caca
This commit is contained in:
parent
11fffaa619
commit
d0db1451ad
5 changed files with 193 additions and 0 deletions
85
nginx.conf
Executable file
85
nginx.conf
Executable file
|
|
@ -0,0 +1,85 @@
|
|||
|
||||
worker_processes auto;
|
||||
worker_rlimit_nofile 65535;
|
||||
|
||||
# Include Modules
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
|
||||
|
||||
# Include external config
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
|
||||
events {
|
||||
multi_accept on;
|
||||
worker_connections 65535;
|
||||
}
|
||||
|
||||
stream {
|
||||
include /etc/nginx/streams/*.conf;
|
||||
}
|
||||
|
||||
http {
|
||||
|
||||
charset utf-8;
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
server_tokens off;
|
||||
log_not_found off;
|
||||
types_hash_max_size 4096;
|
||||
types_hash_bucket_size 64;
|
||||
|
||||
# MIME
|
||||
include mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# SSL
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
|
||||
ssl_prefer_server_ciphers off;
|
||||
#
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
# Diffie-Hellman parameter for DHE ciphersuites
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
|
||||
# OCSP Stapling
|
||||
#ssl_stapling on;
|
||||
#ssl_stapling_verify on;
|
||||
|
||||
# Connection header for WebSocket reverse proxy
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
"" close;
|
||||
}
|
||||
|
||||
map $remote_addr $proxy_forwarded_elem {
|
||||
|
||||
# IPv4 addresses can be sent as-is
|
||||
~^[0-9.]+$ "for=$remote_addr";
|
||||
|
||||
# IPv6 addresses need to be bracketed and quoted
|
||||
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
|
||||
|
||||
# Unix domain socket names cannot be represented in RFC 7239 syntax
|
||||
default "for=unknown";
|
||||
}
|
||||
|
||||
map $http_forwarded $proxy_add_forwarded {
|
||||
|
||||
# If the incoming Forwarded header is syntactically valid, append to it
|
||||
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
|
||||
|
||||
# Otherwise, replace it
|
||||
default "$proxy_forwarded_elem";
|
||||
}
|
||||
|
||||
# Include sites-enabled and config
|
||||
# include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
|
||||
}
|
||||
38
sites-available/counter.conf
Executable file
38
sites-available/counter.conf
Executable file
|
|
@ -0,0 +1,38 @@
|
|||
server {
|
||||
access_log /var/log/nginx/count.ayaya.pics.access.log combined;
|
||||
|
||||
server_name count.ayaya.pics;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:41000/;
|
||||
}
|
||||
|
||||
# security headers
|
||||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||
add_header Permissions-Policy "interest-cohort=()" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
|
||||
# QUIC
|
||||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||
|
||||
listen 443 http3;
|
||||
listen 443 http2 ssl; # managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/count.ayaya.pics/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/count.ayaya.pics/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
|
||||
}
|
||||
server {
|
||||
if ($host = count.ayaya.pics) {
|
||||
return 301 https://$host$request_uri;
|
||||
} # managed by Certbot
|
||||
|
||||
|
||||
listen 80;
|
||||
|
||||
server_name count.ayaya.pics;
|
||||
return 404; # managed by Certbot
|
||||
}
|
||||
|
||||
68
sites-available/searxng.conf
Executable file
68
sites-available/searxng.conf
Executable file
|
|
@ -0,0 +1,68 @@
|
|||
server {
|
||||
access_log /dev/null;
|
||||
error_log /dev/null;
|
||||
|
||||
server_name search.zzls.xyz;
|
||||
include configs/general.conf;
|
||||
include configs/securityheaders.conf;
|
||||
|
||||
|
||||
if ($server_protocol ~* "HTTP/1.0") {
|
||||
return 444;
|
||||
}
|
||||
if ($http_user_agent ~* (python) ) {
|
||||
return 403;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:8888/;
|
||||
#
|
||||
proxy_http_version 1.1;
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
|
||||
# Proxy headers for the Limiter
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Connection $http_connection;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
}
|
||||
|
||||
location /searx/static/ {
|
||||
alias /usr/local/searx/searx-src/searx/static/;
|
||||
}
|
||||
|
||||
# Onion Service Header
|
||||
add_header Onion-Location http://searxdr3pqz4nydgnqocsia2xbywptxbkympa2emn7zlgggrir4bkfad.onion$request_uri;
|
||||
|
||||
# QUIC
|
||||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||
|
||||
quic_retry on;
|
||||
quic_gso on;
|
||||
ssl_early_data on;
|
||||
ssl_session_ticket_key /etc/nginx/http3key.key;
|
||||
|
||||
listen 443 http3;
|
||||
listen 443 ssl http2; # managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/search.zzls.xyz/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/search.zzls.xyz/privkey.pem; # managed by Certbot
|
||||
#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
if ($host = search.zzls.xyz) {
|
||||
return 301 https://$host$request_uri;
|
||||
} # managed by Certbot
|
||||
|
||||
|
||||
listen 80;
|
||||
|
||||
server_name search.zzls.xyz;
|
||||
return 404; # managed by Certbot
|
||||
|
||||
|
||||
}
|
||||
1
sites-enabled/counter.conf
Symbolic link
1
sites-enabled/counter.conf
Symbolic link
|
|
@ -0,0 +1 @@
|
|||
/etc/nginx/sites-available/counter.conf
|
||||
1
sites-enabled/searxng.conf
Symbolic link
1
sites-enabled/searxng.conf
Symbolic link
|
|
@ -0,0 +1 @@
|
|||
/etc/nginx/sites-available/searxng.conf
|
||||
Loading…
Reference in a new issue