rg.vern.cc and lemmy

2022-08-09 16:33:01 -04:00 · 2022-08-09 16:33:01 -04:00 · 4497614dcf
parent b53efa73e1
commit 4497614dcf
7 changed files with 103 additions and 14 deletions
--- a/common/lemmy.conf
+++ b/common/lemmy.conf
@ -0,0 +1,50 @@
+# Enable compression for JS/CSS/HTML bundle, for improved client load times.
+# It might be nice to compress JSON, but leaving that out to protect against potential
+# compression+encryption information leak attacks like BREACH.
+gzip on;
+gzip_types text/css application/javascript image/svg+xml;
+gzip_vary on;
+# Various content security headers
+add_header Referrer-Policy "same-origin";
+add_header X-Content-Type-Options "nosniff";
+add_header X-Frame-Options "DENY";
+add_header X-XSS-Protection "1; mode=block";
+client_max_body_size 20M;
+# frontend
+location / {
+	# The default ports:
+	# lemmy_ui_port: 1235
+ 	# lemmy_port: 8536
+
+ 	set $proxpass "http://0.0.0.0:1235";
+	if ($http_accept ~ "^application/.*$") {
+  	set $proxpass "http://0.0.0.0:8536";
+ 	}
+ 	if ($request_method = POST) {
+   	set $proxpass "http://0.0.0.0:8536";
+ 	}
+ 	proxy_pass $proxpass;
+
+ 	rewrite ^(.+)/+$ $1 permanent;
+
+ 	proxy_set_header Host $host;
+ 	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
+# backend
+location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
+	proxy_pass http://0.0.0.0:8536;
+  	proxy_http_version 1.1;
+  	proxy_set_header Upgrade $http_upgrade;
+  	proxy_set_header Connection "upgrade";
+  	proxy_set_header X-Real-IP $remote_addr;
+  	proxy_set_header Host $host;
+  	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
+
+# Redirect pictshare images to pictrs
+location ~ /pictshare/(.*)$ {
+	return 301 /pictrs/image/$1;
+}
+
--- a/sites-available/0x0.conf
+++ b/sites-available/0x0.conf
@ -19,22 +19,13 @@ server {
 server {
 	listen 80;
 	listen [::]:80;
-	server_name 0.vern.cc vern0.me;
+	server_name 0.vern.cc;

 	location / {
 		return 301 https://$host$request_uri;
 	}
 }

-server {
-	listen 443 ssl http2;
-	server_name vern0.me;
-	ssl_certificate_key /etc/letsencrypt/live/vern0.me/privkey.pem;
-	ssl_certificate /etc/letsencrypt/live/vern0.me/fullchain.pem;
-
-	include snippets/headers.conf;
-	include common/0x0.conf;
-}

 server {
 	listen 443 ssl http2;
--- a/sites-available/lemmy.conf
+++ b/sites-available/lemmy.conf
@ -0,0 +1,47 @@
+
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name lm.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion lemmy.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+
+	include common/lemmy.conf;
+}
+
+server {
+	listen 11028;
+	listen [::]:11028;
+
+	server_name vernyxzw3aktrg3v5qpkj4eyiwc4iucdw3czwesop6f466joq6wa.b32.i2p;
+
+	include common/lemmy.conf;
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+	server_name lm.vern.cc lemmy.vern.cc;
+	location / {
+		return 301 https://$host$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name lm.vern.cc lemmy.vern.cc;
+
+	include snippets/lets-encrypt.conf;
+
+	# Various TLS hardening settings
+	# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+	ssl_session_timeout  10m;
+	ssl_session_tickets on;
+	ssl_stapling on;
+	ssl_stapling_verify on;
+    	add_header Strict-Transport-Security "max-age=63072000";
+	include common/lemmy.conf;
+}
--- a/sites-available/rimgo.conf
+++ b/sites-available/rimgo.conf
@ -2,7 +2,7 @@ server {
 	listen 80;
 	listen [::]:80;

-	server_name rimgo.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion imgur.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+	server_name rg.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion rimgo.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion imgur.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;

 	include common/rimgo.conf;
 }
@ -19,7 +19,7 @@ server {
 server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
-	server_name rimgo.vern.cc imgur.vern.cc;
+	server_name rg.vern.cc rimgo.vern.cc imgur.vern.cc;
 	include snippets/lets-encrypt.conf;
 	include snippets/headers.conf;
 	include common/rimgo.conf;
@ -27,7 +27,7 @@ server {

 server {
 	listen 80;
-	server_name rimgo.vern.cc imgur.vern.cc;
+	server_name rg.vern.cc rimgo.vern.cc imgur.vern.cc;
 	listen [::]:80;
 	return 301 https://$host$request_uri;
 }
--- a/sites-enabled/00website.conf
+++ b/sites-enabled/00website.conf
--- a/sites-enabled/lemmy.conf
+++ b/sites-enabled/lemmy.conf
@ -0,0 +1 @@
+/etc/nginx/sites-available/lemmy.conf
--- a/snippets/headers.conf
+++ b/snippets/headers.conf
@ -9,4 +9,4 @@ ssl_stapling_verify on;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
-add_header Referrer-Policy "no-referrer" always;
+add_header Referrer-Policy "same-origin" always;