README.md

@@ -1,11 +0,0 @@
-You can find my server configs in this repo, they are split in different branches.
-
-- [🕋 Selfhost Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/selfhost)
-
-- [🧱 VPS Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/vpsus)
-
-#### Suggestions or Issues?
-
-If you got any suggestions to the nginx configs or something that is not to your liking within the privacy-focused services I provide; Open an issue or a pull request in any config. You can either create an account with your real E-mail or with a throw away one (But probably you will be considered as a bad actor for me if you don't provide any real identity like GitHub, GitLab, Codeberg or anything like that, so make sure to link any of those).
-
-*Contact*: [https://nadeko.net/contact](https://nadeko.net/contact)

conf.d/ckg/ayaya.beauty.conf

@@ -0,0 +1,82 @@
+server {
+	access_log /var/log/nginx/ayaya.beauty.access.log combined;
+	error_log /var/log/nginx/ayaya.beauty.error.log;
+	server_name ayaya.beauty;
+	include configs/general.conf;
+	include configs/security.conf;
+	include configs/robotsNone.conf;
+	include snippets/torblacklist.conf;
+
+	root /var/www/fijxu/uguu/dist/public;
+	autoindex off;
+	index index.html index.php;
+
+	client_max_body_size 512M;
+
+	location ~* \.(css|js|jpg|jpeg|gif|png|ico|xml|eot|woff|woff2|ttf|svg|otf|x-icon|avif|webp|apng)$ {
+		expires 7d;
+	}
+
+	location ~ \.php$ {
+		fastcgi_pass php-fpm;
+		fastcgi_intercept_errors on;
+		fastcgi_index index.php;
+		fastcgi_split_path_info ^(.+\.php)(.*)$;
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+	}
+
+	location /torisblocked {
+		alias errors/torisblocked.txt;
+	}
+
+	error_page 403 =302 /torisblocked;
+
+	# QUIC
+	#include configs/http3.conf;
+
+	listen 443 ssl;
+	http2 on;
+
+}
+
+server {
+	access_log /var/log/nginx/i.ayaya.beauty.access.log;
+	server_name i.ayaya.beauty;
+	include configs/general.conf;
+	include configs/security.conf;
+	include configs/robotsNone.conf;
+	root /var/www/fijxu/uguu/files;
+	autoindex off;
+
+	location / {
+		rewrite ^/(.*)/$ /\$1 break;
+		try_files $uri $uri/ =404;
+		error_page 401 402 403 404 =301 https://ayaya.beauty;
+	}
+
+	# QUIC
+	#include configs/http3.conf;
+
+	listen 443 ssl;
+	http2 on; 
+
+}
+
+server {
+	if ($host = i.ayaya.beauty) {
+		return 301 https://$host$request_uri;
+	}
+	listen 80;
+	server_name i.ayaya.beauty;
+	return 404; 
+}
+
+server {
+	if ($host = ayaya.beauty) {
+		return 301 https://$host$request_uri;
+	}
+	listen 80;
+	server_name ayaya.beauty;
+	return 404; 
+}

conf.d/ckg/breezewiki.nadeko.net.conf

@@ -0,0 +1,42 @@
+server {
+	server_name breezewiki.nadeko.net;
+	include configs/general.conf;
+	include configs/security.conf;
+	include configs/robotsNone.conf;
+
+	location / {
+		proxy_pass http://breezewiki;
+		#include configs/proxy.conf;
+	}
+
+	# Onion Service Header
+	add_header Onion-Location http://breezewiki.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion$request_uri;
+
+	# QUIC
+	include configs/http3.conf;
+
+	listen 443 ssl;
+	http2 on;
+
+}
+
+server {
+	listen 127.0.0.1:10040;
+	server_name breezewiki.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion;
+	include configs/general.conf;
+	include configs/security.conf;
+	include configs/robotsNone.conf;
+
+}
+server {
+	set $x "";
+	if ($host = breezewiki.nadeko.net) {
+		set $x 1;
+	}
+	if ($x = 1) {
+		return 301 https://$host$request_uri;
+	}
+	listen 80;
+	server_name breezewiki.nadeko.net;
+	return 404;
+}

