diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index ba0b955..1e54cf3 100755
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -13,7 +13,6 @@ load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for servi
 # Include external config
 #include /etc/nginx/conf.d/*.conf;
-
 events {
 multi_accept on;
 worker_connections 65535;
@@ -33,7 +32,7 @@ http {
 log_not_found off;
 types_hash_max_size 4096;
 types_hash_bucket_size 64;
- client_max_body_size 16M;
+ client_max_body_size 16M;
 # MIME
@@ -57,31 +56,28 @@ http {
 #ssl_stapling_verify on;
 # Logging
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log warn;
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
 # General configs, include in every sites-enabled site
 #include configs/general.conf;
-
-
-
- # Connection header for WebSocket reverse proxy
+ # Connection header for WebSocket reverse proxy
 map $http_upgrade $connection_upgrade {
 default upgrade;
- "" close;
+ "" close;
 }
 map $remote_addr $proxy_forwarded_elem {
 # IPv4 addresses can be sent as-is
- ~^[0-9.]+$ "for=$remote_addr";
+ ~^[0-9.]+$ "for=$remote_addr";
 # IPv6 addresses need to be bracketed and quoted
 ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
 # Unix domain socket names cannot be represented in RFC 7239 syntax
- default "for=unknown";
+ default "for=unknown";
 }
 map $http_forwarded $proxy_add_forwarded {
diff --git a/nginx/sites-available/archive.zzls.xyz.conf b/nginx/sites-available/archive.zzls.xyz.conf
index 7fc6d45..1dddde8 100755
--- a/nginx/sites-available/archive.zzls.xyz.conf
+++ b/nginx/sites-available/archive.zzls.xyz.conf
@@ -12,7 +12,7 @@ server {
 }
- listen 443 http3;
+ listen 443 http3;
 listen 443 http2 ssl; # managed by Certbot
 ssl_certificate /etc/letsencrypt/live/archive.zzls.xyz/fullchain.pem; # managed by Certbot
 ssl_certificate_key /etc/letsencrypt/live/archive.zzls.xyz/privkey.pem; # managed by Certbot
@@ -23,13 +23,12 @@ server {
 server {
 if ($host = archive.zzls.xyz) {
 return 301 https://$host$request_uri;
- } # managed by Certbot
+ } # managed by Certbot
- listen 80;
-
- server_name archive.zzls.xyz;
- return 404; # managed by Certbot
+ listen 80;
+ server_name archive.zzls.xyz;
+ return 404; # managed by Certbot
-}
+ }
diff --git a/nginx/sites-available/gitea.conf b/nginx/sites-available/gitea.zzls.xyz.conf
similarity index 100%
rename from nginx/sites-available/gitea.conf
rename to nginx/sites-available/gitea.zzls.xyz.conf
diff --git a/nginx/sites-available/mpd.ayaya.beauty.conf b/nginx/sites-available/mpd.ayaya.beauty.conf
index 66e66d9..ee64261 100755
--- a/nginx/sites-available/mpd.ayaya.beauty.conf
+++ b/nginx/sites-available/mpd.ayaya.beauty.conf
@@ -9,20 +9,20 @@ server {
 location / {
 proxy_pass http://192.168.1.2:40420;
 #include configs/proxyheaders.conf;
- proxy_connect_timeout 1;
- proxy_send_timeout 1;
- proxy_read_timeout 1;
+ proxy_connect_timeout 1;
+ proxy_send_timeout 1;
+ proxy_read_timeout 1;
 }
 location /status {
 # Turn on stats
 stub_status on;
- access_log off;
+ access_log off;
 # only allow access from 192.168.1.5
 # allow 192.168.1.2;
 deny all;
- }
+ }
- listen 443 http3;
+ listen 443 http3;
 listen 443 http2 ssl; # managed by Certbot
 ssl_certificate /etc/letsencrypt/live/mpd.ayaya.beauty/fullchain.pem; # managed by Certbot
 ssl_certificate_key /etc/letsencrypt/live/mpd.ayaya.beauty/privkey.pem; # managed by Certbot
@@ -33,14 +33,13 @@ server {
 server {
 if ($host = mpd.ayaya.beauty) {
 return 301 https://$host$request_uri;
- } # managed by Certbot
+ } # managed by Certbot
+ server_name mpd.ayaya.beauty;
- server_name mpd.ayaya.beauty;
-
- listen 80;
- return 404; # managed by Certbot
+ listen 80;
+ return 404; # managed by Certbot
-}
+ }
diff --git a/nginx/sites-available/privatebin.conf b/nginx/sites-available/pbin.zzls.xyz.conf
similarity index 100%
rename from nginx/sites-available/privatebin.conf
rename to nginx/sites-available/pbin.zzls.xyz.conf
diff --git a/nginx/sites-available/rimgo.conf b/nginx/sites-available/ri.zzls.xyz.conf
similarity index 100%
rename from nginx/sites-available/rimgo.conf
rename to nginx/sites-available/ri.zzls.xyz.conf
diff --git a/nginx/sites-available/search2.zzls.xyz.conf b/nginx/sites-available/search2.zzls.xyz.conf
new file mode 100755
index 0000000..e80a68e
--- /dev/null
+++ b/nginx/sites-available/search2.zzls.xyz.conf
@@ -0,0 +1,68 @@
+server {
+ access_log /var/log/nginx/searx.log;
+ error_log /dev/null;
+
+ server_name search2.zzls.xyz;
+
+
+ if ($server_protocol ~* "HTTP/1.0") {
+ return 444;
+ }
+ if ($http_user_agent ~* (python) ) {
+ return 403;
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:8888/;
+
+ #
+ proxy_http_version 1.1;
+ proxy_cache_bypass $http_upgrade;
+
+ # Proxy headers for the Limiter
+ proxy_set_header Host $host;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+
+ }
+
+ location /searx/static/ {
+ alias /usr/local/searxng/searxng-src/searx/static/;
+ }
+
+ # security headers
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
+ add_header Permissions-Policy "interest-cohort=()" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN";
+
+ # QUIC
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+ quic_retry on;
+ quic_gso on;
+ ssl_early_data on;
+
+ listen 443 http3;
+ listen 443 http2 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/search2.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/search2.zzls.xyz/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host =
search2.zzls.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name search2.zzls.xyz;
+ return 404; # managed by Certbot
+
+
+ }
diff --git a/nginx/sites-available/searxng.conf b/nginx/sites-available/searxng.conf
deleted file mode 100755
index 3541e37..0000000
--- a/nginx/sites-available/searxng.conf
+++ /dev/null
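Review bot: In `location /`, the `# Proxy headers for the Limiter` block forwards `X-Forwarded-For $proxy_add_x_forwarded_for`, which appends `$remote_addr` to whatever `X-Forwarded-For` the client itself sent, so a client can place arbitrary addresses at the front of the header the limiter is keyed on and rotate them per request; this server terminates TLS for the public hostname, so there is no trusted proxy in front whose value needs preserving. Send only the TCP peer instead, `proxy_set_header X-Forwarded-For $remote_addr;` plus `proxy_set_header X-Real-IP $remote_addr;` (which header, and which entry of a multi-valued XFF, the limiter reads is not visible here; handing it a single trusted value sidesteps the question). `ssl_early_data on;` enables TLS 1.3 0-RTT, whose requests are replayable, so add `proxy_set_header Early-Data $ssl_early_data;` inside `location /` so the backend can answer 425 for replay-sensitive requests. `error_log /dev/null;` also discards every upstream failure and misconfiguration for this vhost, which is the first thing needed when investigating abuse or an outage; log to a file at `warn` as `nginx.conf` does.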
@@ -1,68 +0,0 @@
-server {
- access_log /var/log/nginx/searx.log;
- error_log /dev/null;
-
- server_name search2.zzls.xyz;
-
-
-if ($server_protocol ~* "HTTP/1.0") {
- return 444;
-}
-if ($http_user_agent ~* (python) ) {
- return 403;
-}
-
- location / {
- proxy_pass http://127.0.0.1:8888/;
-
- #
- proxy_http_version 1.1;
- proxy_cache_bypass $http_upgrade;
-
- # Proxy headers for the Limiter
- proxy_set_header Host $host;
- proxy_set_header Connection $http_connection;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Scheme $scheme;
-
- }
-
- location /searx/static/ {
- alias /usr/local/searxng/searxng-src/searx/static/;
- }
-
- # security headers
- add_header Referrer-Policy "no-referrer-when-downgrade" always;
- add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
- add_header Permissions-Policy "interest-cohort=()" always;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- add_header X-Frame-Options "SAMEORIGIN";
-
- # QUIC
- add_header Alt-Svc 'h3=":443"; ma=86400';
-
- quic_retry on;
- quic_gso on;
- ssl_early_data on;
-
- listen 443 http3;
- listen 443 http2 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/search2.zzls.xyz/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/search2.zzls.xyz/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}
-server {
- if ($host = search2.zzls.xyz) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
-
- server_name search2.zzls.xyz;
- return 404; # managed by Certbot
-
-
-}
diff --git a/nginx/sites-available/selfhost.conf b/nginx/sites-available/selfhost.zzls.xyz.conf
similarity index 100%
rename from nginx/sites-available/selfhost.conf
rename to nginx/sites-available/selfhost.zzls.xyz.conf
diff --git a/nginx/sites-available/yt.conf b/nginx/sites-available/yt.conf
deleted file mode 100755
index 63c0fe4..0000000
--- a/nginx/sites-available/yt.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-server {
- access_log /var/log/nginx/yt.access.log combined;
-
- server_name yt.zzls.xyz;
-
- location / {
- proxy_pass http://localhost:40003;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $host; # so Invidious knows domain
- proxy_http_version 1.1; # to keep alive
- proxy_set_header Connection ""; # to keep alive
- }
-
- # security headers
- add_header Referrer-Policy "no-referrer-when-downgrade" always;
- #add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'";
- add_header Permissions-Policy "interest-cohort=()" always;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
- add_header X-Frame-Options "SAMEORIGIN";
-
- # QUIC
- add_header Alt-Svc 'h3=":443"; ma=86400';
-
-
- listen 443 http3;
- listen 443 http2 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/yt.zzls.xyz/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/yt.zzls.xyz/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}
-server {
- if ($host = yt.zzls.xyz) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
-
- server_name yt.zzls.xyz;
- return 404; # managed by Certbot
-
-
-}
diff --git a/nginx/sites-available/yt.zzls.xyz.conf b/nginx/sites-available/yt.zzls.xyz.conf
new file mode 100755
index 0000000..1d386d6
--- /dev/null
+++ b/nginx/sites-available/yt.zzls.xyz.conf
@@ -0,0 +1,45 @@
+server {
+ access_log /var/log/nginx/yt.access.log combined;
+
+ server_name yt.zzls.xyz;
+
+ location / {
+ proxy_pass http://localhost:40003;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host; # so Invidious knows domain
+ proxy_http_version 1.1; # to keep alive
+ proxy_set_header Connection ""; # to keep alive
+ }
+
+ # security headers
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ #add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'";
+ add_header Permissions-Policy "interest-cohort=()" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN";
+
+ # QUIC
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+
+ listen 443 http3;
+ listen 443 http2 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/yt.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/yt.zzls.xyz/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = yt.zzls.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name yt.zzls.xyz;
+ return 404; # managed by Certbot
+
+
+ }
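Review bot: The two `# to keep alive` comments in `location /` promise something the config does not deliver: nginx only reuses backend connections when `proxy_pass` targets an `upstream` group that carries a `keepalive` directive, and here it targets the bare `http://localhost:40003`, so `proxy_http_version 1.1` plus `proxy_set_header Connection "";` still open a fresh TCP connection per request (unless an upstream group named `localhost` is defined in a file not shown, which the host:port form makes unlikely). Either drop the two lines and their comments, or add `upstream invidious { server 127.0.0.1:40003; keepalive 16; }` at http level and change the target to `proxy_pass http://invidious;`; the literal `127.0.0.1` also avoids `localhost` resolving to `::1` first on a dual-stack host. Separately, `add_header X-Frame-Options "SAMEORIGIN";` lacks the `always` flag its neighbours carry, so it is omitted from 4xx/5xx responses; append `always` for consistency with the HSTS and Permissions-Policy lines.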