From 49594e86a2b8b6a48591fe65245a6377612bc768 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 5 Aug 2022 23:45:00 -0400
Subject: [PATCH] 0x0 new domain, remove peertube
---
 common/piped.conf | 6 +++
 sites-available/0x0.conf | 17 ++++++--
 sites-available/aryak.ml.conf | 30 -------------
 sites-available/ldap.conf | 18 --------
 sites-available/mail.vern.cc.conf | 3 +-
 sites-available/peertube.conf | 71 -------------------------------
 sites-available/piped.conf | 50 ++++++++++++++++++++++
 sites-enabled/peertube.conf | 1 -
 sites-enabled/piped.conf | 1 +
 snippets/headers.conf | 7 +++
 snippets/lets-encrypt.conf | 2 +-
 snippets/user.vern.conf | 8 +++-
 snippets/ytproxy.conf | 26 +++++++++++
 13 files changed, 113 insertions(+), 127 deletions(-)
 create mode 100644 common/piped.conf
 delete mode 100644 sites-available/aryak.ml.conf
 delete mode 100644 sites-available/ldap.conf
 delete mode 100644 sites-available/peertube.conf
 create mode 100644 sites-available/piped.conf
 delete mode 120000 sites-enabled/peertube.conf
 create mode 120000 sites-enabled/piped.conf
 create mode 100644 snippets/ytproxy.conf
diff --git a/common/piped.conf b/common/piped.conf
new file mode 100644
index 0000000..fec54a8
--- /dev/null
+++ b/common/piped.conf
@@ -0,0 +1,6 @@
+add_header Onion-Location http://piped.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+location / {
+ proxy_pass http://localhost:8005/; # The / is important!
+ proxy_set_header Host $host;
+}
diff --git a/sites-available/0x0.conf b/sites-available/0x0.conf
index 41e6be9..6fd2e87 100644
--- a/sites-available/0x0.conf
+++ b/sites-available/0x0.conf
@@ -19,7 +19,7 @@ server {
 server {
 listen 80;
 listen [::]:80;
- server_name 0.vern.cc;
+ server_name 0.vern.cc vern0.me;
 location / {
 return 301 https://$host$request_uri;
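Review bot: The `Onion-Location` header at the top of this snippet names only the `piped.` onion host, but the snippet is also included by the `pipedapi.vern.cc` and `pipedproxy.vern.cc` servers in the sites-available/piped.conf hunk, so those two hosts advertise the frontend's onion address instead of the `pipedapi.`/`pipedproxy.` onion names that hunk's port-80 `server_name` lists. Either move the `add_header Onion-Location …` line out of the shared snippet into each 443 server block with its matching onion host, or derive it from the request host, e.g. `add_header Onion-Location http://$onion_host$request_uri;` fed by a `map $host $onion_host { … }` at http level (`$onion_host` is a constructed name). Tor Browser's documentation describes Onion-Location as honoured only on HTTPS responses, so the header is redundant on the plain-HTTP onion server that includes this snippet as well; harmless, but a one-line comment would save the next reader the question.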
@@ -28,8 +28,19 @@ server {
 server {
 listen 443 ssl http2;
- server_name 0.vern.cc;
- include /etc/nginx/snippets/lets-encrypt.conf;
+ server_name vern0.me;
+ ssl_certificate_key /etc/letsencrypt/live/vern0.me/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/vern0.me/fullchain.pem;
+ include snippets/headers.conf;
 include common/0x0.conf;
 }
+
+server {
+ listen 443 ssl http2;
+ server_name 0.vern.cc;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/0x0.conf;
+
+}
diff --git a/sites-available/aryak.ml.conf b/sites-available/aryak.ml.conf
deleted file mode 100644
index 88feccc..0000000
--- a/sites-available/aryak.ml.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- listen 8448 ssl http2;
- listen [::]:8448 ssl http2;
- server_name matrix.aryak.ml;
- merge_slashes off;
-
- location /_matrix/ {
- proxy_pass http://10.7.0.4:6167$request_uri;
- proxy_set_header Host $http_host;
- proxy_buffering off;
- }
-ssl_certificate /etc/letsencrypt/live/matrix.aryak.ml/fullchain.pem; # EDIT THIS
-ssl_certificate_key /etc/letsencrypt/live/matrix.aryak.ml/privkey.pem; # EDIT THIS
-
-
- location /.well-known/matrix/server {
- add_header Access-Control-Allow-Origin '*' always;
- add_header Content-Type application/json;
- return 200 '{"m.server": "matrix.aryak.ml:443"}';
- }
-
- location /.well-known/matrix/client {
- add_header Access-Control-Allow-Origin '*' always;
- add_header Content-Type application/json;
- return 200 '{"m.homeserver": {"base_url": "https://matrix.aryak.ml"}}';
- }
-}
-
diff --git a/sites-available/ldap.conf b/sites-available/ldap.conf
deleted file mode 100644
index 224ab76..0000000
--- a/sites-available/ldap.conf
+++ /dev/null
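Review bot: The new `vern0.me` server (and the re-added `0.vern.cc` one below it) listens on `443` only, while the port-80 block in the first hunk of this file also listens on `[::]:80` and redirects to `https://$host`; an IPv6 client is therefore sent to a 443 socket these blocks do not serve, and if another vhost listens on `[::]:443` (sites-available/piped.conf does) it will be answered by that vhost's certificate instead. Add `listen [::]:443 ssl http2;` to both blocks, or drop the `[::]:80` listener so the two sides agree. Separately, the vern0.me block inlines its certificate paths but no longer includes `snippets/lets-encrypt.conf`, so whatever else that snippet sets (`ssl_dhparam` and `resolver` are visible in its hunk) is absent here unless it is also defined at http level; since `snippets/headers.conf` now turns on `ssl_stapling_verify`, a missing resolver would leave stapling broken for this host only. Moving the non-certificate directives of lets-encrypt.conf into a snippet that both blocks include would keep the two hosts on the same TLS settings.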
@@ -1,18 +0,0 @@
-server {
-listen 443 ssl http2;
-server_name ldapadmin.vern.cc;
-include snippets/lets-encrypt.conf;
-# document root
-root /usr/share/phpldapadmin/htdocs;
-index index.php index.html index.htm;
-
-location / {
- try_files $uri $uri/ /index.php;
-}
-location ~ \.php$ {
- fastcgi_pass unix:/run/php/php7.4-fpm.sock;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- include /etc/nginx/fastcgi_params;
-}
-}
diff --git a/sites-available/mail.vern.cc.conf b/sites-available/mail.vern.cc.conf
index 3ef0a7a..a74affe 100644
--- a/sites-available/mail.vern.cc.conf
+++ b/sites-available/mail.vern.cc.conf
@@ -28,6 +28,7 @@ server {
 server_name mail.vern.cc;
 include snippets/lets-encrypt.conf;
- include snippets/headers.conf;
+# include snippets/headers.conf;
 include common/mail.conf;
+ ssl_protocols TLSv1.2 TLSv1.3;
 }
diff --git a/sites-available/peertube.conf b/sites-available/peertube.conf
deleted file mode 100644
index 087202c..0000000
--- a/sites-available/peertube.conf
+++ /dev/null
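Review bot: Commenting out `include snippets/headers.conf;` silently drops X-Frame-Options, X-Content-Type-Options and the other response headers for mail.vern.cc, and the hunk records no reason; the only thing put back is `ssl_protocols TLSv1.2 TLSv1.3;`, so this host also loses the cipher list and OCSP stapling that headers.conf now carries (see the snippets/headers.conf hunk). I assume the include conflicts with something in common/mail.conf, which is outside this hunk; if so, write it down, e.g. `# headers.conf disabled: <reason>; TLS settings repeated below`. Splitting the ssl_* directives out of headers.conf into their own snippet would let this host keep the shared TLS policy while opting out of the headers.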
@@ -1,71 +0,0 @@
-# Minimum Nginx version required: 1.13.0 (released Apr 25, 2017)
-# Please check your Nginx installation features the following modules via 'nginx -V':
-# STANDARD HTTP MODULES: Core, Proxy, Rewrite, Access, Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream, AIO Multithreading.
-# THIRD PARTY MODULES: None.
-
-server {
- listen 80;
- listen [::]:80;
- server_name pt.vern.cc;
-
- location /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/certbot;
- }
- location / { return 301 https://$host$request_uri; }
-}
-
-server {
- listen 80;
- listen [::]:80;
-
- server_name pt.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
-
- include common/peertube.conf;
-}
-
-server {
- listen 11011;
- listen [::]:11011;
-
- server_name verncceu2kgz54wi7r5jatgmx2mqtsh3knxhiy4m5shescuqtqfa.b32.i2p;
-
- include common/peertube.conf;
-}
-
-upstream ptbackend {
- server 127.0.0.1:9000;
-}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name pt.vern.cc;
-
- ##
- # Certificates
- # you need a certificate to run in production. 
see https://letsencrypt.org/
- ##
- include snippets/lets-encrypt.conf;
- location ^~ '/.well-known/acme-challenge' {
- default_type "text/plain";
- root /var/www/certbot;
- }
-
- ##
- # Security hardening (as of Nov 15, 2020)
- # based on Mozilla Guideline v5.6
- ##
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
- ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
- ssl_session_timeout 1d; # defaults to 5m
- ssl_session_tickets off;
- ssl_stapling on;
- ssl_stapling_verify on;
- # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
- #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
-
- include common/peertube.conf;
-}
diff --git a/sites-available/piped.conf b/sites-available/piped.conf
new file mode 100644
index 0000000..9aeed10
--- /dev/null
+++ b/sites-available/piped.conf
@@ -0,0 +1,50 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name piped.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion pipedapi.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion pipedproxy.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+
+ include common/piped.conf;
+}
+
+#server {
+# listen 11013;
+# listen [::]:11013;
+#
+# server_name vernnflenvsqccuanaun7yydnmturi4jkyxlyzhn6ultpje66c3q.b32.i2p;
+#
+# include common/quetre.conf;
+#}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name piped.vern.cc;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/piped.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name pipedapi.vern.cc;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/piped.conf;
+}
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name pipedproxy.vern.cc;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/piped.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name piped.vern.cc pipedapi.vern.cc pipedproxy.vern.cc;
+}
diff --git a/sites-enabled/peertube.conf b/sites-enabled/peertube.conf
deleted file mode 120000
index 351c1c2..0000000
--- a/sites-enabled/peertube.conf
+++ /dev/null
@@ -1 +0,0 @@
-/etc/nginx/sites-available/peertube.conf
\ No newline at end of file
diff --git a/sites-enabled/piped.conf b/sites-enabled/piped.conf
new file mode 120000
index 0000000..2018563
--- /dev/null
+++ b/sites-enabled/piped.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/piped.conf
\ No newline at end of file
diff --git a/snippets/headers.conf b/snippets/headers.conf
index 0fe51b2..f4031df 100644
--- a/snippets/headers.conf
+++ b/snippets/headers.conf
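Review bot: The commented-out i2p server block still includes `common/quetre.conf`, which reads like a copy-paste leftover from another site; if it is ever uncommented it will serve the wrong backend on port 11013, so change it to `# include common/piped.conf;` now or drop the block until the i2p address is ready. The three 443 servers differ only in `server_name` and could be one block listing all three names, unless per-host headers are planned. In the final redirect block `return 301 …` is written before `server_name`; nginx does not care about directive order in server context, but putting `server_name` first matches the other blocks in this file.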
@@ -3,3 +3,10 @@ add_header X-Content-Type-Options "nosniff" always;
 add_header X-XSS-Protection "1; mode=block" always;
 #add_header Content-Security-Policy "default-src 'self'; font-src 'self'; img-src 'self' https://i.creativecommons.org/ https://licensebuttons.net/; style-src 'self' 'unsafe-inline'" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
+ssl_stapling on;
+ssl_stapling_verify on;
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+add_header Referrer-Policy "no-referrer" always;
diff --git a/snippets/lets-encrypt.conf b/snippets/lets-encrypt.conf
index 8280be4..4e83bb4 100644
--- a/snippets/lets-encrypt.conf
+++ b/snippets/lets-encrypt.conf
@@ -8,4 +8,4 @@ ssl_dhparam /etc/letsencrypt/live/vern.cc/dhparam;
 # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
 # replace with the IP address of your resolver
-resolver 9.9.9.9;
+resolver 213.186.33.99;
diff --git a/snippets/user.vern.conf b/snippets/user.vern.conf
index 9e250d5..b154625 100644
--- a/snippets/user.vern.conf
+++ b/snippets/user.vern.conf
@@ -1,11 +1,15 @@
 add_header Onion-Location http://$user.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
-error_log /var/log/nginx/vern.cc-error.log crit;
+error_log /var/log/nginx/vern.cc-error.log info;
 root /sshfs/home/$user/public_html;
 index index.html index.php index.cgi index.py index.sh index.pl index.lua;
+location @extensionless-php {
+ rewrite ^(.*)$ $1.php last;
+}
+
 location ~ \.php$ {
- fastcgi_pass 192.168.122.30:9000;
+ fastcgi_pass unix:/sshfs/run/phpfpm/mypool.sock;
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
 }
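Review bot: The ssl_* directives added after `X-Frame-Options` put TLS policy into a snippet whose name and existing content are about response headers, so every server that wants the headers now also gets the cipher suite and stapling settings and vice versa; the mail.vern.cc.conf hunk already shows the cost, disabling the whole include and duplicating `ssl_protocols`. Moving these six lines to a dedicated snippet (say `snippets/tls.conf`, included next to `snippets/lets-encrypt.conf`) keeps the two concerns separable. Also, per the nginx documentation `ssl_stapling_verify on` wants the issuer chain trusted via `ssl_trusted_certificate`, which the lets-encrypt.conf hunk shows commented out, and a `resolver`, which only hosts including that snippet get (the vern0.me block in 0x0.conf does not); check the error log for a stapling warning after reload. A comment naming the source and date of the cipher list (`# intermediate configuration` suggests the Mozilla generator) would help the next refresh.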
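Review bot: `resolver 213.186.33.99;` replaces 9.9.9.9 with no comment saying whose resolver this is, even though the line above tells the reader to use their own; this is the address every vhost now uses for OCSP-stapling lookups, so record it, e.g. `resolver 213.186.33.99; # <provider> resolver, used for OCSP stapling lookups`. If a local caching resolver exists on the host, pointing this at `127.0.0.1` would keep those lookups off the network and avoid a hard dependency on a third party for stapling.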
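Review bot: `location @extensionless-php` is added but nothing in this hunk refers to it (no `try_files … @extensionless-php`), and the file continues past line 15; if the reference is not further down, the block is dead and `rewrite ^(.*)$ $1.php last;` never runs. If it is wired in, note that the rewrite appends `.php` to any request URI and hands it to the `\.php$` location with `$realpath_root$fastcgi_script_name`, so a `try_files $uri =404;` inside the PHP location would stop PHP-FPM being asked about paths that do not exist as files. `fastcgi_pass unix:/sshfs/run/phpfpm/mypool.sock;` — if `/sshfs` is an SSHFS mount as the name suggests, nginx cannot connect() to a Unix socket through it; confirm this path is a bind mount or local directory. The `error_log` change from `crit` to `info` is unexplained; if it is a temporary debugging aid, mark it `# TODO revert to crit`.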
diff --git a/snippets/ytproxy.conf b/snippets/ytproxy.conf
new file mode 100644
index 0000000..7fc0e47
--- /dev/null
+++ b/snippets/ytproxy.conf
@@ -0,0 +1,26 @@
+add_header Access-Control-Allow-Origin *;
+add_header Access-Control-Allow-Headers *;
+if ($request_method = OPTIONS ) {
+ return 200;
+}
+proxy_buffering on;
+proxy_set_header Host $arg_host;
+proxy_ssl_server_name on;
+proxy_set_header X-Forwarded-For "";
+proxy_set_header CF-Connecting-IP "";
+proxy_hide_header "alt-svc";
+sendfile on;
+sendfile_max_chunk 512k;
+tcp_nopush on;
+aio threads=default;
+aio_write on;
+directio 2m;
+proxy_hide_header Cache-Control;
+proxy_hide_header etag;
+proxy_http_version 1.1;
+proxy_set_header Connection keep-alive;
+proxy_max_temp_file_size 0;
+access_log off;
+proxy_pass http://unix:/var/run/ytproxy/http-proxy.sock;
+
+
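Review bot: `proxy_set_header Host $arg_host;` sends whatever the client put in the `host` query argument as the upstream Host header, and nothing in this snippet restricts it, so the allow-list of permitted hosts has to live in the service behind `/var/run/ytproxy/http-proxy.sock`; confirm it enforces one, because together with `Access-Control-Allow-Origin *` this otherwise exposes a general-purpose fetch endpoint to any origin. The snippet is not included by any file in this patch (sites-available/piped.conf does not reference it), so it is inert until wired in; if that is intended for a follow-up, say so in a comment at the top. When it is included, nginx's add_header inheritance means the two `add_header` lines here replace, rather than extend, the headers.conf set for that scope, so the security headers will be absent on proxied responses unless repeated here. `access_log off;` is a reasonable privacy choice for media traffic, but it also removes the only record of abuse of the proxy; note the trade-off next to the line, e.g. `access_log off; # privacy: no per-request logging of proxied media`.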