + #proxy_buffers 1024 16k; + proxy_set_header X-Forwarded-For ""; + proxy_hide_header "alt-svc"; + sendfile_max_chunk 512k; + proxy_hide_header Cache-Control; + proxy_hide_header etag; + proxy_http_version 1.1; + proxy_intercept_errors on; + proxy_set_header Connection keep-alive; + #proxy_max_temp_file_size 32m; + proxy_pass http://http3-ytproxy; + add_header Cache-Control private always; + limit_rate 8000k; +} + +location ~ (^/videoplayback/) { + try_files $uri @http3-proxy; +} + +location ~ (^/vi/) { + try_files $uri @http3-proxy; +} + +location ~ (^/vi) { + try_files $uri @upstream-i2p; +} + +location / { + try_files $uri @upstream-i2p; +} + +location /search { + try_files $uri @upstream-i2p; +} + +location /watch { + try_files $uri @upstream-i2p; +} + +location /api/v1 { + try_files $uri @upstream-i2p; +} + +location /api/v1/storyboards { + try_files $uri @upstream-i2p; +} + +location /api/v1/captions { + try_files $uri @upstream-i2p; +} + +location /api/v1/comments { + try_files $uri @upstream-i2p; +} + +location ~ ^/api/v1/channels/(.+)/shorts { + try_files $uri @upstream-i2p; +} + diff --git a/nginx/conf.d/inv-tor.conf.locations b/nginx/conf.d/inv-tor.conf.locations index be49383..7014569 100644 --- a/nginx/conf.d/inv-tor.conf.locations +++ b/nginx/conf.d/inv-tor.conf.locations 
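Review bot: `location ~ (^/vi)` now captures `/videoplayback` requests that carry their parameters in the query string, because `$uri` for `/videoplayback?expire=…` is just `/videoplayback`, which fails the new `(^/videoplayback/)` regex (trailing slash required), fails `(^/vi/)`, and then matches `(^/vi)`, so those requests go to `@upstream-i2p` instead of `@http3-proxy`. The previous `inv-tor.conf.locations` and `inv.conf.locations` matched `(^/videoplayback)` without the slash, and both are rewritten the same way in this patch, so the same routing change applies there. If the ytproxy is still meant to serve that form, `location ~ (^/videoplayback) { try_files $uri @http3-proxy; }` (slash dropped) keeps it ahead of `(^/vi)`; if the slash-only form is intentional, a comment on the `(^/vi)` block such as `# /videoplayback without a trailing slash deliberately goes to Invidious, not the ytproxy` would spare the next reader the same question.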
@@ -1,4 +1,4 @@ -location @upstream { +location @upstream-tor { proxy_pass http://inv-tor; include configs/proxy.conf; limit_rate 1000k; @@ -17,7 +17,7 @@ location @upstream { } } -location ~ (^/videoplayback) { +location @http3-proxy { # Woops! Sorry. I don't want to kill my SSD lol! proxy_buffering off; proxy_request_buffering off; @@ -37,55 +37,50 @@ location ~ (^/videoplayback) { limit_rate 8000k; } +location ~ (^/videoplayback/) { + try_files $uri @http3-proxy; +} + location ~ (^/vi/) { - # Woops! Sorry. I don't want to kill my SSD lol! - proxy_buffering off; - proxy_request_buffering off; - proxy_cache off; - #proxy_buffers 1024 16k; - proxy_set_header X-Forwarded-For ""; - proxy_hide_header "alt-svc"; - proxy_hide_header Cache-Control; - proxy_hide_header etag; - proxy_http_version 1.1; - proxy_intercept_errors on; - proxy_set_header Connection keep-alive; - #proxy_max_temp_file_size 32m; - proxy_pass http://http3-ytproxy; - add_header Cache-Control private always; - limit_rate 800k; + try_files $uri @http3-proxy; +} + +location ~ (^/vi) { + try_files $uri @upstream-tor; } location / { - try_files $uri @upstream; + try_files $uri @upstream-tor; } location /search { - try_files $uri @upstream; + try_files $uri @upstream-tor; } location /watch { - try_files $uri @upstream; + try_files $uri @upstream-tor; + #limit_req zone=invidious-watchrl nodelay burst=5; } location /api/v1 { - try_files $uri @upstream; + try_files $uri @upstream-tor; + #limit_req zone=invidious-apirl nodelay burst=10; } location /api/v1/storyboards { - try_files $uri @upstream; + try_files $uri @upstream-tor; } location /api/v1/captions { - try_files $uri @upstream; + try_files $uri @upstream-tor; } location /api/v1/comments { - try_files $uri @upstream; + try_files $uri @upstream-tor; } location ~ ^/api/v1/channels/(.+)/shorts { - try_files $uri @upstream; + try_files $uri @upstream-tor; } #location @fallback { 
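Review bot: Thumbnail traffic under `(^/vi/)` is now limited at `limit_rate 8000k` rather than the `800k` the removed block set, because `try_files` hands it to the shared `@http3-proxy` and that location's `limit_rate` is what applies; the same tenfold increase happens in the second `inv.conf.locations` hunk. If 800k was deliberate for thumbnails, one named location cannot carry two values, so either a second named location (same directives as `@http3-proxy` but `limit_rate 800k`) or a variable set in the matching location and consumed as `limit_rate $thumb_rate;` in `@http3-proxy` restores it. The commented `#limit_req` lines in `/watch` and `/api/v1` also leave the Tor entry with no per-client request limiting at all; presumably that is because every Tor request arrives from the local onion service and a `$binary_remote_addr` zone would be a single bucket, which is worth stating in the comment so the lines are not re-enabled by accident.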
diff --git a/nginx/conf.d/inv.conf.locations b/nginx/conf.d/inv.conf.locations index ad0a182..cbeb2d2 100644 --- a/nginx/conf.d/inv.conf.locations +++ b/nginx/conf.d/inv.conf.locations @@ -7,26 +7,29 @@ location @upstream { proxy_buffering off; proxy_request_buffering off; proxy_cache off; - proxy_intercept_errors on; - proxy_connect_timeout 10s; - proxy_read_timeout 20s; + #proxy_intercept_errors on; + #proxy_connect_timeout 10s; + #proxy_read_timeout 20s; #error_page 502 = @fallback; if ($request_method = OPTIONS) { return 204; } - proxy_hide_header Access-Control-Allow-Origin; - add_header Access-Control-Allow-Credentials true; - add_header Access-Control-Allow-Origin "https://materialious.nadeko.net" always; - add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD, PATCH, PUT, DELETE" always; - add_header Access-Control-Allow-Headers "User-Agent, Authorization, Content-Type" always; + proxy_hide_header Access-Control-Allow-Origin; + add_header Access-Control-Allow-Credentials true; + add_header Access-Control-Allow-Origin "*" always; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD, PATCH, PUT, DELETE" always; + add_header Access-Control-Allow-Headers "User-Agent, Authorization, Content-Type" always; - # TOR - add_header Onion-Location http://inv.nadekonw7plitnjuawu6ytjsl7jlglk2t6pyq6eftptmiv3dvqndwvyd.onion$request_uri; + # TOR + add_header Onion-Location http://inv.nadekonw7plitnjuawu6ytjsl7jlglk2t6pyq6eftptmiv3dvqndwvyd.onion$request_uri; + + # QUIC + # add_header Alt-Svc 'h3=":443"; ma=86400'; } -location ~ (^/videoplayback) { +location @http3-proxy { # Woops! Sorry. I don't want to kill my SSD lol! proxy_buffering off; proxy_request_buffering off; 
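Review bot: `add_header Access-Control-Allow-Origin "*" always;` next to the kept `add_header Access-Control-Allow-Credentials true;` is a contradictory pair: browsers refuse credentialed cross-origin responses whose allowed origin is the wildcard, so the caller the credentials header existed for (previously `https://materialious.nadeko.net`) now fails, and for everyone else the credentials line is dead. Either drop the credentials header, or keep an explicit origin and, if several front-ends need it, reflect only an allow-listed `$http_origin` through a `map` rather than the raw header. Commenting out `proxy_connect_timeout 10s` and `proxy_read_timeout 20s` also returns this location to nginx's 60s defaults while `proxy_buffering off` stays, so a stalled Invidious backend holds each client connection three times longer than before; if that is intended, a one-line comment saying why belongs next to the commented directives. The `@upstream` block starts before this hunk.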
@@ -44,60 +47,119 @@ location ~ (^/videoplayback) { proxy_pass http://http3-ytproxy; add_header Cache-Control private always; limit_rate 8000k; - limit_req zone=invidious-videoplaybackrl nodelay burst=10; + #limit_req zone=invidious-videoplaybackrl nodelay burst=10; + #limit_conn invgloballimit 64; + + # proxy_hide_header Access-Control-Allow-Origin; + # add_header Access-Control-Allow-Credentials true; + # add_header Access-Control-Allow-Origin "*" always; + # add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD, PATCH, PUT, DELETE" always; + # add_header Access-Control-Allow-Headers "User-Agent, Authorization, Content-Type" always; + + # QUIC + # add_header Alt-Svc 'h3=":443"; ma=86400'; +} + +# location ~ (^/videoplayback/) { +# # Woops! Sorry. I don't want to kill my SSD lol! +# proxy_buffering off; +# proxy_request_buffering off; +# proxy_cache off; +# #proxy_buffers 1024 16k; +# proxy_set_header X-Forwarded-For ""; +# proxy_hide_header "alt-svc"; +# sendfile_max_chunk 512k; +# proxy_hide_header Cache-Control; +# proxy_hide_header etag; +# proxy_http_version 1.1; +# proxy_intercept_errors on; +# proxy_set_header Connection keep-alive; +# #proxy_max_temp_file_size 32m; +# proxy_pass http://http3-ytproxy; +# add_header Cache-Control private always; +# limit_rate 8000k; +# #limit_req zone=invidious-videoplaybackrl nodelay burst=10; +# #limit_conn invgloballimit 64; +# +# # proxy_hide_header Access-Control-Allow-Origin; +# # add_header Access-Control-Allow-Credentials true; +# # add_header Access-Control-Allow-Origin "*" always; +# # add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD, PATCH, PUT, DELETE" always; +# # add_header Access-Control-Allow-Headers "User-Agent, Authorization, Content-Type" always; +# +# # QUIC +# add_header Alt-Svc 'h3=":443"; ma=86400'; +# } +# +# location ~ (^/vi/) { +# # Woops! Sorry. I don't want to kill my SSD lol! 
+# proxy_buffering off; +# proxy_request_buffering off; +# proxy_cache off; +# #proxy_buffers 1024 16k; +# proxy_set_header X-Forwarded-For ""; +# proxy_hide_header "alt-svc"; +# sendfile_max_chunk 512k; +# proxy_hide_header Cache-Control; +# proxy_hide_header etag; +# proxy_http_version 1.1; +# proxy_intercept_errors on; +# proxy_set_header Connection keep-alive; +# #proxy_max_temp_file_size 32m; +# proxy_pass http://http3-ytproxy; +# add_header Cache-Control private always; +# limit_rate 1000k; +# +# # QUIC +# add_header Alt-Svc 'h3=":443"; ma=86400'; +# +# limit_conn invgloballimit 128; +# } +# +# + +location ~ (^/videoplayback/) { + try_files $uri @http3-proxy; } location ~ (^/vi/) { - # Woops! Sorry. I don't want to kill my SSD lol! - proxy_buffering off; - proxy_request_buffering off; - proxy_cache off; - #proxy_buffers 1024 16k; - proxy_set_header X-Forwarded-For ""; - proxy_hide_header "alt-svc"; - proxy_hide_header Cache-Control; - proxy_hide_header etag; - proxy_http_version 1.1; - proxy_intercept_errors on; - proxy_set_header Connection keep-alive; - #proxy_max_temp_file_size 32m; - proxy_pass http://http3-ytproxy; - add_header Cache-Control private always; - limit_rate 800k; + try_files $uri @http3-proxy; } location / { - try_files $uri @upstream; + try_files $uri @upstream; + limit_conn invgloballimit 256; } location /search { - try_files $uri @upstream; + try_files $uri @upstream; + limit_req zone=invidious-searchrl nodelay burst=5; } location /watch { - try_files $uri @upstream; - limit_req zone=invidious-watchrl nodelay burst=5; + try_files $uri @upstream; + limit_req zone=invidious-watchrl nodelay burst=5; } location /api/v1 { - limit_req zone=invidious-apirl nodelay burst=10; - try_files $uri @upstream; + limit_req zone=invidious-apirl nodelay burst=10; + try_files $uri @upstream; } location /api/v1/storyboards { - try_files $uri @upstream; + try_files $uri @upstream; } location /api/v1/captions { - try_files $uri @upstream; + try_files $uri 
@upstream; } location /api/v1/comments { - try_files $uri @upstream; + try_files $uri @upstream; } location ~ ^/api/v1/channels/(.+)/shorts { - try_files $uri @upstream; + try_files $uri @upstream; } #location @fallback { diff --git a/nginx/conf.d/luna.conf b/nginx/conf.d/luna.conf index f170d7b..d2cfc0e 100644 --- a/nginx/conf.d/luna.conf +++ b/nginx/conf.d/luna.conf @@ -26,6 +26,9 @@ server { add_header Access-Control-Allow-Origin *; } + # QUIC + include configs/http3.conf; + listen 443 ssl; http2 on; diff --git a/nginx/conf.d/matrix.conf b/nginx/conf.d/matrix.conf new file mode 100644 index 0000000..b6a1727 --- /dev/null +++ b/nginx/conf.d/matrix.conf 
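Review bot: The videoplayback path loses both `limit_req zone=invidious-videoplaybackrl` (now commented) and the `limit_conn invgloballimit 64` line, while `location /` gains `limit_conn invgloballimit 256`, so the heaviest path (8000k per connection through `@http3-proxy`) is the one left with no connection or request cap; if the intent was to move the cap up a level, note that `limit_conn` in `location /` does not apply to requests that match the `~ (^/videoplayback/)` regex location. `limit_req zone=invidious-searchrl` in `/search` needs a matching `limit_req_zone` in `configs/limits.conf`, which this patch does not touch, so confirm the zone exists or `nginx -t` will reject the file. The roughly seventy commented-out lines duplicating the old `/videoplayback/` and `/vi/` blocks are already in git history and can be deleted rather than kept as dead configuration.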
@@ -0,0 +1,88 @@ +# server { +# server_name matrix.zzls.xyz; +# include configs/general.conf; +# include configs/robotsNone.conf; +# include configs/security.conf; +# +# location /.well-known/matrix/server { +# return 200 '{ "m.server": "matrix.zzls.xyz:8448" }'; +# } +# +# location /.well-known/matrix/client { +# default_type application/json; +# add_header Access-Control-Allow-Origin '*'; +# return 200 '{ "m.homeserver": { "base_url": "https://matrix.zzls.xyz" }, "org.matrix.msc3575.proxy": {"url": "https://matrix.zzls.xyz"}}'; +# } +# +# #location ~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync) { +# # proxy_pass http://127.0.0.1:40022; +# # proxy_set_header X-Forwarded-For $remote_addr; +# # proxy_set_header X-Forwarded-Proto $scheme; +# # proxy_set_header Host $host; +# #} +# +# location ~ ^(/_matrix|/_synapse/client|/health|/_synapse/metrics) { +# proxy_pass http://matrix; +# include configs/proxy.conf; +# client_max_body_size 64M; +# } +# +# # QUIC +# include configs/http3.conf; +# +# listen 443 ssl; +# listen 8448 ssl; +# listen 8448 quic; +# http2 on; +# } +# +server { + server_name matrix.nadeko.net; + include configs/general.conf; + include configs/robotsNone.conf; + include configs/security.conf; + + location /.well-known/matrix/support { + return 200 '{"contacts": [{"matrix_id": "@fijxu:nadeko.net","email_address": "fijxu@nadeko.net","role": "m.role.admin"},{"email_address": "fijxu@nadeko.net","role": "m.role.security"}],"support_page": "https://nadeko.net/contact" }'; + } + + location /.well-known/matrix/server { + return 200 '{ "m.server": "matrix.nadeko.net:8448" }'; + } + + location /.well-known/matrix/client { + default_type application/json; + add_header Access-Control-Allow-Origin '*'; + return 200 '{ "m.homeserver": { "base_url": "https://matrix.nadeko.net" }, "org.matrix.msc3575.proxy": {"url": "https://matrix.nadeko.net"}}'; + } + + location ~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync) { + proxy_pass 
http://127.0.0.1:10024; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + } + + location ~ ^(/_matrix|/_synapse/client|/health|/_synapse/metrics) { + proxy_pass http://127.0.0.1:10022; + include configs/proxy.conf; + client_max_body_size 64M; + } + + location / { + proxy_pass http://127.0.0.1:10023; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + client_max_body_size 64M; + proxy_http_version 1.1; + } + + # QUIC + include configs/http3.conf; + + listen 443 ssl reuseport; + listen 8448 ssl default_server reuseport; + listen 8448 quic default_server reuseport; + http2 on; +} diff --git a/nginx/conf.d/redirector.conf b/nginx/conf.d/redirector.conf index 32478b4..e5d90ee 100644 --- a/nginx/conf.d/redirector.conf +++ b/nginx/conf.d/redirector.conf @@ -8,7 +8,7 @@ server { # HTTPS Redirector server { - listen 80; - + listen 80 default_server; + server_name _; return 301 https://$host$request_uri; -} \ No newline at end of file +} diff --git a/nginx/configs/general.conf b/nginx/configs/general.conf index 16ea15d..552591c 100644 --- a/nginx/configs/general.conf +++ b/nginx/configs/general.conf @@ -1,3 +1,14 @@ +# ZSTD +# https://github.com/tokers/zstd-nginx-module +zstd on; +zstd_comp_level 1; +zstd_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; + +# BROTLI +brotli on; +brotli_comp_level 6; +brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; + # GZIP gzip on; gzip_vary on; 
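Review bot: The regex `location ~ ^(/_matrix|/_synapse/client|/health|/_synapse/metrics)` forwards Synapse's Prometheus endpoint to the homeserver on the public 443 and 8448 listeners, so `/_synapse/metrics` (server version and internal counters) is readable by anyone, which Synapse's reverse-proxy guidance advises against. Unless exposing it is deliberate, drop it from the alternation, `location ~ ^(/_matrix|/_synapse/client|/health) {`, or, if a scraper needs it, add `location ^~ /_synapse/metrics { allow <scraper-ip>; deny all; proxy_pass http://127.0.0.1:10022; }` (placeholder address) so the `^~` prefix wins over the regex. The `/.well-known/matrix/server` and `/.well-known/matrix/support` responses also lack the `default_type application/json;` the client endpoint sets, so they are served as `text/html`; clients may tolerate that, but it is cheap to fix. The commented-out `matrix.zzls.xyz` block at the top of the file is dead configuration that git history already preserves.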
@@ -5,12 +16,7 @@ gzip_proxied any; gzip_comp_level 6; gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; -# BROTLI -brotli on; -brotli_comp_level 6; -brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; - # fuck bots .kill -if ($poop) { - return 444; -} +# if ($poop) { +# return 444; +# } diff --git a/nginx/configs/http3.conf b/nginx/configs/http3.conf index 5b826b1..2b11b14 100644 --- a/nginx/configs/http3.conf +++ b/nginx/configs/http3.conf @@ -1,2 +1,2 @@ -add_header Alt-Svc 'h3=":443"; ma=86400'; -listen 443 quic; +add_header Alt-Svc 'h3=":8443"; ma=86400'; +listen 8443 quic; diff --git a/nginx/configs/upstreams.conf b/nginx/configs/upstreams.conf index 8379003..7074908 100644 --- a/nginx/configs/upstreams.conf +++ b/nginx/configs/upstreams.conf @@ -1,21 +1,29 @@ upstream php-fpm-8.3 { - server unix:/run/php-fpm/php-fpm.sock; + server unix:/run/php-fpm/php-fpm.sock; } upstream php-fpm-8.1 { - server unix:/run/php-fpm-legacy/php-fpm.sock; + server unix:/run/php-fpm-legacy/php-fpm.sock; } upstream inv { - server 127.0.0.1:10011 max_fails=2 fail_timeout=2s; + server unix:/run/invidious-haproxy/invidious.sock; + server 127.0.0.1:10011 backup; } upstream inv-tor { - server 127.0.0.1:10099 max_fails=2 fail_timeout=2s; + server unix:/run/invidious-haproxy/invidious-tor.sock; + server 127.0.0.1:10098 backup; +} + +upstream inv-i2p { + server unix:/run/invidious-haproxy/invidious-i2p.sock; + server 127.0.0.1:10099 backup; } upstream http3-ytproxy { - server 127.0.0.1:10012 max_fails=2 fail_timeout=5s; + server unix:/run/invidious-haproxy/http3-proxy.sock; + server 127.0.0.1:10012 backup; } upstream materialious { diff --git a/nginx/nginx.conf b/nginx/nginx.conf index ff2abd0..95d5391 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf 
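Review bot: Commenting out `if ($poop) { return 444; }` silently disables the bot block while `snippets/poop.conf`, which presumably defines `$poop`, is still included in `nginx.conf`; I suspect the reason is the new http-level `include /etc/nginx/configs/general.conf;` in the `nginx.conf` hunk, since `if` is only valid in `server` and `location` context and the include would otherwise fail `nginx -t`. If so, the fix is to move the `if` into a server-level snippet (for example the `configs/security.conf` the server blocks already include) rather than drop it, and to record that here: `# bot block moved to <server-level snippet>: "if" is not allowed at http context`. With general.conf now included at http level, the per-server `include configs/general.conf;` lines (matrix.conf in this patch) are redundant because these directives inherit, and keeping both invites drift. In the first hunk, `zstd on` depends on the `ngx_http_zstd_filter_module.so` that the `nginx.conf` hunk loads, so this file no longer works on an nginx without that third-party module; a comment naming that dependency belongs here as well as at the `load_module` line.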
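Review bot: Moving QUIC from `listen 443 quic` to `listen 8443 quic` changes what every server block that includes this file advertises, and the `ma=86400` in the old `Alt-Svc` means clients that already learned `h3=":443"` will keep trying UDP 443 for up to a day before falling back, so expect a window of retry noise rather than a clean cut-over; UDP 8443 also has to be reachable wherever UDP 443 was. The stale `# add_header Alt-Svc 'h3=":443"; ma=86400';` comments left in `inv.conf.locations` now disagree with this file and should go. A comment here such as `# QUIC is served on 8443 because 443/udp is <reason>; keep the Alt-Svc port in sync with the listen below` would record the motivation this patch does not give.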
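Review bot: The TCP `backup` for `inv-tor` changed from `127.0.0.1:10099` to `127.0.0.1:10098`, and `10099` is now the backup for the new `inv-i2p` upstream; if that is a deliberate port rotation it deserves a comment, because a transposition here would silently send Tor traffic to the I2P instance whenever the socket is down. Dropping `max_fails=2 fail_timeout=2s` (and `5s` for `http3-ytproxy`) puts the socket servers on nginx's defaults of `max_fails=1 fail_timeout=10s`, so a single failed connect parks the upstream on its backup port for ten seconds; `server unix:/run/invidious-haproxy/invidious.sock max_fails=2 fail_timeout=2s;` (and likewise for the other three) keeps the previous behaviour. All four socket paths also depend on `/run/invidious-haproxy`, which the new tmpfiles entry in this patch creates world-writable (`0777`), so the directory's permissions are now part of this upstream's trust boundary.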
@@ -4,8 +4,12 @@ worker_rlimit_nofile 65535; include /etc/nginx/modules-enabled/*.conf; load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files +load_module /usr/lib/nginx/modules/ngx_http_zstd_filter_module.so; # for compressing responses on-the-fly +load_module /usr/lib/nginx/modules/ngx_http_zstd_static_module.so; # for serving pre-compressed files load_module /usr/lib/nginx/modules/ngx_http_lua_module.so; # ngx_lua +quic_bpf on; + events { worker_connections 4096; multi_accept off; @@ -60,10 +64,15 @@ http { aio_write on; directio 2m; + # QUIC settings + # https://nginx.org/en/docs/http/ngx_http_v3_module.html + quic_gso on; + # Maps include /etc/nginx/snippets/maps.conf; include /etc/nginx/snippets/poop.conf; + include /etc/nginx/configs/general.conf; include /etc/nginx/configs/upstreams.conf; include /etc/nginx/configs/limits.conf; include /etc/nginx/conf.d/*.conf; diff --git a/tmpfiles.d/docker-unix-socket-binds.conf b/tmpfiles.d/docker-unix-socket-binds.conf new file mode 100644 index 0000000..8eeb8ed --- /dev/null +++ b/tmpfiles.d/docker-unix-socket-binds.conf @@ -0,0 +1,3 @@ +d /run/http3-proxy-nginx 0755 root root +d /run/invidious-nginx 0755 root root +d /run/invidious-haproxy 0777 root root
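Review bot: `d /run/invidious-haproxy 0777 root root` creates the directory that holds every upstream socket nginx now connects to (`invidious.sock`, `invidious-tor.sock`, `invidious-i2p.sock`, `http3-proxy.sock` from `configs/upstreams.conf`) as world-writable without the sticky bit, so any local account, or any container with `/run` bind-mounted, can create, remove or replace those socket files and receive the proxied traffic. Give the directory to the group shared by nginx and the HAProxy container instead, e.g. `d /run/invidious-haproxy 0750 root <shared-group>` (placeholder group); adding only the sticky bit (`1777`) stops other users unlinking an existing socket but still lets them create it first. The other two entries use `0755`, so the `0777` here reads like a workaround for a uid mismatch rather than a deliberate choice; whichever it is, the reason belongs in a comment in this file.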