caca
This commit is contained in:
parent
d0db1451ad
commit
2f25519215
5 changed files with 100 additions and 0 deletions
11
configs/general.conf
Normal file
11
configs/general.conf
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
# gzip
|
||||||
|
gzip on;
|
||||||
|
gzip_vary on;
|
||||||
|
gzip_proxied any;
|
||||||
|
gzip_comp_level 6;
|
||||||
|
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
|
||||||
|
|
||||||
|
# brotli
|
||||||
|
#brotli on;
|
||||||
|
#brotli_comp_level 6;
|
||||||
|
#brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
|
20
configs/proxyheaders.conf
Normal file
20
configs/proxyheaders.conf
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_cache_bypass $http_upgrade;
|
||||||
|
|
||||||
|
# Proxy SSL
|
||||||
|
proxy_ssl_server_name on;
|
||||||
|
|
||||||
|
# Proxy headers
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
#proxy_set_header Connection $connection_upgrade;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header Forwarded $proxy_add_forwarded;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Forwarded-Host $host;
|
||||||
|
proxy_set_header X-Forwarded-Port $server_port;
|
||||||
|
|
||||||
|
# Proxy timeouts
|
||||||
|
proxy_connect_timeout 60s;
|
||||||
|
proxy_send_timeout 60s;
|
||||||
|
proxy_read_timeout 60s;
|
12
configs/securityheaders.conf
Normal file
12
configs/securityheaders.conf
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
# security headers
|
||||||
|
add_header X-XSS-Protection "1; mode=block" always;
|
||||||
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
|
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||||
|
#add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
|
||||||
|
add_header Permissions-Policy "interest-cohort=()" always;
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
|
||||||
|
# . files
|
||||||
|
location ~ /\.(?!well-known) {
|
||||||
|
deny all;
|
||||||
|
}
|
29
streams/dns.conf
Normal file
29
streams/dns.conf
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
|
||||||
|
#log_format dns '$remote_addr [$time_local] $protocol "$dns_qname"';
|
||||||
|
#access_log /var/log/nginx/dns-access.log dns;
|
||||||
|
|
||||||
|
# Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
|
||||||
|
#js_include /etc/nginx/njs.d/nginx_stream.js;
|
||||||
|
|
||||||
|
# The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
|
||||||
|
#js_set $dns_qname dns_get_qname;
|
||||||
|
|
||||||
|
|
||||||
|
upstream dns {
|
||||||
|
zone dns 64k;
|
||||||
|
server 127.0.0.1:5445;
|
||||||
|
#server 127.0.0.1:53;
|
||||||
|
}
|
||||||
|
server {
|
||||||
|
#listen 853 http3;
|
||||||
|
listen 853 ssl; # managed by Certbot
|
||||||
|
ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
|
|
||||||
|
ssl_handshake_timeout 10s;
|
||||||
|
ssl_session_cache shared:SSL:20m;
|
||||||
|
ssl_session_timeout 4h;
|
||||||
|
proxy_pass dns;
|
||||||
|
}
|
28
streams/dns.conf.bak
Normal file
28
streams/dns.conf.bak
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
|
||||||
|
log_format dns '$remote_addr [$time_local] $protocol';
|
||||||
|
access_log /var/log/nginx/dns-access.log dns;
|
||||||
|
|
||||||
|
# Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
|
||||||
|
#js_include /etc/nginx/njs.d/nginx_stream.js;
|
||||||
|
|
||||||
|
# The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
|
||||||
|
#js_set $dns_qname dns_get_qname;
|
||||||
|
|
||||||
|
|
||||||
|
upstream dns-servers {
|
||||||
|
#zone dns 64k;
|
||||||
|
server 127.0.0.1:53;
|
||||||
|
}
|
||||||
|
server {
|
||||||
|
#listen 853 http3;
|
||||||
|
listen 853; # managed by Certbot
|
||||||
|
ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
|
|
||||||
|
ssl_handshake_timeout 10s;
|
||||||
|
ssl_session_cache shared:SSL:20m;
|
||||||
|
ssl_session_timeout 4h;
|
||||||
|
proxy_pass dns-servers;
|
||||||
|
}
|
Reference in a new issue