Disable tor relay since my lap is shit

nginx/nginx.conf

@@ -7,12 +7,9 @@ include /etc/nginx/modules-enabled/*.conf;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
 load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
 
-# This is where we load NJS modules
-#load_module /usr/lib/nginx/modules/ngx_http_js_module.so;
-#load_module /usr/lib/nginx/modules/ngx_stream_js_module.so;
+#Include external config
+include /etc/nginx/conf.d/*.conf;
 
-# Include external config
-#include /etc/nginx/conf.d/*.conf;
 events {
     multi_accept on;
     worker_connections 65535;
@@ -24,6 +21,7 @@ stream {
 
 http {
 
+    # Basic Settings
     charset utf-8;
     sendfile on;
     tcp_nopush on;
@@ -32,8 +30,9 @@ http {
     log_not_found off;
     types_hash_max_size 4096;
     types_hash_bucket_size 64;
-    client_max_body_size 16M;
 
+    # Virtual Host Configs
+    include /etc/nginx/sites-enabled/*.conf;
 
     # MIME
     include mime.types;
@@ -41,43 +40,54 @@ http {
 
     # SSL
     ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
     ssl_prefer_server_ciphers off;
     #
     ssl_session_timeout 1d;
     ssl_session_cache shared:MozSSL:10m;
     ssl_session_tickets off;
 
-    # Diffie-Hellman parameter for DHE ciphersuites
+	# Diffie-Hellman parameter for DHE ciphersuites
     ssl_dhparam /etc/nginx/dhparam.pem;
 
-    # OCSP Stapling
-    #ssl_stapling on;
-    #ssl_stapling_verify on;
+    # HTTP2 Settings
+    http2_max_field_size 64k;
+    http2_max_header_size 512k;
 
-    # Logging
-    access_log /var/log/nginx/access.log;
-    error_log /var/log/nginx/error.log warn;
+    # DDOS Protection
+    limit_conn_zone $binary_remote_addr zone=perip:10m;
+    limit_conn perip 100;
 
-    # General configs, include in every sites-enabled site
-    #include configs/general.conf;
+    limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s;
+    limit_req_zone $binary_remote_addr zone=static:10m rate=100r/s;
 
-    # Connection header for WebSocket reverse proxy
+    # reset timed out connections freeing ram
+    reset_timedout_connection on;
+    # maximum time between packets the client can pause when sending nginx any data
+    client_body_timeout 10s;
+    # maximum time the client has to send the entire header to nginx
+    client_header_timeout 10s;
+    # timeout which a single keep-alive client connection will stay open
+    keepalive_timeout 65s;
+    # maximum time between packets nginx is allowed to pause when sending the client data
+    send_timeout 10s;
+
+	# Connection header for WebSocket reverse proxy
     map $http_upgrade $connection_upgrade {
         default upgrade;
-        "" close;
+        ""      close;
     }
 
     map $remote_addr $proxy_forwarded_elem {
 
         # IPv4 addresses can be sent as-is
-        ~^[0-9.]+$ "for=$remote_addr";
+        ~^[0-9.]+$        "for=$remote_addr";
 
         # IPv6 addresses need to be bracketed and quoted
         ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
 
         # Unix domain socket names cannot be represented in RFC 7239 syntax
-        default "for=unknown";
+        default           "for=unknown";
     }
 
     map $http_forwarded $proxy_add_forwarded {
@@ -89,9 +99,5 @@ http {
         default "$proxy_forwarded_elem";
     }
 
-    # Include sites-enabled
-    include /etc/nginx/conf.d/*.conf;
-    include /etc/nginx/sites-enabled/*;
-
 }
 

nginx/sites-available/ayaya.beauty.conf

@@ -1,11 +1,17 @@
 server {
-    listen            80;
+    access_log /var/log/nginx/ayaya.beauty.log combined;
+    error_log /var/log/nginx/ayaya.beauty.error.log;
+
     server_name       ayaya.beauty;
+    include configs/general.conf;
+    include configs/securityheaders.conf;
 
     root              /var/www/uguu/dist/public/;
     autoindex         off;
-    access_log        off;
-    index index.html  index.php;  
+    # access_log        off;
+    index index.html  index.php;
+
+    client_max_body_size 64M;
 
     location ~* \.(css|js|jpg|jpeg|gif|png|ico|xml|eot|woff|woff2|ttf|svg|otf|x-icon|avif|webp|apng)$ {
       expires         30d;
@@ -19,4 +25,25 @@ server {
     include          fastcgi_params;
     fastcgi_param    SCRIPT_FILENAME $document_root$fastcgi_script_name;
     }
+
+    listen 443 http3;
+    listen 443 http2 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/ayaya.beauty/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/ayaya.beauty/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
 }
+
+server {
+    if ($host = ayaya.beauty) {
+        return 301 https://$host$request_uri;
+        } # managed by Certbot
+
+
+        listen 80;
+        server_name ayaya.beauty;
+        return 404; # managed by Certbot
+
+
+    }

