From 2f25519215dacc7ea52d487979bcd7c6d695937f Mon Sep 17 00:00:00 2001
From: Fijxu
Date: Tue, 22 Nov 2022 03:45:12 -0300
Subject: [PATCH] caca
---
configs/general.conf | 11 +++++++++++
configs/proxyheaders.conf | 20 ++++++++++++++++++++
configs/securityheaders.conf | 12 ++++++++++++
streams/dns.conf | 29 +++++++++++++++++++++++++++++
streams/dns.conf.bak | 28 ++++++++++++++++++++++++++++
5 files changed, 100 insertions(+)
create mode 100644 configs/general.conf
create mode 100644 configs/proxyheaders.conf
create mode 100644 configs/securityheaders.conf
create mode 100644 streams/dns.conf
create mode 100644 streams/dns.conf.bak
diff --git a/configs/general.conf b/configs/general.conf
new file mode 100644
index 0000000..cbd0161
--- /dev/null
+++ b/configs/general.conf
@@ -0,0 +1,11 @@
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+# brotli
+#brotli on;
+#brotli_comp_level 6;
+#brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
diff --git a/configs/proxyheaders.conf b/configs/proxyheaders.conf
new file mode 100644
index 0000000..3d8815b
--- /dev/null
+++ b/configs/proxyheaders.conf
@@ -0,0 +1,20 @@
+proxy_http_version 1.1;
+proxy_cache_bypass $http_upgrade;
+
+# Proxy SSL
+proxy_ssl_server_name on;
+
+# Proxy headers
+proxy_set_header Upgrade $http_upgrade;
+#proxy_set_header Connection $connection_upgrade;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Forwarded $proxy_add_forwarded;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+
+# Proxy timeouts
+proxy_connect_timeout 60s;
+proxy_send_timeout 60s;
+proxy_read_timeout 60s;
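Review bot: `gzip_proxied any;` compresses every proxied response, including authenticated ones that carry session cookies or anti-CSRF tokens, which is the precondition for BREACH-style compression side channels whenever attacker-influenced input is reflected into the same body. Whether that is exploitable depends on the upstream applications, which this hunk does not show, so at minimum the trade-off should be recorded next to the directive: `# NOTE: compressing dynamic authenticated responses enables BREACH-class oracles if a secret and reflected input share one body; keep gzip off for such locations`. A safer shape for mixed deployments is the nginx default `gzip_proxied off;` here with `gzip on;` re-enabled only in the locations that serve static assets.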
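Review bot: `proxy_ssl_server_name on;` sends SNI to HTTPS upstreams, but nothing in the hunk authenticates them — nginx's `proxy_ssl_verify` defaults to off, so a TLS upstream is proxied without any certificate check; add `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (path per distribution) and `proxy_ssl_verify_depth 2;` wherever the upstream is https. Separately, `$proxy_add_forwarded` on the `Forwarded` line is not a built-in nginx variable; unless a `map` elsewhere in the configuration defines it, `nginx -t` will fail with an unknown-variable error. Note also that `$proxy_add_x_forwarded_for` appends to a client-supplied header, so upstreams must read the client address from `X-Real-IP` (set from `$remote_addr`) or the last XFF element, never the first; a comment stating that here would prevent the usual spoofing mistake. Finally, `Upgrade` is forwarded while the `Connection $connection_upgrade` line stays commented out, so WebSocket upgrades will not complete through this proxy.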
diff --git a/configs/securityheaders.conf b/configs/securityheaders.conf
new file mode 100644
index 0000000..7f6e72a
--- /dev/null
+++ b/configs/securityheaders.conf
@@ -0,0 +1,12 @@
+# security headers
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+#add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+add_header Permissions-Policy "interest-cohort=()" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+# . files
+location ~ /\.(?!well-known) {
+ deny all;
+}
diff --git a/streams/dns.conf b/streams/dns.conf
new file mode 100644
index 0000000..393346d
--- /dev/null
+++ b/streams/dns.conf
@@ -0,0 +1,29 @@
+# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
+#log_format dns '$remote_addr [$time_local] $protocol "$dns_qname"';
+#access_log /var/log/nginx/dns-access.log dns;
+
+ # Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
+ #js_include /etc/nginx/njs.d/nginx_stream.js;
+
+ # The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
+ #js_set $dns_qname dns_get_qname;
+
+
+upstream dns {
+ zone dns 64k;
+ server 127.0.0.1:5445;
+ #server 127.0.0.1:53;
+}
+server {
+ #listen 853 http3;
+ listen 853 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ ssl_handshake_timeout 10s;
+ ssl_session_cache shared:SSL:20m;
+ ssl_session_timeout 4h;
+ proxy_pass dns;
+}
diff --git a/streams/dns.conf.bak b/streams/dns.conf.bak
new file mode 100644
index 0000000..fe75fa9
--- /dev/null
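Review bot: every `add_header` in this file is silently dropped in any server or location block that declares an `add_header` of its own, because nginx inherits add_header only when the current level defines none; the file needs a header comment saying so, e.g. `# NOTE: add_header is not merged across levels — any block that adds its own header must include this file again or it loses all of these`. `add_header X-XSS-Protection "1; mode=block" always;` is obsolete and the legacy auditor it enables has been abused for cross-site leaks, so current guidance is `add_header X-XSS-Protection "0" always;` with a real Content-Security-Policy as the control — the commented-out CSP with `'unsafe-inline' http: https:` would not block injected script anyway. `Referrer-Policy "no-referrer-when-downgrade"` sends the full path and query to cross-origin HTTPS destinations; `strict-origin-when-cross-origin` is the safer default unless a consumer depends on the full referrer. The HSTS line with `includeSubDomains; preload` commits every subdomain to HTTPS and is slow to reverse once submitted to the preload list, which deserves a one-line comment next to it. Because the file contains a `location` block it can only be included at server level, which the file name does not make obvious.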
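Review bot: `ssl_ciphers HIGH:!aNULL:!MD5;` on the DNS-over-TLS listener still admits static-RSA key exchange and CBC suites under TLS 1.2, so recorded sessions become decryptable if the Let's Encrypt private key is ever exposed; restrict to ECDHE/AEAD suites with `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;`. `ssl_session_timeout 4h;` combined with the default `ssl_session_tickets on` means the ticket key lives for the worker's lifetime and a later key compromise decrypts all resumed sessions; add `ssl_session_tickets off;` or rotate keys with `ssl_session_ticket_key`. The certificate name suggests a public resolver, and the server block has no connection cap, so a `limit_conn_zone $binary_remote_addr zone=dot:10m;` at stream level with `limit_conn dot 20;` in the server would bound per-client fan-out against the Unbound backend. If the commented `"$dns_qname"` log format is ever enabled, query names are personal data and the comment should state the retention expectation.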
+++ b/streams/dns.conf.bak
@@ -0,0 +1,28 @@
+# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
+log_format dns '$remote_addr [$time_local] $protocol';
+access_log /var/log/nginx/dns-access.log dns;
+
+ # Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
+ #js_include /etc/nginx/njs.d/nginx_stream.js;
+
+ # The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
+ #js_set $dns_qname dns_get_qname;
+
+
+upstream dns-servers {
+ #zone dns 64k;
+ server 127.0.0.1:53;
+}
+server {
+ #listen 853 http3;
+ listen 853; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ ssl_handshake_timeout 10s;
+ ssl_session_cache shared:SSL:20m;
+ ssl_session_timeout 4h;
+ proxy_pass dns-servers;
+}
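Review bot: this `.bak` copy should not be committed, and it is not harmless if it is ever loaded: its `listen 853;` has no `ssl` parameter, so despite the certificate lines it would accept plaintext TCP on the DoT port and forward it to `127.0.0.1:53`, while also clashing with the `listen 853 ssl` in `dns.conf` if both are included. Whether it is loaded depends on the stream-level `include` pattern, which is not in this patch — `include streams/*.conf` would skip it, `include streams/*` would not. Its `access_log /var/log/nginx/dns-access.log dns;` is also active, recording every client address with no stated retention. Delete the file from the commit and, if an archive is wanted, keep it outside the include directory.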