phantom/etc-configs
1
0
Fork 0
forked from Fijxu/etc-configs
Code Pull requests Activity

Compare commits

merge into: phantom:main
Branches Tags
phantom:main
phantom:selfhost
phantom:oracle
phantom:vpsus
phantom:veil
phantom:vpscl
phantom:selfhost-old
Fijxu:selfhost
Fijxu:vpsus
Fijxu:main
Fijxu:veil-old
Fijxu:oracle-old
Fijxu:vpscl-old
Fijxu:selfhost-old
...
pull from: phantom:oracle
Branches Tags
phantom:selfhost
phantom:main
phantom:oracle
phantom:vpsus
phantom:veil
phantom:vpscl
phantom:selfhost-old
Fijxu:selfhost
Fijxu:vpsus
Fijxu:main
Fijxu:veil-old
Fijxu:oracle-old
Fijxu:vpscl-old
Fijxu:selfhost-old

No commits in common. "main" and "oracle" have entirely different histories.
main ... oracle

17 changed files with 442 additions and 16 deletions
Show stats Expand all files Collapse all files

16
README.md
View file

@ -1,16 +0,0 @@
You can find my server configs in this repo, they are split in different branches.
- [🌑 Selfhost Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/selfhost)
- [🇺🇸 VPS Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/vpsus)
- [🌌 Veil Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/veil) (**New**)
- [🇨🇱 Oracle VPS Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/oracle)
#### Suggestions or Issues?
If you got any suggestions to the nginx configs or something that is not to your liking within the privacy-focused services I provide; Open an issue or a pull request in any config. You can either create an account with your real E-mail or with a throw away one (But probably you will be considered as a bad actor for me if you don't provide any real identity like GitHub, GitLab, Codeberg or anything like that, so make sure to link any of those).
*Contact*: [https://nadeko.net/contact](https://nadeko.net/contact)

34
nginx/conf.d/count.ayaya.beauty.conf Normal file
View file

@ -0,0 +1,34 @@
server {
server_name count.ayaya.beauty count.nadeko.net;
include configs/general.conf;
include configs/security.conf;
include configs/robotsNone.conf;
location / {
proxy_pass http://counter;
include configs/proxy.conf;
}
# QUIC
include configs/http3.conf;
listen 443 ssl;
http2 on;
}
server {
set $x "";
if ($host = count.ayaya.beauty) {
set $x 1;
}
if ($host = count.nadeko.net) {
set $x 1;
}
if ($x = 1) {
return 301 https://$host$request_uri;
}
server_name count.ayaya.beauty count.nadeko.net;
listen 80;
return 404;
}

44
nginx/conf.d/ri.zzls.xyz.conf Normal file
View file

@ -0,0 +1,44 @@
server {
server_name ri.zzls.xyz ri.nadeko.net;
include configs/general.conf;
include configs/robotsNone.conf;
location / {
proxy_pass http://rimgo;
include configs/proxy.conf;
}
# QUIC
include configs/http3.conf;
listen 443 ssl;
http2 on;
}
# TOR
server {
listen 10040;
server_name rimgo.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion rimgo.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion;
location / {
proxy_pass http://rimgo;
include configs/proxy.conf;
}
}
server {
set $x "";
if ($host = ri.zzls.xyz) {
set $x 1;
}
if ($host = ri.nadeko.net) {
set $x 1;
}
if ($x = 1) {
return 301 https://$host$request_uri;
}
listen 80;
server_name ri.zzls.xyz ri.nadeko.net;
}

87
nginx/conf.d/search.zzls.xyz.conf Normal file
View file

@ -0,0 +1,87 @@
server {
server_name search.zzls.xyz search.nadeko.net;
include configs/general.conf;
location @socket {
uwsgi_pass searxng;
include uwsgi_params;
uwsgi_param HTTP_HOST $host;
uwsgi_param HTTP_CONNECTION $http_connection;
# see flaskfix.py
uwsgi_param HTTP_X_SCHEME $scheme;
#uwsgi_param HTTP_X_SCRIPT_NAME /searxng;
# see limiter.py
uwsgi_param HTTP_X_REAL_IP $remote_addr;
uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
}
location / {
try_files $uri @socket;
}
location /search {
try_files $uri @socket;
if ($server_protocol ~* "HTTP/1.1") {
return 444;
}
}
# Onion Service Header
add_header Onion-Location http://search.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion$request_uri;
# QUIC
include configs/http3.conf;
# CSP + Security Headers
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=63072000; preload" always;
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
listen 443 ssl;
http2 on;
}
server {
listen 10040;
server_name search.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion;
include configs/general.conf;
location @socket {
uwsgi_pass searxng;
include uwsgi_params;
uwsgi_param HTTP_HOST $host;
uwsgi_param HTTP_CONNECTION $http_connection;
# see flaskfix.py
uwsgi_param HTTP_X_SCHEME $scheme;
#uwsgi_param HTTP_X_SCRIPT_NAME /searxng;
# see limiter.py
uwsgi_param HTTP_X_REAL_IP $remote_addr;
uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
}
location / {
try_files $uri @socket;
}
# CSP + Security Headers
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=63072000; preload" always;
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
}
server {
set $x "";
if ($host = search.zzls.xyz) {
set $x 1;
}
if ($host = search.nadeko.net) {
set $x 1;
}
if ($x = 1) {
return 301 https://$host$request_uri;
}
listen 80;
server_name search.zzls.xyz search.nadeko.net;
return 404;
}