nginx/sites-available/gitea.zzls.xyz.conf

@@ -11,8 +11,6 @@ server {
         include configs/proxyheaders.conf;
     }
 
-    #add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
-
     # QUIC
     add_header Alt-Svc 'h3=":443"; ma=86400';
 

nginx/sites-available/i.ayaya.beauty.conf

@@ -1,9 +1,39 @@
 server {
-    listen           80;
-    server_name      i.ayaya.beauty;
+    access_log /var/log/nginx/i.ayaya.beauty.log combined;
+    error_log /var/log/nginx/i.ayaya.beauty.error.log;
+
+    server_name i.ayaya.beauty;
+    include configs/general.conf;
+    include configs/securityheaders.conf;
 
     root             /var/www/files/;
     autoindex        off;
-    access_log       off;
+    # access_log       off;
     index            index.html;
+
+    location / {
+    error_page 403 =301 https://ayaya.beauty;
+    error_page 404 = /404.gif;
+    }
+
+    listen 443 http3;
+    listen 443 http2 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/i.ayaya.beauty/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/i.ayaya.beauty/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
 }
+
+server {
+    if ($host = i.ayaya.beauty) {
+        return 301 https://$host$request_uri;
+        } # managed by Certbot
+
+
+        listen 80;
+        server_name i.ayaya.beauty;
+        return 404; # managed by Certbot
+
+
+    }

tor/torrc

@@ -55,10 +55,10 @@ DataDirectory /var/lib/tor
 
 ## The port on which Tor will listen for local connections from Tor
 ## controller applications, as documented in control-spec.txt.
-ControlPort 9051
+#ControlPort 9051
 ## If you enable the controlport, be sure to enable one of these
 ## authentication methods, to prevent attackers from accessing it.
-HashedControlPassword 16:B4DC8983B0D19C5F60350CFF5B88B209B219D43E7AB9FE1EE87E808592
+#HashedControlPassword 16:B4DC8983B0D19C5F60350CFF5B88B209B219D43E7AB9FE1EE87E808592
 #CookieAuthentication 1
 
 ############### This section is just for location-hidden services ###
@@ -82,7 +82,7 @@ HashedControlPassword 16:B4DC8983B0D19C5F60350CFF5B88B209B219D43E7AB9FE1EE87E808
 ## See https://www.torproject.org/docs/tor-doc-relay for details.
 
 ## Required: what port to advertise for incoming Tor connections.
-ORPort 9001
+#ORPort 9001
 ## If you want to listen on a port other than the one advertised in
 ## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
 ## follows.  You'll need to do ipchains or other port forwarding
@@ -111,7 +111,7 @@ ORPort 9001
 ## Nicknames must be between 1 and 19 characters inclusive, and must
 ## contain only the characters [a-zA-Z0-9].
 ## If not set, "Unnamed" will be used.
-Nickname forsenE
+#Nickname forsenE
 
 ## Define these to limit how much relayed traffic you will allow. Your
 ## own traffic is still unthrottled. Note that RelayBandwidthRate must
@@ -119,8 +119,8 @@ Nickname forsenE
 ## Note that units for these config options are bytes (per second), not
 ## bits (per second), and that prefixes are binary prefixes, i.e. 2^10,
 ## 2^20, etc.
-RelayBandwidthRate 3 Mbytes  # Throttle traffic to 100KB/s (800Kbps)
-RelayBandwidthBurst 3 Mbytes # But allow bursts up to 200KB (1600Kb)
+#RelayBandwidthRate 3 Mbytes  # Throttle traffic to 100KB/s (800Kbps)
+#RelayBandwidthBurst 3 Mbytes # But allow bursts up to 200KB (1600Kb)
 
 ## Use these to restrict the maximum traffic per day, week, or month.
 ## Note that this threshold applies separately to sent and received bytes,
@@ -174,7 +174,7 @@ RelayBandwidthBurst 3 Mbytes # But allow bursts up to 200KB (1600Kb)
 ## If you are running multiple relays, you MUST set this option.
 ##
 ## Note: do not use MyFamily on bridge relays.
-MyFamily $7D530ECD3A9F4BADA4D11825E910ED0DF2AC5D60,$282A63D9228513E8998C5B12E2926E6398DBF109
+#MyFamily $7D530ECD3A9F4BADA4D11825E910ED0DF2AC5D60,$282A63D9228513E8998C5B12E2926E6398DBF109
 
 ## Uncomment this if you want your relay to be an exit, with the default
 ## exit policy (or whatever exit policy you set below).