From b0df13f6adacab025533133da2f3d84b731e0d23 Mon Sep 17 00:00:00 2001
From: Fijxu
Date: Tue, 22 Nov 2022 03:44:41 -0300
Subject: [PATCH] caca
---
 configs/general.conf | 11 ++++
 configs/proxyheaders.conf | 20 +++++++
 configs/securityheaders.conf | 12 ++++
 nginx.conf | 100 +++++++++++++++++++++++++++++++
 sites-available/gitea.conf | 39 ++++++++++++
 sites-available/ii.zzls.xyz.conf | 40 +++++++++++++
 sites-available/privatebin.conf | 37 ++++++++++++
 sites-available/rimgo.conf | 40 +++++++++++++
 sites-available/selfhost.conf | 42 +++++++++++++
 sites-enabled/gitea.conf | 1 +
 sites-enabled/ii.zzls.xyz.conf | 1 +
 sites-enabled/privatebin.conf | 1 +
 sites-enabled/rimgo.conf | 1 +
 sites-enabled/selfhost.conf | 1 +
 14 files changed, 346 insertions(+)
 create mode 100644 configs/general.conf
 create mode 100644 configs/proxyheaders.conf
 create mode 100644 configs/securityheaders.conf
 create mode 100755 nginx.conf
 create mode 100755 sites-available/gitea.conf
 create mode 100755 sites-available/ii.zzls.xyz.conf
 create mode 100755 sites-available/privatebin.conf
 create mode 100755 sites-available/rimgo.conf
 create mode 100755 sites-available/selfhost.conf
 create mode 120000 sites-enabled/gitea.conf
 create mode 120000 sites-enabled/ii.zzls.xyz.conf
 create mode 120000 sites-enabled/privatebin.conf
 create mode 120000 sites-enabled/rimgo.conf
 create mode 120000 sites-enabled/selfhost.conf
diff --git a/configs/general.conf b/configs/general.conf
new file mode 100644
index 0000000..cbd0161
--- /dev/null
+++ b/configs/general.conf
@@ -0,0 +1,11 @@
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+# brotli
+#brotli on;
+#brotli_comp_level 6;
+#brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
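Review bot: `gzip_proxied any` enables compression for every proxied response, including authenticated dynamic pages from Gitea and PrivateBin (nginx always compresses text/html regardless of `gzip_types`), and compressing responses that place request-controlled text next to a secret is the condition for compression side-channel (BREACH-class) leakage. The usual defensive choice is to compress static assets only, or at least to narrow `gzip_proxied`; whichever way it goes, the trade-off deserves a comment here, e.g. `# gzip_proxied any also compresses dynamic app responses - reviewed for compression side channels`. Separately, nginx.conf loads both brotli modules while every brotli directive in this file is commented out, so the modules are loaded for nothing; either enable the directives or drop the `load_module` lines.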
diff --git a/configs/proxyheaders.conf b/configs/proxyheaders.conf
new file mode 100644
index 0000000..3d8815b
--- /dev/null
+++ b/configs/proxyheaders.conf
@@ -0,0 +1,20 @@
+proxy_http_version 1.1;
+proxy_cache_bypass $http_upgrade;
+
+# Proxy SSL
+proxy_ssl_server_name on;
+
+# Proxy headers
+proxy_set_header Upgrade $http_upgrade;
+#proxy_set_header Connection $connection_upgrade;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Forwarded $proxy_add_forwarded;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
+
+# Proxy timeouts
+proxy_connect_timeout 60s;
+proxy_send_timeout 60s;
+proxy_read_timeout 60s;
diff --git a/configs/securityheaders.conf b/configs/securityheaders.conf
new file mode 100644
index 0000000..7f6e72a
--- /dev/null
+++ b/configs/securityheaders.conf
@@ -0,0 +1,12 @@
+# security headers
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+#add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+add_header Permissions-Policy "interest-cohort=()" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+# . files
+location ~ /\.(?!well-known) {
+ deny all;
+}
diff --git a/nginx.conf b/nginx.conf
new file mode 100755
index 0000000..33fe07d
--- /dev/null
+++ b/nginx.conf
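Review bot: `#proxy_set_header Connection $connection_upgrade;` is commented out while `Upgrade $http_upgrade` is still forwarded, so nginx sends its default `Connection: close` to the upstream and a WebSocket handshake can never complete through this snippet; the `map $http_upgrade $connection_upgrade` block in nginx.conf exists only to feed that line and is dead config as written. Either uncomment it, or if none of the proxied apps use WebSockets, drop the `Upgrade` header and `proxy_cache_bypass $http_upgrade` as well rather than leaving half of the pattern in place. Also worth a comment: `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client already sent, so each upstream has to be configured to trust only this hop (or read `X-Real-IP`) or client-supplied addresses end up in its logs and rate limits, e.g. `# X-Forwarded-For keeps the client-supplied chain; upstreams must trust only this proxy`.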
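Review bot: `add_header X-XSS-Protection "1; mode=block" always;` sets the legacy value; the filter it controls has been removed from current Chromium-based browsers and never existed in Firefox, and the remaining guidance is `X-XSS-Protection "0"` (or omitting the header) because the blocking mode introduced side channels of its own in older engines. `Referrer-Policy "no-referrer-when-downgrade"` is likewise the old browser default; `strict-origin-when-cross-origin` is the usual choice now. One nginx caveat deserves a comment at the top of this file: `add_header` is inherited only when the enclosing level declares no `add_header` of its own, so any `location` that adds a header silently loses all of these unless it re-includes the snippet, e.g. `# NOTE: add_header is not merged across levels - re-include this file in any location that adds its own headers`.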
@@ -0,0 +1,100 @@
+worker_processes auto;
+worker_rlimit_nofile 65535;
+
+# Include Modules
+include /etc/nginx/modules-enabled/*.conf;
+#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
+load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
+
+# This is where we load NJS modules
+#load_module /usr/lib/nginx/modules/ngx_http_js_module.so;
+#load_module /usr/lib/nginx/modules/ngx_stream_js_module.so;
+
+# Include external config
+#include /etc/nginx/conf.d/*.conf;
+
+events {
+ multi_accept on;
+ worker_connections 65535;
+}
+
+stream {
+ include /etc/nginx/streams/*;
+}
+
+http {
+
+ charset utf-8;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ server_tokens off;
+ log_not_found off;
+ types_hash_max_size 4096;
+ types_hash_bucket_size 64;
+ client_max_body_size 16M;
+
+
+ # MIME
+ include mime.types;
+ default_type application/octet-stream;
+
+ # SSL
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ #
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+
+ # Diffie-Hellman parameter for DHE ciphersuites
+ ssl_dhparam /etc/nginx/dhparam.pem;
+
+ # OCSP Stapling
+ #ssl_stapling on;
+ #ssl_stapling_verify on;
+
+ # Logging
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
+
+ # General configs, include in every sites-enabled site
+ #include configs/general.conf;
+
+
+
+
+ # Connection header for WebSocket reverse proxy
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ "" close;
+ }
+
+ map $remote_addr $proxy_forwarded_elem {
+
+ # IPv4 addresses can be sent as-is
+ ~^[0-9.]+$ "for=$remote_addr";
+
+ # IPv6 addresses need to be bracketed and quoted
+ ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+ # Unix domain socket names cannot be represented in RFC 7239 syntax
+ default "for=unknown";
+ }
+
+ map $http_forwarded $proxy_add_forwarded {
+
+ # If the incoming Forwarded header is syntactically valid, append to it
+ "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+ # Otherwise, replace it
+ default "$proxy_forwarded_elem";
+ }
+
+ # Include sites-enabled
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+
+}
diff --git a/sites-available/gitea.conf b/sites-available/gitea.conf
new file mode 100755
index 0000000..5b222aa
--- /dev/null
+++ b/sites-available/gitea.conf
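Review bot: The hardened TLS block at http level (`ssl_protocols`, `ssl_ciphers`, the `ssl_session_*` lines, `ssl_dhparam /etc/nginx/dhparam.pem`) is shadowed in every vhost by `include /etc/letsencrypt/options-ssl-nginx.conf;` and `ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;`, which set the same directives at server level, so what is actually negotiated is whatever Certbot's file says rather than what is written here. Pick one owner for the TLS policy: either drop the http-level block, or remove the Certbot include and dhparam lines from the vhosts and keep the policy in this file. `#ssl_stapling on;` / `#ssl_stapling_verify on;` leave OCSP stapling off; if that is deliberate the comment should say why. The `$proxy_forwarded_elem` / `$proxy_add_forwarded` maps appear to be a copied RFC 7239 snippet, which is fine, but the regex line is long enough that a one-line comment naming its origin would help whoever has to touch it next.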
@@ -0,0 +1,39 @@
+server {
+ access_log /var/log/nginx/git.access.log combined;
+
+ server_name git.zzls.xyz;
+ # Security headers and general settings
+ include configs/securityheaders.conf;
+ include configs/general.conf;
+
+ location / {
+ proxy_pass http://unix:/run/gitea/gitea.socket;
+ include configs/proxyheaders.conf;
+ }
+
+ #add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
+
+ # QUIC
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+ listen 443 http3;
+ listen 443 http2 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/git.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/git.zzls.xyz/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = git.zzls.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name git.zzls.xyz;
+ return 404; # managed by Certbot
+
+
+ }
diff --git a/sites-available/ii.zzls.xyz.conf b/sites-available/ii.zzls.xyz.conf
new file mode 100755
index 0000000..7749cd8
--- /dev/null
+++ b/sites-available/ii.zzls.xyz.conf
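Review bot: `include configs/securityheaders.conf;` also pulls in `location ~ /\.(?!well-known) { deny all; }`, and a regex location outranks `location /`, so any Gitea URL containing `/.` - viewing `.gitignore`, a `.github/workflows` directory, any dotfile in a tree - is answered 403 by nginx instead of being proxied. That deny rule belongs to vhosts with a filesystem `root`; for proxied apps include only the header lines, i.e. split the snippet into a headers-only file and a separate dotfiles file that the static vhosts include. The same include sits in rimgo.conf and ii.zzls.xyz.conf, so check those as well. Separately, `listen 443 http3;` (repeated in the other four vhosts) is the pre-1.25 nginx-quic spelling; if this runs mainline nginx the expected form is `listen 443 quic reuseport;`, and the QUIC docs recommend `reuseport` so a connection's datagrams stay on one worker under `worker_processes auto`.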
@@ -0,0 +1,40 @@
+server {
+ access_log /var/log/nginx/ii.access.log combined;
+ error_log /var/log/nginx/ii.error.log;
+
+ root /opt/ImageUpload/ifiles/;
+ index index.html index.htm index.nginx-debian.html;
+
+ server_name ii.zzls.xyz;
+ include configs/general.conf;
+ include configs/securityheaders.conf;
+
+ location /upload {
+ client_max_body_size 4096M;
+ auth_basic "Restricted Content";
+ auth_basic_user_file /etc/fileupload.htpasswd;
+ proxy_pass http://localhost:40006;
+ include configs/proxyheaders.conf;
+ }
+
+ listen 443 http3;
+ listen 443 ssl http2; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/ii.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/ii.zzls.xyz/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = ii.zzls.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name ii.zzls.xyz;
+ return 404; # managed by Certbot
+
+
+ }
diff --git a/sites-available/privatebin.conf b/sites-available/privatebin.conf
new file mode 100755
index 0000000..3383197
--- /dev/null
+++ b/sites-available/privatebin.conf
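Review bot: `root /opt/ImageUpload/ifiles/;` serves the upload store from the same origin as the `/upload` endpoint, presumably with whatever content type `mime.types` derives from the stored filename; an uploaded HTML or SVG file would then render in that origin for anyone who opens the link, which is the standard stored-content risk for a file host, and whether the service on `localhost:40006` already restricts types is not visible here. A dedicated `location` for the stored files that adds `Content-Disposition "attachment"` for non-image types, or at least `Content-Security-Policy "sandbox" always`, would contain it; that location must re-include securityheaders.conf, since an `add_header` inside it drops the inherited headers. Also, `client_max_body_size 4096M;` with the default `proxy_request_buffering on` means nginx spools up to 4 GiB per request into `client_body_temp_path` before forwarding; `proxy_request_buffering off;` in `/upload` streams it to the upstream instead.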
@@ -0,0 +1,37 @@
+server {
+ access_log /var/log/nginx/pbin.access.log combined;
+
+ server_name pbin.zzls.xyz;
+ include configs/general.conf;
+
+ location / {
+ proxy_pass http://localhost:40001;
+ include configs/proxyheaders.conf;
+ }
+
+ #include configs/securityheaders.conf;
+ # QUIC
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+
+ listen 443 ssl http2;
+ listen 443 http3; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/pbin.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/pbin.zzls.xyz/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = pbin.zzls.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name pbin.zzls.xyz;
+ return 404; # managed by Certbot
+
+
+ }
diff --git a/sites-available/rimgo.conf b/sites-available/rimgo.conf
new file mode 100755
index 0000000..fe1fd32
--- /dev/null
+++ b/sites-available/rimgo.conf
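Review bot: With `#include configs/securityheaders.conf;` commented out, pbin.zzls.xyz is the only HTTPS vhost in this commit that sends no `Strict-Transport-Security`; PrivateBin emits its own CSP and X-* headers, which is presumably why the include was dropped, but HSTS is a transport property the proxy should own, so add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` at server level together with a comment explaining why the shared snippet is skipped here. Minor: the `# managed by Certbot` marker landed on `listen 443 http3;` instead of on `listen 443 ssl http2;` (same in selfhost.conf), which may confuse Certbot's own later edits of these files.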
@@ -0,0 +1,40 @@
+server {
+ access_log /dev/null;
+ error_log /dev/null;
+
+ server_name ri.zzls.xyz;
+ include configs/general.conf;
+
+ location / {
+ proxy_pass http://127.0.0.1:40002/;
+ include configs/proxyheaders.conf;
+ }
+
+ # security headers
+ include configs/securityheaders.conf;
+ #add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
+
+ # QUIC
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+ listen 443 http3;
+ listen 443 http2 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/ri.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/ri.zzls.xyz/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = ri.zzls.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name ri.zzls.xyz;
+ return 404; # managed by Certbot
+
+
+ }
diff --git a/sites-available/selfhost.conf b/sites-available/selfhost.conf
new file mode 100755
index 0000000..be6f3d3
--- /dev/null
+++ b/sites-available/selfhost.conf
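Review bot: `error_log /dev/null;` discards nginx's own errors for this vhost, not just visitor data, so a misbehaving upstream at `127.0.0.1:40002` or a certificate problem leaves nothing to investigate; the privacy goal is already met by dropping the access log alone. Suggest `access_log off;` (the nginx idiom, rather than writing to `/dev/null`) and something like `error_log /var/log/nginx/rimgo.error.log error;`, with a comment such as `# no access log: privacy frontend; errors are still kept for operations`.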
@@ -0,0 +1,42 @@
+server {
+ access_log /var/log/nginx/selfhost.log combined;
+ root /var/www/html;
+ index index.html index.htm index.nginx-debian.html;
+
+ server_name selfhost.zzls.xyz;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ # security headers
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ #add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'";
+ add_header Permissions-Policy "interest-cohort=()" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN";
+
+ # QUIC
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+ listen 443 ssl http2;
+ listen 443 http3; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/selfhost.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/selfhost.zzls.xyz/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = selfhost.zzls.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name selfhost.zzls.xyz;
+ return 404; # managed by Certbot
+
+
+ }
diff --git a/sites-enabled/gitea.conf b/sites-enabled/gitea.conf
new file mode 120000
index 0000000..d9c8a67
--- /dev/null
+++ b/sites-enabled/gitea.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/gitea.conf
\ No newline at end of file
diff --git a/sites-enabled/ii.zzls.xyz.conf b/sites-enabled/ii.zzls.xyz.conf
new file mode 120000
index 0000000..0d4d1f8
--- /dev/null
+++ b/sites-enabled/ii.zzls.xyz.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/ii.zzls.xyz.conf
\ No newline at end of file
diff --git a/sites-enabled/privatebin.conf b/sites-enabled/privatebin.conf
new file mode 120000
index 0000000..a148c47
--- /dev/null
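Review bot: The security headers under `# security headers` are spelled out inline instead of via `include configs/securityheaders.conf;`, and the copy has already drifted: there is no `X-Content-Type-Options`, HSTS lacks the `preload` the shared snippet carries, and `add_header X-Frame-Options "SAMEORIGIN";` has no `always`, so that header is absent on error responses such as the `=404` from `try_files`. Replace the inline `add_header` lines with `include configs/securityheaders.conf;` plus `add_header X-Frame-Options "SAMEORIGIN" always;` - the snippet's dotfile deny rule is appropriate here since this vhost serves a filesystem `root` - and keep the CSP draft as a comment if it is still in progress.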
+++ b/sites-enabled/privatebin.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/privatebin.conf
\ No newline at end of file
diff --git a/sites-enabled/rimgo.conf b/sites-enabled/rimgo.conf
new file mode 120000
index 0000000..b8713bb
--- /dev/null
+++ b/sites-enabled/rimgo.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/rimgo.conf
\ No newline at end of file
diff --git a/sites-enabled/selfhost.conf b/sites-enabled/selfhost.conf
new file mode 120000
index 0000000..239180c
--- /dev/null
+++ b/sites-enabled/selfhost.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/selfhost.conf
\ No newline at end of file