diff --git a/configs/proxy.conf b/configs/proxy.conf index 9da3006..418a306 100644 --- a/configs/proxy.conf +++ b/configs/proxy.conf @@ -19,6 +19,6 @@ proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Host $host; # Proxy timeouts -#proxy_connect_timeout 60s; -#proxy_send_timeout 60s; -#proxy_read_timeout 60s; +proxy_connect_timeout 30s; +proxy_send_timeout 60s; +proxy_read_timeout 60s; diff --git a/configs/upstreams.conf b/configs/upstreams.conf index ecf03bd..b089e24 100644 --- a/configs/upstreams.conf +++ b/configs/upstreams.conf @@ -5,11 +5,11 @@ upstream php-fpm-8.3 { lua_shared_dict servers 12k; upstream inv { server 127.0.0.1:11101; - server 127.0.0.1:11102; - server 127.0.0.1:11103; - server 127.0.0.1:11104; - server 127.0.0.1:11105; - balancer_by_lua_file "conf/lua/invidious-balancer.lua"; + # server 127.0.0.1:11102; + # server 127.0.0.1:11103; + # server 127.0.0.1:11104; + # server 127.0.0.1:11105; + # balancer_by_lua_file "conf/lua/invidious-balancer.lua"; } upstream invidious-1 { @@ -42,6 +42,16 @@ upstream inv-feed-receiver { server 127.0.0.1:20090; } +upstream http3-ytproxy-backend1 { + keepalive 512; + server 127.0.0.1:10081; +} + +upstream invidious-companion-backend1 { + keepalive 128; + server 127.0.0.1:10080; +} + upstream http3-ytproxy { keepalive 128; server unix:/tmp/http3-ytproxy.sock; @@ -108,4 +118,4 @@ upstream forgejo { server unix:/run/forgejo/forgejo.sock backup; } -include configs/debug-upstreams.conf; \ No newline at end of file +include configs/debug-upstreams.conf; diff --git a/http.d/git.conf b/http.d/git.conf index 7a7de28..848d42d 100644 --- a/http.d/git.conf +++ b/http.d/git.conf 
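Review bot: In configs/upstreams.conf, the new `http3-ytproxy-backend1` (`keepalive 512`) and `invidious-companion-backend1` (`keepalive 128`) pools only reuse upstream connections if the proxying location speaks HTTP/1.1 with the Connection header cleared. Both new `location /` blocks in http.d/inv.conf include configs/proxy.conf, but this diff shows only its timeout section, so please confirm it carries `proxy_http_version 1.1;` and `proxy_set_header Connection "";`. Without them, requests to 127.0.0.1:10081 and 127.0.0.1:10080 would likely open a new connection each time and the keepalive pools would sit unused. A one-line comment above each `keepalive` saying why 512 versus 128 was chosen would help the next reader.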
@@ -8,11 +8,11 @@ server { include configs/robots.conf; location / { - if ($blocked_agent = 1) { - return 200 " - 1. The Industrial Revolution and its consequences have been a disaster for the human race. They have greatly increased the life-expectancy of those of us who live in “advanced” countries, but they have destabilized society, have made life unfulfilling, have subjected human beings to indignities, have led to widespread psychological suffering (in the Third World to physical suffering as well) and have inflicted severe damage on the natural world. The continued development of technology will worsen the situation. It will certainly subject human beings to greater indignities and inflict greater damage on the natural world, it will probably lead to greater social disruption and psychological suffering, and it may lead to increased physical suffering even in “advanced” countries. - "; - } + # if ($blocked_agent = 1) { + # return 200 " + # 1. The Industrial Revolution and its consequences have been a disaster for the human race. They have greatly increased the life-expectancy of those of us who live in “advanced” countries, but they have destabilized society, have made life unfulfilling, have subjected human beings to indignities, have led to widespread psychological suffering (in the Third World to physical suffering as well) and have inflicted severe damage on the natural world. The continued development of technology will worsen the situation. It will certainly subject human beings to greater indignities and inflict greater damage on the natural world, it will probably lead to greater social disruption and psychological suffering, and it may lead to increased physical suffering even in “advanced” countries. + # "; + # } proxy_pass http://forgejo; include configs/proxy.conf; client_max_body_size 1024M; diff --git a/http.d/inv.conf b/http.d/inv.conf index 9daf70d..dd23019 100644 --- a/http.d/inv.conf +++ b/http.d/inv.conf 
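Review bot: Commenting out the `if ($blocked_agent = 1)` guard in `location /` of http.d/git.conf leaves the Forgejo vhost with no agent filtering in this block, while the same commit adds a `$blocked_agent` check to http.d/inv.conf. If the guard is being dropped on purpose, delete the lines rather than keeping a commented-out copy and say why in the commit message. If it is only paused, a short comment such as `# blocked_agent check disabled temporarily: <reason>` keeps the intent visible. Should the filter come back, `if ($blocked_agent = 1) { return 403; }` gives logs and monitoring an honest status instead of a 200 with filler text. The `server` block continues outside the hunk, so includes such as a ban list may exist that are not visible here.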
@@ -7,11 +7,11 @@ map $host $invidious_backend { inv5.nadeko.net invidious-5; } -map $invidious_backend $cache_case { - default ""; - inv $cookie_INVIDIOUS_SERVER_ID; - invidious-* $invidious_backend; -} +# map $invidious_backend $cache_case { +# default ""; +# inv $cookie_INVIDIOUS_SERVER_ID; +# invidious-* $invidious_backend; +# } # CLEARNET TOR AND I2P # (Tor and I2P listens on 4080, defined on configs/listen.conf) @@ -23,23 +23,37 @@ server { inv.nadekonw7plitnjuawu6ytjsl7jlglk2t6pyq6eftptmiv3dvqndwvyd.onion ~^inv([1-5])\.nadekonw7plitnjuawu6ytjsl7jlglk2t6pyq6eftptmiv3dvqndwvyd\.onion$; include configs/listen.conf; include configs/robotsNone.conf; + include configs/asn-ban.conf; + include configs/manual-ip-ban.conf; # MAINTENANCE MODE # include configs/maintenance-mode.conf; # The messed up invidious configuration include http.d/locations/inv.conf; - if ($http_user_agent = "") { + if ($blocked_agent = 1) { + return 403 " + Hi! You got blocked by network security!!! + Nah, just kidding, your IP range is blocked from + accessing this server/service. + + If you think this is an error, contact me at: + https://nadeko.net/contact + "; + } + + if ($ssl_cipher = "ECDHE-ECDSA-CHACHA20-POLY1305") { return 444; } - if ($request_method = OPTIONS) { - return 204; - } + # + # if ($http_user_agent = "") { + # return 444; + # } error_page 502 /502.html; error_page 503 /503.html; - #rewrite_by_lua_file conf/lua/rewrite-invidious/init.lua; +#rewrite_by_lua_file conf/lua/rewrite-invidious/init.lua; location = /503.html { content_by_lua_file conf/lua/503-invidious.lua; @@ -49,9 +63,9 @@ server { content_by_lua_file conf/lua/502-invidious.lua; } - location = /switchbackend { - content_by_lua_file conf/lua/switchbackend.lua; - } + # location = /switchbackend { + # content_by_lua_file conf/lua/switchbackend.lua; + # } } # CLEARNET FEED 
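Review bot: In the second hunk of http.d/inv.conf, `if ($ssl_cipher = "ECDHE-ECDSA-CHACHA20-POLY1305") { return 444; }` closes the connection for every client that negotiates that standard TLS 1.2 suite, not only the traffic it is presumably aimed at. Legitimate clients that prefer ChaCha20 may be cut off with no response to explain why. If this is a stop-gap, add a comment such as `# TEMP: drops all clients negotiating this suite, including legitimate ones; remove once asn-ban/manual-ip-ban cover the source`, and consider pairing the cipher with a second signal in a `map` instead of blocking on it alone. The 403 body returned for `$blocked_agent` tells the visitor their "IP range" is blocked although the variable name suggests a user-agent match (its `map` is not shown here), which will misdirect anyone using the contact link. The hunk also removes the `OPTIONS` → 204 shortcut and the empty-User-Agent check, so those requests now reach the backend; please confirm that is intended.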
@@ -62,18 +76,37 @@ server { include configs/listen.conf; include configs/robotsNone.conf; - # The messed up invidious configuration +# The messed up invidious configuration include http.d/locations/inv-feed.conf; } # INVIDIOUS COMPANION +server { + server_name inv-cl1-c.nadeko.net; + include configs/listen.conf; + include configs/robotsNone.conf; + + location / { + proxy_pass http://invidious-companion-backend1; + include configs/proxy.conf; + } +} + server { server_name inv-cl1.nadeko.net; include configs/listen.conf; include configs/robotsNone.conf; location / { - proxy_pass http://127.0.0.1:10080; + limit_rate 4000k; + proxy_pass http://http3-ytproxy-backend1; include configs/proxy.conf; + sendfile_max_chunk 512k; + tcp_nopush on; + aio threads=default; + aio_write on; + directio 16m; + proxy_hide_header Cache-Control; + add_header Cache-Control private always; } } diff --git a/http.d/locations/inv.conf b/http.d/locations/inv.conf index c2ed548..f9408c1 100644 --- a/http.d/locations/inv.conf +++ b/http.d/locations/inv.conf @@ -7,16 +7,13 @@ location @upstream { proxy_pass http://$invidious_backend; include configs/proxy.conf; + proxy_intercept_errors on; limit_rate 1000k; # To reduce the load in the main storage proxy_buffering off; proxy_request_buffering off; #proxy_cache off; - - if ($request_method = OPTIONS) { - return 204; - } } location @http3-proxy { @@ -43,11 +40,12 @@ location /index.html { } location ~ (^/videoplayback) { - return 403 " - Videoplayback requests are not allowed in this endpoint. - Yes, this is an error. If you find it, please report it to - https://git.nadeko.net/Fijxu/invidious"; - try_files $uri @http3-proxy; + # return 403 " + # Videoplayback requests are not allowed in this endpoint. + # Yes, this is an error. If you find it, please report it to + # https://git.nadeko.net/Fijxu/invidious"; + #try_files $uri @http3-proxy; + try_files $uri @upstream; } location / { 
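Review bot: The new `inv-cl1-c.nadeko.net` server and the repointed `inv-cl1.nadeko.net` server in http.d/inv.conf include only configs/listen.conf and configs/robotsNone.conf, while the main Invidious server gains `include configs/asn-ban.conf;` and `include configs/manual-ip-ban.conf;` in this same commit. Unless those lists are pulled in through listen.conf (not visible here), ranges blocked on the front end can still reach `invidious-companion-backend1` and `http3-ytproxy-backend1` directly through these hostnames. Adding the same two `include` lines to both server blocks would keep the policy consistent. Separately, `aio threads=default`, `directio 16m` and `sendfile_max_chunk 512k` act on file I/O; in a pure `proxy_pass` location they presumably only affect buffered temp files, so a comment stating the intent would help.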
@@ -59,8 +57,20 @@ location /search { limit_req zone=invidious-searchrl nodelay burst=3; } -location /watch { +location /watch_ajax { try_files $uri @upstream; +} + +location /watch { + proxy_pass http://$invidious_backend; + include configs/proxy.conf; + limit_rate 1000k; + + # To reduce the load in the main storage + proxy_buffering off; + proxy_request_buffering off; + # proxy_cache off; + # try_files $uri @upstream; limit_req zone=invidious-watchrl nodelay burst=3; } diff --git a/http.d/matrix.conf b/http.d/matrix.conf index a056181..6c5802c 100644 --- a/http.d/matrix.conf +++ b/http.d/matrix.conf @@ -38,6 +38,7 @@ # } # server { + access_log /var/log/nginx/matrix.nadeko.net.access.log; server_name matrix.nadeko.net; include configs/listen.conf; include configs/general.conf; @@ -65,13 +66,25 @@ server { location ~ ^(/_matrix|/_synapse/client|/health|/_synapse/metrics|/_synapse/admin) { proxy_pass http://127.0.0.1:10022; include configs/proxy.conf; - client_max_body_size 32M; + client_max_body_size 64M; } + # location ~ ^(/_matrix/client|/matrix/federation|/_matrix/key/v2/query|/_synapse/client) { + # proxy_pass http://127.0.0.1:10022; + # include configs/proxy.conf; + # client_max_body_size 64M; + # } + # + # location ~ ^(/_matrix/media|/_matrix/client/v1/media|/_matrix/federation/v1/media) { + # proxy_pass http://127.0.0.1:10023; + # include configs/proxy.conf; + # client_max_body_size 64M; + # } + location / { - proxy_pass http://127.0.0.1:10023; + proxy_pass http://127.0.0.1:10024; include configs/proxy.conf; - client_max_body_size 32M; + client_max_body_size 64M; } #listen 443 ssl reuseport; diff --git a/http.d/pbin.conf b/http.d/pbin.conf index dac6540..bc6ad10 100644 --- a/http.d/pbin.conf +++ b/http.d/pbin.conf @@ -7,6 +7,7 @@ server { include configs/general.conf; include configs/security.conf; include configs/robotsNone.conf; + include configs/asn-ban.conf; client_max_body_size 128M; location / { 
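Review bot: In http.d/locations/inv.conf, the rewritten `location /watch` copies the body of `@upstream` but omits the `proxy_intercept_errors on;` that this commit adds to `@upstream`. Backend 502/503 responses on `/watch` will therefore bypass the `error_page 502 /502.html` and `error_page 503 /503.html` handlers declared in http.d/inv.conf; add `proxy_intercept_errors on;` here if the custom pages should apply. The new `location /watch_ajax` also carries no `limit_req`, whereas `/watch` keeps `limit_req zone=invidious-watchrl nodelay burst=3;`. If the AJAX endpoint costs the backend as much as the page itself, it is an unthrottled way around that limit. Duplicating the proxy directives inline also means later changes to `@upstream` will not reach `/watch`, so a short comment explaining why `try_files $uri @upstream;` was replaced would help.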
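Review bot: In the second hunk of http.d/matrix.conf, the active regex location still forwards `/_synapse/admin` and `/_synapse/metrics` from the public `matrix.nadeko.net` vhost to 127.0.0.1:10022, and the commit touches that block only to raise `client_max_body_size` to 64M. The commented-out draft added below it lists a narrower set of paths without either endpoint, which suggests the split is already planned. Until it lands, consider dropping `|/_synapse/metrics|/_synapse/admin` from the regex, or moving them to their own location guarded by `allow <admin-network>; deny all;` (placeholder value), unless access is already restricted in an include that is not visible here. The `location /` upstream also changes from port 10023 to 10024 with no comment; a note on what listens there would help reviewers.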
diff --git a/http.d/redirector.conf b/http.d/redirector.conf new file mode 100644 index 0000000..19eea25 --- /dev/null +++ b/http.d/redirector.conf @@ -0,0 +1,14 @@ +# https://stackoverflow.com/a/39563133 +server { + server_name ~^(?\w+)\.zzls\.xyz$; + rewrite ^ https://$name.nadeko.net$request_uri? permanent; + + listen 80; +} + +# HTTPS Redirector +server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; +} diff --git a/http.d/redlib.conf b/http.d/redlib.conf index b4973ab..8c8d73d 100644 --- a/http.d/redlib.conf +++ b/http.d/redlib.conf @@ -1,4 +1,5 @@ server { + access_log /var/log/nginx/redlib.access.log; server_name redlib.nadeko.net redlib.nadekonw7plitnjuawu6ytjsl7jlglk2t6pyq6eftptmiv3dvqndwvyd.onion; @@ -9,6 +10,11 @@ server { include configs/robotsNone.conf; location / { + # return 200 " + # Adding captcha, instance is being bombed with bots, + # with random IPs and random user agents. + # Why we can't have nice things anymore? + # "; if ($blocked_agent = 1) { return 200 " 1. The Industrial Revolution and its consequences have been a disaster for the human race. They have greatly increased the life-expectancy of those of us who live in “advanced” countries, but they have destabilized society, have made life unfulfilling, have subjected human beings to indignities, have led to widespread psychological suffering (in the Third World to physical suffering as well) and have inflicted severe damage on the natural world. The continued development of technology will worsen the situation. It will certainly subject human beings to greater indignities and inflict greater damage on the natural world, it will probably lead to greater social disruption and psychological suffering, and it may lead to increased physical suffering even in “advanced” countries. diff --git a/lua/503-invidious.lua b/lua/503-invidious.lua index 8eadc40..31b561c 100644 --- a/lua/503-invidious.lua +++ b/lua/503-invidious.lua 
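Review bot: In the new http.d/redirector.conf, the catch-all `listen 80 default_server; server_name _;` block answers with `return 301 https://$host$request_uri;`, and `$host` there is whatever Host header the client sent. A request carrying an arbitrary Host therefore gets a redirect to that name from this server. For the default server it is safer to `return 444;` for unknown names and keep the HTTPS redirect in blocks with an explicit `server_name`, or to redirect to a fixed canonical hostname. Also, as rendered on this page the first block reads `server_name ~^(?\w+)\.zzls\.xyz$;` while the rewrite uses `$name`; the capture name was probably lost in rendering, but please confirm the file has `(?<name>\w+)`.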
@@ -1,6 +1,5 @@ ngx.header.content_type = 'text/html'; --- local backend_num = ngx.shared.servers:get("invidious-servers"); -local backend_num = 4; +local backend_num = ngx.shared.servers:get("inv-backends"); local function generate_backend_list() local html = "" diff --git a/nginx.conf b/nginx.conf index f46d3f7..8816b8b 100644 --- a/nginx.conf +++ b/nginx.conf @@ -10,11 +10,19 @@ events { quic_bpf on; http { + map_hash_max_size 4096; + map_hash_bucket_size 128; + map $server_addr $unix { default 0; "~unix:" 1; } + + log_format detailed-debug '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" "$ssl_cipher"'; + include configs/cache.conf; include configs/luaconfig.conf;
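Review bot: In lua/503-invidious.lua, `ngx.shared.servers:get("inv-backends")` returns nil when the key has never been written or has been evicted from the 12k `servers` zone, and nothing in this hunk guards against that. The same commit comments out `balancer_by_lua_file "conf/lua/invidious-balancer.lua"` in configs/upstreams.conf; if that script was what populated the key (not visible here), the 503 page would now always read nil. Consider `local backend_num = tonumber(ngx.shared.servers:get("inv-backends")) or 1;`, choosing a fallback that matches the current pool size, so the error page still renders. `generate_backend_list` continues outside the hunk, so how it consumes `backend_num` cannot be checked from here.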