conf.d/ckg/search.nadeko.net.conf

@@ -0,0 +1,87 @@
+server {
+	server_name search.zzls.xyz search.nadeko.net;
+	include configs/general.conf;
+
+	location @socket {
+		uwsgi_pass searxng;
+		include uwsgi_params;
+		uwsgi_param    HTTP_HOST             $host;
+		uwsgi_param    HTTP_CONNECTION       $http_connection;
+		# see flaskfix.py
+		uwsgi_param    HTTP_X_SCHEME         $scheme;
+		#uwsgi_param    HTTP_X_SCRIPT_NAME    /searxng;
+		# see limiter.py
+		uwsgi_param    HTTP_X_REAL_IP        $remote_addr;
+		uwsgi_param    HTTP_X_FORWARDED_FOR  $proxy_add_x_forwarded_for;
+	}
+
+	location / {
+		try_files $uri @socket;
+	}
+
+	location /search {
+		try_files $uri @socket;
+		if ($server_protocol ~* "HTTP/1.1") {
+			return 444;
+		}
+	}
+
+	# Onion Service Header
+	add_header Onion-Location http://search.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion$request_uri;
+
+	# QUIC
+	include configs/http3.conf;
+
+	# CSP + Security Headers
+	add_header Permissions-Policy        "interest-cohort=()" always;
+	add_header Strict-Transport-Security "max-age=63072000; preload" always;
+	add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
+
+	listen 443 ssl;
+	http2 on;
+
+}
+
+server {
+	listen 127.0.0.1:10040;
+	server_name search.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion;
+	include configs/general.conf;
+
+	location @socket {
+		uwsgi_pass searxng;
+		include uwsgi_params;
+		uwsgi_param    HTTP_HOST             $host;
+		uwsgi_param    HTTP_CONNECTION       $http_connection;
+		# see flaskfix.py
+		uwsgi_param    HTTP_X_SCHEME         $scheme;
+		#uwsgi_param    HTTP_X_SCRIPT_NAME    /searxng;
+		# see limiter.py
+		uwsgi_param    HTTP_X_REAL_IP        $remote_addr;
+		uwsgi_param    HTTP_X_FORWARDED_FOR  $proxy_add_x_forwarded_for;
+	}
+
+	location / {
+		try_files $uri @socket;
+	}
+
+	# CSP + Security Headers
+	add_header Permissions-Policy        "interest-cohort=()" always;
+	add_header Strict-Transport-Security "max-age=63072000; preload" always;
+	add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
+
+}
+server {
+	set $x "";
+	if ($host = search.zzls.xyz) {
+		set $x 1;
+	}       
+	if ($host = search.nadeko.net) {
+		set $x 1;
+	}
+	if ($x = 1) {
+		return 301 https://$host$request_uri;
+	}
+	listen 80;
+	server_name search.zzls.xyz search.nadeko.net;
+	return 404;
+}

configs/general.conf

@@ -0,0 +1,10 @@
+# gzip
+gzip              on;
+gzip_vary         on;
+gzip_proxied      any;
+gzip_comp_level   6;
+gzip_types        text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+if ($poop) {
+	return 444;
+}

configs/http3.conf

@@ -0,0 +1,2 @@
+add_header Alt-Svc 'h3=":443"; ma=86400';
+listen 443 quic;

configs/proxy.conf

@@ -0,0 +1,20 @@
+proxy_http_version                 1.1;
+proxy_cache_bypass                 $http_upgrade;
+
+# Proxy SSL
+proxy_ssl_server_name              on;
+
+# Proxy headers
+proxy_set_header Upgrade           $http_upgrade;
+#proxy_set_header Connection        $connection_upgrade;
+proxy_set_header X-Real-IP         $remote_addr;
+proxy_set_header Forwarded         $proxy_add_forwarded;
+proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host  $host;
+proxy_set_header X-Forwarded-Port  $server_port;
+
+# Proxy timeouts
+proxy_connect_timeout              60s;
+proxy_send_timeout                 60s;
+proxy_read_timeout                 60s;

configs/robotsNone.conf

@@ -0,0 +1 @@
+location /robots.txt { return 200 "User-agent: *\nDisallow: /";}

configs/security.conf

@@ -0,0 +1,6 @@
+# security headers
+add_header X-Content-Type-Options    "nosniff" always;
+add_header Referrer-Policy           "same-origin" always;
+add_header X-Frame-Options           "sameorigin" always;
+add_header Permissions-Policy        "interest-cohort=()" always;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