11
nginx/configs/general.conf Normal file
View file

@ -0,0 +1,11 @@
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
if ($poop) {
return 444;
}

2
nginx/configs/http3.conf Normal file
View file

@ -0,0 +1,2 @@
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 quic;

21
nginx/configs/proxy.conf Normal file
View file

@ -0,0 +1,21 @@
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy SSL
proxy_ssl_server_name on;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;

1
nginx/configs/robotsNone.conf Normal file
View file

@ -0,0 +1 @@
location /robots.txt { return 200 "User-agent: *\nDisallow: /";}

7
nginx/configs/security.conf Normal file
View file

@ -0,0 +1,7 @@
# security headers
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "same-origin" always;
add_header X-Frame-Options "sameorigin" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

5
nginx/configs/ssl.conf Normal file
View file

@ -0,0 +1,5 @@
# ECDSA
ssl_certificate /etc/ssl/nadeko.net/fullchain.ec.crt;
ssl_certificate_key /etc/ssl/nadeko.net/nadeko.net.ec.key;
include configs/sslConfig.conf;

12
nginx/configs/sslConfig.conf Normal file
View file

@ -0,0 +1,12 @@
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_early_data on;
# Custom 4096bits Diffie-Hellman parameter for DHE ciphersuites (Not the one bundled with letsencrypt
# Changed to a custom one for trust purposes
ssl_dhparam /etc/nginx/dhparam.pem;

11
nginx/configs/upstreams.conf Normal file
View file

@ -0,0 +1,11 @@
upstream rimgo {
server 127.0.0.1:10001;
}
upstream counter {
server 127.0.0.1:10002;
}
upstream searxng {
server unix:/usr/local/searxng/run/socket;
}

13
nginx/dhparam.pem Normal file
View file

@ -0,0 +1,13 @@
-----BEGIN DH PARAMETERS-----
MIICDAKCAgEAiK/Y67KsiSrOlySdj5iBvVc64vUPIZOBWxQ05ggVhuTWJeZKGjes
/R6VA43Zh9Yo1U2cQl5semyPNzseEk5cwiK1ZOXz9WJiCmrdOFkB9uIpcL0Gz/r6
56m4F9ki1/ikJZzKRiBxvt6rQS9K4FMjkMliOFqwqVCt1Bh3EYYXebUjWrkKHb4t
kraEorQbObFodvKcBVG7dcI4EVZhL6wgznp/xZdHYG65jo1GPC7yTJHiTuvD7Ng9
EsMssnfpdss3f6SmtWGuAkH7vWht7NJse3oePiTRVRiFuW4i4wO5Omu4CJ8kKlwi
dmG8/o4eQbYWNqfMsCZFBx04i33SsUFQAPZXUQGGmLeNNFdncA0g3agN457ZQvuS
buhMpiZUw2sI13UH1D7vZBZSTvc+cleRk2w24wHqcMJ8HAuHQ4WhdrC24w8uD8H8
hJu78K4FibQ7no1syZEhHR/8AkRPAj/dGMlgJQ/dpI07cll/yMiICkytUydYPwT4
+lXbT+oN1rwA7HSttkMFt+z2Oi3RtH9VaIl3zY5bRCk28+GW2mo8+bL5JGl0qooe
OQsYn+mbZLdtUYhYaaYktJaLyPyQ6WtrssJas+gSdW/1RmT+WRkARaIC201WS+aS
guGOj0Lr0My+pW/Jj3wB8Hi6tpm+02KNaQUFubNWgcQZU33Ejj1rnfcCAQICAgFF
-----END DH PARAMETERS-----

99
nginx/mime.types Normal file
View file

@ -0,0 +1,99 @@
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}

59
nginx/nginx.conf Normal file
View file

@ -0,0 +1,59 @@
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 2048;
multi_accept off;
}
http {
log_format limited '$remote_addr - $remote_user [$time_local] '
'"$request_method /bogus $server_protocol" $status $body_bytes_sent '
'"-" "Bogus/66.6"';
access_log off;
error_log /dev/null;
# Basic Settings
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 1024;
types_hash_bucket_size 64;
server_names_hash_bucket_size 128;
# MIME
include mime.types;
# SSL
include configs/ssl.conf;
# reset timed out connections freeing ram
reset_timedout_connection on;
# maximum time between packets the client can pause when sending nginx any data
client_body_timeout 10s;
# maximum time the client has to send the entire header to nginx
client_header_timeout 10s;
# timeout which a single keep-alive client connection will stay open
keepalive_timeout 65s;
# maximum time between packets nginx is allowed to pause when sending the client data
send_timeout 10s;
# PERFORMANCE / ASYNC I/O
aio threads=default;
aio_write on;
directio 2m;
# Maps
include /etc/nginx/snippets/maps.conf;
include /etc/nginx/snippets/poop.conf;
include /etc/nginx/configs/upstreams.conf;
include /etc/nginx/conf.d/*.conf;
}

27
nginx/snippets/maps.conf Normal file
View file

@ -0,0 +1,27 @@
# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}

9
nginx/snippets/poop.conf Normal file
View file

@ -0,0 +1,9 @@
map $http_user_agent $poop {
default 0;
~*my-tiny-bot 1;
~*thesis-research-bot 1;
~*SemrushBot 1;
~*Bytespider 1;
~*PetalBot 1;
~*Amazonbot 1;
}