configs/ssl.conf

@@ -0,0 +1,5 @@
+# ECDSA
+ssl_certificate /etc/ssl/nadeko.net/fullchain.ec.crt;
+ssl_certificate_key /etc/ssl/nadeko.net/nadeko.net.ec.key;
+
+include configs/sslConfig.conf;

configs/sslConfig.conf

@@ -0,0 +1,12 @@
+# SSL
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ssl_prefer_server_ciphers off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_early_data on;
+
+# Custom 4096bits Diffie-Hellman parameter for DHE ciphersuites (Not the one bundled with letsencrypt
+# Changed to a custom one for trust purposes
+ssl_dhparam /etc/nginx/dhparam.pem;

configs/upstreams.conf

@@ -0,0 +1,11 @@
+upstream php-fpm {
+	server unix:/run/php/php-fpm.sock;
+}
+
+upstream searxng {
+	server unix:/usr/local/searxng/run/socket;
+}
+
+upstream breezewiki {
+	server 127.0.0.1:10001;
+}

fastcgi.conf

@@ -0,0 +1,27 @@
+
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  REMOTE_USER        $remote_user;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

nginx.conf

@@ -0,0 +1,65 @@
+user www-data;
+worker_processes auto;
+worker_rlimit_nofile 65535;
+pid /run/nginx.pid;
+
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 4096;
+	multi_accept off;
+}
+
+http {
+	log_format limited '$remote_addr - $remote_user [$time_local] '
+		'"$request_method /bogus $server_protocol" $status $body_bytes_sent '
+		'"-" "Bogus/66.6"';
+
+	access_log off;
+	error_log /dev/null;
+
+	# Basic Settings
+	charset utf-8;
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	server_tokens off;
+	log_not_found off;
+	types_hash_max_size 1024;
+	types_hash_bucket_size 64;
+	server_names_hash_bucket_size 128;
+
+	# MIME
+	include mime.types;
+
+	# SSL
+	include configs/ssl.conf;
+
+	# reset timed out connections freeing ram
+	reset_timedout_connection on;
+	# maximum time between packets the client can pause when sending nginx any data
+	client_body_timeout 10s;
+	# maximum time the client has to send the entire header to nginx
+	client_header_timeout 10s;
+	# timeout which a single keep-alive client connection will stay open
+	keepalive_timeout 65s;
+	# maximum time between packets nginx is allowed to pause when sending the client data
+	send_timeout 10s;
+
+	# PERFORMANCE / ASYNC I/O
+	aio threads=default;
+	aio_write on;
+	directio 2m;
+
+	# Maps
+	include /etc/nginx/snippets/maps.conf;
+	include /etc/nginx/snippets/poop.conf;
+
+	# Upstreams
+	include /etc/nginx/configs/upstreams.conf;
+
+	# Aqui esta wisp.conf
+	include /etc/nginx/conf.d/root/*.conf;
+	# Aqui deje mi carpeta para mis configuraciones, para evitar confusiones.
+	include /etc/nginx/conf.d/ckg/*.conf;
+}

snippets/maps.conf

@@ -0,0 +1,27 @@
+# Connection header for WebSocket reverse proxy
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ""      close;
+    }
+
+    map $remote_addr $proxy_forwarded_elem {
+
+        # IPv4 addresses can be sent as-is
+        ~^[0-9.]+$        "for=$remote_addr";
+
+        # IPv6 addresses need to be bracketed and quoted
+        ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+        # Unix domain socket names cannot be represented in RFC 7239 syntax
+        default           "for=unknown";
+    }
+
+    map $http_forwarded $proxy_add_forwarded {
+
+        # If the incoming Forwarded header is syntactically valid, append to it
+        "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+        # Otherwise, replace it
+        default "$proxy_forwarded_elem";
+    }

snippets/poop.conf

@@ -0,0 +1,9 @@
+map $http_user_agent $poop {
+	default			0;
+	~*my-tiny-bot		1;
+	~*thesis-research-bot	1;
+	~*SemrushBot		1;
+	~*Bytespider		1;
+	~*PetalBot			1;
+	~*Amazonbot			1;
+}