diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..751553b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.bak
diff --git a/README.md b/README.md
index e3b033e..83c3c21 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
-# nginx-configs
+# ~vern nginx configurations
-~vern nginx configurations
\ No newline at end of file
+The configurations used by ~vern's nginx server. This is basically just a clone of the /etc/nginx directory.
diff --git a/common/gitea.conf b/common/gitea.conf
new file mode 100644
index 0000000..8ea8bb3
--- /dev/null
+++ b/common/gitea.conf
@@ -0,0 +1,11 @@
+add_header Onion-Location http://git.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+location / {
+ client_max_body_size 100m;
+ proxy_pass http://localhost:3000/; # The / is important!
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_cookie_path / "/; Secure; HttpOnly; SameSite=lax";
+}
diff --git a/common/invidious.conf b/common/invidious.conf
new file mode 100644
index 0000000..2f11d2e
--- /dev/null
+++ b/common/invidious.conf
@@ -0,0 +1,13 @@
+add_header Onion-Location http://inv.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+access_log off;
+error_log /var/log/nginx/error.log crit;
+
+location / {
+ proxy_pass http://10.7.0.1:2500/;
+# proxy_pass http://127.0.0.1:2500/; # in case we cant host it on vps anymore
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host; # so Invidious knows domain
+ proxy_http_version 1.1; # to keep alive
+ proxy_set_header Connection ""; # to keep alive
+}
diff --git a/common/librarian.conf b/common/librarian.conf
new file mode 100644
index 0000000..39c2311
--- /dev/null
+++ b/common/librarian.conf
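Review bot: `proxy_pass http://10.7.0.1:2500/` in invidious.conf sends viewer traffic (search terms, watch URLs) as clear HTTP to another host, so this hop is only as private as the link behind 10.7.0.1; if that address is not already a WireGuard/VPN endpoint it should be, and a comment stating the assumption would help the next reader, e.g. `# 10.7.0.1 is reached over the VPS tunnel; plain HTTP is acceptable only because that link is encrypted`. The overwrite form `X-Forwarded-For $remote_addr` is the right choice here because it discards any client-supplied value, unlike the appending `$proxy_add_x_forwarded_for` used in gitea.conf. The commented-out `127.0.0.1:2500` fallback changes the trust boundary, so switching between the two should not be treated as a cosmetic edit.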
@@ -0,0 +1,12 @@
+add_header Onion-Location http://lbry.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+access_log off;
+error_log /var/log/nginx/error.log crit;
+
+location / {
+ proxy_pass http://127.0.0.1:3001/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host; # so Invidious knows domain
+ proxy_http_version 1.1; # to keep alive
+ proxy_set_header Connection ""; # to keep alive
+}
diff --git a/common/libreddit.conf b/common/libreddit.conf
new file mode 100644
index 0000000..b8263ce
--- /dev/null
+++ b/common/libreddit.conf
@@ -0,0 +1,9 @@
+add_header Onion-Location http://lr.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+location / {
+ proxy_pass http://localhost:2501/; # The / is important!
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
diff --git a/common/libretranslate.conf b/common/libretranslate.conf
new file mode 100644
index 0000000..0cca7c5
--- /dev/null
+++ b/common/libretranslate.conf
@@ -0,0 +1,8 @@
+add_header Onion-Location http://lt.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+location / {
+ proxy_pass http://localhost:5001/; # The / is important!
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
diff --git a/common/mail.conf b/common/mail.conf
new file mode 100644
index 0000000..31485b5
--- /dev/null
+++ b/common/mail.conf
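Review bot: `location /` in libretranslate.conf forwards neither `X-Forwarded-For` nor `X-Real-IP`, so the backend sees every request as coming from 127.0.0.1; if LibreTranslate's per-client request limit is enabled it then shares a single bucket across all users (one abuser locks everyone out, or the limit is effectively off), and abuse cannot be attributed afterwards. Add `proxy_set_header X-Forwarded-For $remote_addr;` in the overwrite form, as invidious.conf does, so a client cannot spoof its own address. libreddit.conf in the same commit has the same omission, and librarian.conf's `# so Invidious knows domain` is a copy-paste leftover that should name librarian.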
@@ -0,0 +1,49 @@
+add_header Onion-Location http://mail.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+root /srv/modoboa/instance;
+
+client_max_body_size 10M;
+
+access_log /var/log/nginx/mail.vern.cc-access.log;
+error_log /var/log/nginx/mail.vern.cc-error.log;
+
+location /sitestatic/ {
+ try_files $uri $uri/ =404;
+}
+
+location /media/ {
+ try_files $uri $uri/ =404;
+}
+
+location ^~ /new-admin {
+ alias /srv/modoboa/instance/frontend/;
+ index index.html;
+
+ expires -1;
+ add_header Pragma "no-cache";
+ add_header Cache-Control "no-store, no-cache, must-revalidate, post-check=0, pre-check=0";
+
+ try_files $uri $uri/ /index.html = 404;
+}
+
+location / {
+ include uwsgi_params;
+ uwsgi_param UWSGI_SCRIPT instance.wsgi:application;
+ uwsgi_pass modoboa;
+}
+
+location ~* ^/autodiscover/autodiscover.xml {
+ include uwsgi_params;
+ uwsgi_pass automx;
+}
+location /mobileconfig {
+ include uwsgi_params;
+ uwsgi_pass automx;
+}
+
+location /radicale/ {
+ proxy_pass http://localhost:5232/; # The / is important!
+ proxy_set_header X-Script-Name /radicale;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass_header Authorization;
+}
diff --git a/common/mastodon.conf b/common/mastodon.conf
new file mode 100644
index 0000000..f0015ff
--- /dev/null
+++ b/common/mastodon.conf
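Review bot: `location ^~ /new-admin { alias /srv/modoboa/instance/frontend/; …` is the nginx alias-traversal pattern: the location prefix has no trailing slash while the alias does, so a request such as `/new-admin../instance/settings.py` is mapped to `/srv/modoboa/instance/frontend/../instance/settings.py` and nginx will serve files one directory above the frontend — presumably the Django project itself, which would expose SECRET_KEY and database credentials. Use matching slashes, `location ^~ /new-admin/ { alias /srv/modoboa/instance/frontend/;`, and add `location = /new-admin { return 301 /new-admin/; }` if the bare path must keep working. The fallback `try_files $uri $uri/ /index.html = 404;` is also malformed: `=404` must be a single token, so as written `/index.html` and `=` are probed as files and the literal URI `404` becomes the fallback; `try_files $uri $uri/ /index.html;` is what a single-page frontend wants. Lastly, `proxy_pass_header Authorization` in the radicale block is a no-op — that directive governs response headers, and the request's Authorization header is forwarded by default.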
@@ -0,0 +1,51 @@ +add_header Onion-Location http://fedi.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri; + +keepalive_timeout 70; +sendfile on; +client_max_body_size 80m; + +root /home/mastodon/live/public; + +gzip on; +gzip_disable "msie6"; +gzip_vary on; +gzip_proxied any; +gzip_comp_level 6; +gzip_buffers 16 8k; +gzip_http_version 1.1; +gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon; + +#add_header Strict-Transport-Security "max-age=31536000" always; + +location / { + try_files $uri @proxy; +} + +location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) { + add_header Cache-Control "public, max-age=31536000, immutable"; + try_files $uri @proxy; +} + +location /sw.js { + add_header Cache-Control "public, max-age=0"; + try_files $uri @proxy; +} + +location @proxy { + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Proxy ""; + proxy_pass_header Server; + + proxy_pass http://backend; + proxy_buffering on; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_cache CACHE; + proxy_cache_valid 200 7d; + proxy_cache_valid 410 24h; +} diff --git a/common/mirror.conf b/common/mirror.conf new file mode 100644 index 0000000..beb7d42 --- /dev/null +++ b/common/mirror.conf @@ -0,0 +1,9 @@ +add_header Onion-Location http://mirror.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri; +root /var/mirror/mirror; +ssi on; + +location / { + add_before_body /nav.html; + autoindex on; + autoindex_exact_size off; +} diff --git a/common/nextcloud.conf b/common/nextcloud.conf new file mode 100644 index 0000000..bd5ebc4 --- /dev/null +++ b/common/nextcloud.conf 
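Review bot: `ssi on` combined with `autoindex on` over `/var/mirror/mirror` in mirror.conf means nginx evaluates SSI directives in any file under the mirror tree whose type is in `ssi_types` (text/html by default), and mirrored content is by definition not authored by this server's operator — an `<!--#include virtual="…"-->` inside a mirrored HTML page would be executed with nginx's own access. If `ssi on` is only there so that `nav.html` can use SSI, say so in a comment (`# ssi is needed only for nav.html; mirrored html is processed too — keep ssi_types at its default`) and confirm `ssi_types` has not been widened elsewhere; otherwise set `ssi off;` inside `location /` and build the navigation bar from a plain static file. Either way the risk should be recorded in the file rather than left implicit.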
@@ -0,0 +1,144 @@ +add_header Onion-Location http://nc.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri; + +# Path to the root of your installation +root /var/www/nextcloud; + +# Prevent nginx HTTP Server Detection +server_tokens off; + +# HSTS settings +# WARNING: Only add the preload option once you read about +# the consequences in https://hstspreload.org/. This option +# will add the domain to a hardcoded list that is shipped +# in all major browsers and getting removed from this list +# could take several months. +#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + +# set max upload size and increase upload timeout: +client_max_body_size 1024M; +client_body_timeout 300s; +fastcgi_buffers 64 4K; + +# Enable gzip but do not remove ETag headers +gzip on; +gzip_vary on; +gzip_comp_level 4; +gzip_min_length 256; +gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; +gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + +# Pagespeed is not supported by Nextcloud, so if your server is built +# with the `ngx_pagespeed` module, uncomment this line to disable it. 
+ +# HTTP response headers borrowed from Nextcloud `.htaccess` +add_header Referrer-Policy "no-referrer" always; +add_header X-Content-Type-Options "nosniff" always; +add_header X-Download-Options "noopen" always; +add_header X-Frame-Options "SAMEORIGIN" always; +add_header X-Permitted-Cross-Domain-Policies "none" always; +add_header X-Robots-Tag "none" always; +add_header X-XSS-Protection "1; mode=block" always; + +# Remove X-Powered-By, which is an information leak +fastcgi_hide_header X-Powered-By; + +# Specify how to handle directories -- specifying `/index.php$request_uri` +# here as the fallback means that Nginx always exhibits the desired behaviour +# when a client requests a path that corresponds to a directory that exists +# on the server. In particular, if that directory contains an index.php file, +# that file is correctly served; if it doesn't, then the request is passed to +# the front-end controller. This consistent behaviour means that we don't need +# to specify custom rules for certain paths (e.g. images and other assets, +# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus +# `try_files $uri $uri/ /index.php$request_uri` +# always provides the desired behaviour. +index index.php index.html /index.php$request_uri; + +# Rule borrowed from `.htaccess` to handle Microsoft DAV clients +location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } +} + +location = /robots.txt { + allow all; + log_not_found off; + access_log off; +} + +# Make a regex exception for `/.well-known` so that clients can still +# access it despite the existence of the regex rule +# `location ~ /(\.|autotest|...)` which would otherwise handle requests +# for `/.well-known`. +location ^~ /.well-known { + # The rules in this block are an adaptation of the rules + # in `.htaccess` that concern `/.well-known`. 
+ + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + + location /.well-known/acme-challenge { try_files $uri $uri/ =404; } + location /.well-known/pki-validation { try_files $uri $uri/ =404; } + + # Let Nextcloud's API for `/.well-known` URIs handle all other + # requests by passing them to the front-end controller. + return 301 /index.php$request_uri; +} + +# Rules borrowed from `.htaccess` to hide certain paths from clients +location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } +location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + +# Ensure this block, which passes PHP files to the PHP process, is above the blocks +# which handle static assets (as seen below). If this block is not declared first, +# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` +# to the URI, resulting in a HTTP 500 error response. +location ~ \.php(?:$|/) { + # Required for legacy support + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + fastcgi_param HTTPS on; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_pass unix:/run/php/php7.4-fpm.sock; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + + fastcgi_max_temp_file_size 0; +} + +location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463, $asset_immutable"; + access_log off; # 
Optional: Don't log access to assets + + location ~ \.wasm$ { + default_type application/wasm; + } +} + +location ~ \.woff2?$ { + try_files $uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets +} + +# Rule borrowed from `.htaccess` +location /remote { + return 301 /remote.php$request_uri; +} + +location / { + try_files $uri $uri/ /index.php$request_uri; +} diff --git a/common/nitter.conf b/common/nitter.conf new file mode 100644 index 0000000..a6d3bf7 --- /dev/null +++ b/common/nitter.conf @@ -0,0 +1,9 @@ +add_header Onion-Location http://nt.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri; + +location / { + proxy_pass http://localhost:5744/; # The / is important! + proxy_http_version 1.1; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto $scheme; +} diff --git a/common/owncast.conf b/common/owncast.conf new file mode 100644 index 0000000..d846a99 --- /dev/null +++ b/common/owncast.conf @@ -0,0 +1,14 @@ +add_header Onion-Location http://live.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri; +root /var/www/owncast; + +location / { + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_pass http://127.0.0.1:5394; +} diff --git a/common/peertube.conf b/common/peertube.conf new file mode 100644 index 0000000..0f6cd6a --- /dev/null +++ b/common/peertube.conf 
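Review bot: The security headers declared at the top of nextcloud.conf (`X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, …) are silently dropped for every response served by `location ~ \.(?:css|js|svg|…)$` and `location ~ \.woff2?$`, because nginx only inherits `add_header` into a location that defines none of its own, and both blocks add `Cache-Control`; SVG, `.map` and `.wasm` assets are therefore served without `nosniff`. The upstream Nextcloud example config repeats the full header set inside the asset location for exactly this reason, and the same should be done here. Two further deviations from upstream are worth fixing: `"public, max-age=15778463, $asset_immutable"` has an extra `, ` before the variable (upstream is `max-age=15778463$asset_immutable`, with a `map` in the http block expanding `$asset_immutable` to `, immutable`), and if that `map` is not defined elsewhere nginx will refuse the configuration outright. `fastcgi_pass unix:/run/php/php7.4-fpm.sock` pins a PHP branch that is past end-of-life as of late 2022, which deserves at least a `# TODO: php7.4 is EOL` until the socket is moved.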
@@ -0,0 +1,52 @@
+add_header Onion-Location http://pt.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+##
+# Application
+##
+
+access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
+error_log /var/log/nginx/peertube.error.log;
+
+location @api {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ client_max_body_size 100k; # default is 1M
+
+ proxy_connect_timeout 10m;
+ proxy_send_timeout 10m;
+ proxy_read_timeout 10m;
+ send_timeout 10m;
+
+ proxy_pass http://ptbackend;
+}
+
+location / {
+ try_files /dev/null @api;
+}
+
+location = /api/v1/videos/upload-resumable {
+ client_max_body_size 0;
+ proxy_request_buffering off;
+
+ try_files /dev/null @api;
+}
+
+location ~ ^/api/v1/videos/(upload|([^/]+/studio/edit))$ {
+ limit_except POST HEAD { deny all; }
+
+ # This is the maximum upload size, which roughly matches the maximum size of a video file.
+ # Note that temporary space is needed equal to the total size of all concurrent uploads.
+ # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
+ # on a dedicated filesystem.
+ client_max_body_size 12G; # default is 1M
+ add_header X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+ try_files /dev/null @api;
+}
+
+location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) {
+ client_max_body_size 6M; # default is 1M
+ add_header X-File-Maximum-Size 4M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+}
diff --git a/common/privatebin.conf b/common/privatebin.conf
new file mode 100644
index 0000000..4bf49e4
--- /dev/null
+++ b/common/privatebin.conf
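Review bot: The final block, `location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me)`, sets a body limit and a header but never hands the request to PeerTube — unlike the two blocks above it there is no `try_files /dev/null @api;` — so every URI it matches (`/api/v1/videos/<id>`, `/api/v1/users/me`, channel and playlist calls) is served from the static root and 404s; a regex location wins over `location /`, so this does not fall through. Add `try_files /dev/null @api;` as the block's last line; the 52-line hunk count confirms the line is genuinely absent rather than cut off. Also note that `add_header X-File-Maximum-Size … always` inside these locations replaces the inherited `Onion-Location` for their responses, which is harmless for API calls but worth a one-line comment so nobody later relies on it there.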
@@ -0,0 +1,15 @@
+add_header Onion-Location http://pb.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+root /var/www/privatebin;
+index index.php index.html index.htm;
+
+location / {
+ try_files $uri $uri/ /index.php;
+}
+
+location ~ \.php$ {
+ fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include /etc/nginx/fastcgi_params;
+}
diff --git a/common/quetre.conf b/common/quetre.conf
new file mode 100644
index 0000000..8b603ac
--- /dev/null
+++ b/common/quetre.conf
@@ -0,0 +1,9 @@
+add_header Onion-Location http://quora.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+location / {
+ proxy_pass http://localhost:2498/; # The / is important!
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
diff --git a/common/rimgo.conf b/common/rimgo.conf
new file mode 100644
index 0000000..a2d5fa8
--- /dev/null
+++ b/common/rimgo.conf
@@ -0,0 +1,12 @@
+add_header Onion-Location http://rimgo.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+access_log off;
+error_log /var/log/nginx/error.log crit;
+
+location / {
+ proxy_pass http://127.0.0.1:3506/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host; # so Invidious knows domain
+ proxy_http_version 1.1; # to keep alive
+ proxy_set_header Connection ""; # to keep alive
+}
diff --git a/common/riot.conf b/common/riot.conf
new file mode 100644
index 0000000..39d5009
--- /dev/null
+++ b/common/riot.conf
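Review bot: `location ~ \.php$` in privatebin.conf passes `$document_root$fastcgi_script_name` to PHP-FPM without checking that the script exists, so with `cgi.fix_pathinfo=1` (PHP's default) a request such as `/some/file.txt/x.php` makes PHP execute `file.txt`; add `try_files $uri =404;` before `fastcgi_pass`, as website.conf in this same commit already does. PrivateBin's deployment notes also expect the web server to refuse direct access to its internal directories, which the shipped `.htaccess` does on Apache but nothing does here; `location ~ ^/(bin|cfg|data|lib|tpl|tst|vendor)/ { deny all; }` keeps `cfg/conf.php` and the `data/` paste store unreachable over HTTP regardless of what PHP does with them. The rimgo hunk on this line repeats invidious.conf's `# so Invidious knows domain`; it should say rimgo.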
@@ -0,0 +1,22 @@
+add_header Onion-Location http://riot.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+root /var/www/matrix;
+index index.html;
+ssi on;
+location / {
+ try_files $uri $uri/ =404;
+}
+
+location = /index.html {
+ add_header Cache-Control "no-cache";
+}
+location = /version {
+ add_header Cache-Control "no-cache";
+}
+# covers config.json and config.hostname.json requests as it is prefix.
+location /config {
+ add_header Cache-Control "no-cache";
+}
+
+# redirect server error pages to the static page /50x.html
+#
+error_page 500 502 503 504 /50x.html;
diff --git a/common/scribe.conf b/common/scribe.conf
new file mode 100644
index 0000000..f0507bb
--- /dev/null
+++ b/common/scribe.conf
@@ -0,0 +1,10 @@
+add_header Onion-Location http://scribe.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+location / {
+ proxy_pass http://127.0.0.1:5467/; # The / is important!
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_cookie_path / "/; Secure; HttpOnly; SameSite=lax";
+}
diff --git a/common/searxng.conf b/common/searxng.conf
new file mode 100644
index 0000000..c7caf26
--- /dev/null
+++ b/common/searxng.conf
@@ -0,0 +1,11 @@
+add_header Onion-Location http://searx.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+location / {
+ proxy_pass http://localhost:8090/;
+ proxy_set_header Host $host;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+}
diff --git a/common/simplytranslate.conf b/common/simplytranslate.conf
new file mode 100644
index 0000000..31876a0
--- /dev/null
+++ b/common/simplytranslate.conf
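Review bot: riot.conf serves the Element web client with no anti-framing header, and Element's own README lists `X-Frame-Options: SAMEORIGIN` (or CSP `frame-ancestors 'self'`) together with `X-Content-Type-Options: nosniff` as the minimum for a deployment, since a framed Element session is a clickjacking path to the account. Add `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header X-Content-Type-Options "nosniff" always;` at file level — and because `location = /index.html`, `location = /version` and `location /config` each add their own `Cache-Control`, every file-level header (including the existing `Onion-Location`) must be repeated inside those three blocks or it is not sent for exactly the pages that matter most. `ssi on` is also unnecessary for a third-party static bundle and widens what any HTML file dropped under `/var/www/matrix` can do; remove it unless something here relies on it, and say what if so.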
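Review bot: The two `add_header` lines inside `location /` in searxng.conf cancel the file-level `add_header Onion-Location …` for every request, because nginx inherits `add_header` only into a location that defines none of its own; the onion advertisement that these common files exist to provide is therefore never sent for SearXNG. Either move `X-Content-Type-Options` and `X-XSS-Protection` up next to `Onion-Location`, or repeat the `Onion-Location` line inside the location, and add `# add_header is not inherited once a location sets its own` so the pattern does not recur. `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` also preserves a client-supplied value; if SearXNG's limiter keys on that header, prefer the overwrite form `$remote_addr` used in invidious.conf.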
@@ -0,0 +1,8 @@
+add_header Onion-Location http://tl.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+location / {
+ proxy_pass http://localhost:2502/; # The / is important!
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
diff --git a/common/speedtest.conf b/common/speedtest.conf
new file mode 100644
index 0000000..e2d5e0b
--- /dev/null
+++ b/common/speedtest.conf
@@ -0,0 +1,3 @@
+add_header Onion-Location http://ls.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+root /var/www/speedtest;
+ssi on;
diff --git a/common/website.conf b/common/website.conf
new file mode 100644
index 0000000..99279f5
--- /dev/null
+++ b/common/website.conf
@@ -0,0 +1,52 @@
+add_header Onion-Location http://vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+root /var/www/website;
+index index.html;
+ssi on;
+
+location / {
+ rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
+ rewrite ^/(.*)/$ /$1 permanent;
+ try_files $uri $uri/index.html $uri.html $uri/ @extensionless-php;
+
+ error_page 403 /errors/403;
+ error_page 404 /errors/404;
+ error_page 503 /errors/503;
+}
+
+location /errors/.* {
+ internal;
+}
+
+location ~ \.php$ {
+ try_files $uri =404;
+ #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+ include fastcgi.conf;
+ fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+ fastcgi_buffers 16 16k;
+ fastcgi_buffer_size 32k;
+}
+
+location @extensionless-php {
+ rewrite ^(.*)$ $1.php last;
+}
+
+location /.well-known/matrix/server {
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '{"m.server": "mtrx.vern.cc:443"}';
+}
+
+location /.well-known/matrix/client {
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '{"m.homeserver": {"base_url": "https://mtrx.vern.cc"}, "m.identity_server": { "base_url": "https://vector.im" }}';
+}
+
+location /media/ {
+ autoindex on;
+}
+
+## users
+location ~ ^/(~|u/)(?[\w-]+)(?/.*)?$ {
+ return 301 $scheme://$user.vern.cc;
+}
diff --git a/common/whoogle.conf b/common/whoogle.conf
new file mode 100644
index 0000000..4abeeec
--- /dev/null
+++ b/common/whoogle.conf
@@ -0,0 +1,12 @@
+add_header Onion-Location http://whoogle.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+access_log off;
+error_log /var/log/nginx/error.log crit;
+
+location / {
+ proxy_pass http://127.0.0.1:6942/;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host; # so Whoogle knows domain
+ proxy_http_version 1.1; # to keep alive
+ proxy_set_header Connection ""; # to keep alive
+}
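Review bot: `location /errors/.* { internal; }` in website.conf is a prefix location, not a regex, so it only matches URIs that literally begin with `/errors/.*`; the `error_page 403 /errors/403` targets are still handled by `location /` and stay directly reachable, and the `internal` guard never applies — write it as `location ~ ^/errors/ { internal; }`. The file-level `ssi on` also reaches `location /media/ { autoindex on; }`: if anything under `/var/www/website/media` can be supplied by users, an HTML file placed there is run through nginx's SSI engine, so either confirm in a comment that `media/` is operator-controlled or add `ssi off;` to that location. As rendered here the user-redirect regex reads `(?[\w-]+)(?/.*)?`, which looks like the named groups (`?<user>` and a second one) were eaten by the page extraction rather than by the commit, but note the second capture is unused and the 301 discards the path; a comment saying the path drop is intentional would help.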
diff --git a/default.apps-available/morty.conf b/default.apps-available/morty.conf
new file mode 100644
index 0000000..07dfd88
--- /dev/null
+++ b/default.apps-available/morty.conf
@@ -0,0 +1,11 @@
+# https://example.org/morty
+
+location /morty {
+ proxy_pass http://127.0.0.1:3000/;
+
+ proxy_set_header Host $host;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+}
diff --git a/default.apps-available/searxng.conf b/default.apps-available/searxng.conf
new file mode 100644
index 0000000..3ddfd33
--- /dev/null
+++ b/default.apps-available/searxng.conf
@@ -0,0 +1,16 @@
+# https://example.org/searx
+
+location /searx {
+ proxy_pass http://127.0.0.1:4004/;
+
+ proxy_set_header Host $host;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Script-Name /;
+}
+
+location /searx/static/ {
+ alias /usr/local/searx/searx-src/searx/static/;
+}
diff --git a/default.d/morty.conf b/default.d/morty.conf
new file mode 120000
index 0000000..893a80b
--- /dev/null
+++ b/default.d/morty.conf
@@ -0,0 +1 @@
+/etc/nginx/default.apps-available/morty.conf
\ No newline at end of file
diff --git a/default.d/searxng.conf b/default.d/searxng.conf
new file mode 120000
index 0000000..3ccb051
--- /dev/null
+++ b/default.d/searxng.conf
@@ -0,0 +1 @@
+/etc/nginx/default.apps-available/searxng.conf
\ No newline at end of file
diff --git a/dhparam.pem b/dhparam.pem
new file mode 100644
index 0000000..3ab97d7
--- /dev/null
+++ b/dhparam.pem
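Review bot: default.apps-available/morty.conf proxies `/morty` on the default (catch-all) server to `http://127.0.0.1:3000/`, the same port common/gitea.conf uses for Gitea; unless morty is really listening there, a request for `<ip-or-unknown-host>/morty…` reaches Gitea outside its intended vhost — without the `Onion-Location` and cookie hardening gitea.conf applies — and because `location /morty` has no trailing slash, `/mortyfoo` is forwarded as `/foo`. Both files are activated by the `default.d/*.conf` symlinks added in this commit, and the companion searxng.conf points `/searx` at port 4004 while common/searxng.conf proxies 8090, which suggests these are installer leftovers; if so, drop the symlinks rather than ship dangling proxies on the default host. If they are intentional, a comment naming the service that actually listens on 3000 and on 4004 would settle the question for the next reader.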
@@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEAuS47EwdD9aegi3le7HT6v6a6TiYAe8l2G0AQTdxNqAqAJF/bM9Qy +q6ZHpvI3hZZ5fLJ2yf7lrCxKKCxHsSSUoKc7+DMHrUZsmXyMHnCK/oGerNicR5MN +pU0d+X4Rub+CgSARazispPDqjdBNLavhEMDIvoDJm2frjq3h0qgdWKI6HKwGzWG6 +DwgSgUhN04xqF1HXpolwv+u9svdj/B9CcAyzEupdAJ5q5ehjKZaV4tid0zAlG8/2 +ecA4XR8VlaYzXKDraQbfZuolOOCwpX47NsG4JwTEYVmE+V5jVa1BgOGxyhxEq9Kr +svIj6WF6wgtMmgMMIdK9RaWSie65hoxtvRCDwxr6HpocO1P5oaIpdNdgKbupEumi +ywDLz5wKCtcJ+JQfPX9LpXS/uiDutZxkFuMzHhq0Rkv2r6eRlc9UL9hJLS9iKp1y +3pzbAY7EUDbOrqLzIjKV6CHSMvCeUCQq5A23mTATK5bQt8d3QDzX/xGFEU4omm47 +xnBql1FX+MX3XGfonBsY6CxML9HLqZXPJZViazdHLj4HOJ4ZTQRazyxsqnizotkA ++Ttqo9w748X2P08jfxFbhkm+4gH8yHWoGfPw7nL/5E3jXVGNaRl5J196RFK5b9el +CeUu/rLig70EWJaLQ692qu/bG7VV87t/z1or83LLpEQTQmWGtz28NvsCAQI= +-----END DH PARAMETERS----- diff --git a/fastcgi.conf b/fastcgi.conf new file mode 100644 index 0000000..bcd102e --- /dev/null +++ b/fastcgi.conf @@ -0,0 +1,26 @@ +fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param REMOTE_USER $remote_user; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; 
diff --git a/fastcgi_params b/fastcgi_params new file mode 100644 index 0000000..8acfabc --- /dev/null +++ b/fastcgi_params @@ -0,0 +1,25 @@ +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; + +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param REQUEST_SCHEME $scheme; +fastcgi_param HTTPS $https if_not_empty; + +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param REMOTE_USER $remote_user; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; + +# PHP only, required if PHP was built with --enable-force-cgi-redirect +fastcgi_param REDIRECT_STATUS 200; diff --git a/include.d/generic_worker.conf b/include.d/generic_worker.conf new file mode 100644 index 0000000..ecc378c --- /dev/null +++ b/include.d/generic_worker.conf 
@@ -0,0 +1,332 @@ +# Generic Worker +# +# note: +# http://localhost:8083 -> matrix-synchrotron-balancer +# generic_worker_lc -> upstream_proxy (least_conn) +# generic_worker_ih -> upstream_proxy (ip_hash) +# + +## Sync requests +location ~ ^/_matrix/client/(r0|v3)/sync$ { + include include.d/synapse-proxy.conf; + proxy_pass http://localhost:8083; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3)/events$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$ { + include include.d/synapse-proxy.conf; + proxy_pass http://localhost:8083; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ { + include include.d/synapse-proxy.conf; + proxy_pass http://localhost:8083; +} + + +## Federation requests +location ~ ^/_matrix/federation/v1/event/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/state/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/state_ids/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/backfill/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/get_missing_events/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/publicRooms { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/query/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/make_join/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/make_leave/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; 
+} + +location ~ ^/_matrix/federation/(v1|v2)/send_join/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/(v1|v2)/send_leave/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/(v1|v2)/invite/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/event_auth/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/exchange_third_party_invite/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/user/devices/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/get_groups_publicised$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/key/v2/query { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/(v1|unstable/org.matrix.msc2946)/hierarchy/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + + +## Inbound federation transaction request +location ~ ^/_matrix/federation/v1/send/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_ih; +} + + +## Client API requests +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ 
^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(v1|unstable/org.matrix.msc2946)/rooms/.*/hierarchy$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(r0|v3|unstable)/account/3pid$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(r0|v3|unstable)/devices$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/versions$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(r0|v3|unstable)/joined_groups$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(r0|v3|unstable)/publicised_groups$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(r0|v3|unstable)/publicised_groups/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ 
^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/search$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + + +## Encryption requests +location ~ ^/_matrix/client/(r0|v3|unstable)/keys/query$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(r0|v3|unstable)/keys/changes$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(r0|v3|unstable)/keys/claim$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(r0|v3|unstable)/room_keys/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + + +## Registration/login requests +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(r0|v3|unstable)/register$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/v1/register/m.login.registration_token/validity$ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + + +# STREAM WRITERS +## Event sending requests +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ { + include 
include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/join/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ { + include include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +## Typing +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing { + include include.d/synapse-proxy.conf; + proxy_pass http://additional; +} + +## Device requests +location ~ ^/_matrix/client/(r0|v3|unstable)/sendToDevice/ { + include include.d/synapse-proxy.conf; + proxy_pass http://additional; +} + +## Account data requests +location ~ ^/_matrix/client/(r0|v3|unstable)/.*/tags { + include include.d/synapse-proxy.conf; + proxy_pass http://additional; +} + +location ~ ^/_matrix/client/(r0|v3|unstable)/.*/account_data { + include include.d/synapse-proxy.conf; + proxy_pass http://additional; +} + +## Receipts requests +location ~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt { + include include.d/synapse-proxy.conf; + proxy_pass http://additional; +} + +location ~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers { + include include.d/synapse-proxy.conf; + proxy_pass http://additional; +} + +## Presence requests +location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/ { + include include.d/synapse-proxy.conf; + proxy_pass http://presence; +} + diff --git a/include.d/synapse-admin.conf b/include.d/synapse-admin.conf new file mode 100644 index 0000000..c5f9ef3 --- /dev/null +++ b/include.d/synapse-admin.conf 
@@ -0,0 +1,21 @@
+location ~ ^/_synapse/admin/v1/users/@(mjolnir|root):vern.cc/admin$ {
+ include include.d/synapse-proxy.conf;
+ proxy_pass http://localhost:8008;
+}
+location ~ ^/_synapse/admin/v1/whois/@(mjolnir|root):vern.cc$ {
+ include include.d/synapse-proxy.conf;
+ proxy_pass http://localhost:8008;
+}
+
+location ~ ^/_synapse/admin/v1/deactivate {
+ include include.d/synapse-proxy.conf;
+ proxy_pass http://localhost:8008;
+}
+
+location ~ ^/_synapse/admin {
+ allow 127.0.0.1;
+ deny all;
+ include include.d/synapse-proxy.conf;
+ proxy_pass http://localhost:8008;
+}
+
diff --git a/include.d/synapse-proxy.conf b/include.d/synapse-proxy.conf
new file mode 100644
index 0000000..9ef5fae
--- /dev/null
+++ b/include.d/synapse-proxy.conf
@@ -0,0 +1,15 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+
+port_in_redirect off;
+proxy_redirect off;
+proxy_connect_timeout 3600;
+proxy_read_timeout 3600;
+proxy_send_timeout 3600;
+
+proxy_buffering off;
+proxy_buffers 8 16k;
+proxy_buffer_size 32k;
+
diff --git a/include.d/upstream_workers.conf b/include.d/upstream_workers.conf
new file mode 100644
index 0000000..0f472fb
--- /dev/null
+++ b/include.d/upstream_workers.conf
@@ -0,0 +1,26 @@
+upstream generic_worker_ih {
+ ip_hash;
+ server localhost:8510;
+ server localhost:8511;
+ server localhost:8512;
+ server localhost:8513;
+}
+
+upstream generic_worker_lc {
+ least_conn;
+ server localhost:8510;
+ server localhost:8511;
+ server localhost:8512;
+ server localhost:8513;
+}
+
+upstream additional {
+ least_conn;
+ server localhost:8514;
+}
+
+upstream presence {
+ least_conn;
+ server localhost:8516;
+}
+
diff --git a/koi-utf b/koi-utf
new file mode 100644
index 0000000..98cd4db
--- /dev/null
+++ b/koi-utf
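Review bot: The three explicit `/_synapse/admin/...` locations at the top of this hunk are matched before the catch-all `^/_synapse/admin` and therefore never see its `allow 127.0.0.1; deny all;`, so those admin endpoints are reachable from any source address and rely on Synapse's own admin-token check alone. If that exposure is intended (for instance for a moderation bot running elsewhere), a comment saying so would stop a later reader from "fixing" it; if not, the same `allow`/`deny` pair belongs in each of the three blocks. Two smaller points: `^/_synapse/admin/v1/deactivate` has no trailing `$`, so it also matches any longer path under it, and the dots in `vern.cc` are unescaped regex metacharacters, so `vern\.cc` is the intended form. `allow 127.0.0.1` also does not cover `::1`, which matters if anything reaches this vhost over the IPv6 loopback.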
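Review bot: `proxy_set_header X-Forwarded-For $remote_addr;` on the third line of the synapse-proxy.conf hunk deliberately discards any client-supplied X-Forwarded-For instead of appending to it the way `proxy_params` in this same commit does, and nothing records that the difference is on purpose. Because a Synapse configured to trust this header derives the client IP from it, a comment such as `# $remote_addr, not $proxy_add_x_forwarded_for: nginx is the edge, never forward a client-sent XFF` would keep the two files from being "harmonised" into the weaker form. The 3600-second connect/read/send timeouts are presumably there for long-poll /sync requests; a one-line comment naming that reason would help the next reader too.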
@@ -0,0 +1,109 @@ + +# This map is not a full koi8-r <> utf8 map: it does not contain +# box-drawing and some other characters. Besides this map contains +# several koi8-u and Byelorussian letters which are not in koi8-r. +# If you need a full and standard map, use contrib/unicode2nginx/koi-utf +# map instead. + +charset_map koi8-r utf-8 { + + 80 E282AC ; # euro + + 95 E280A2 ; # bullet + + 9A C2A0 ; #   + + 9E C2B7 ; # · + + A3 D191 ; # small yo + A4 D194 ; # small Ukrainian ye + + A6 D196 ; # small Ukrainian i + A7 D197 ; # small Ukrainian yi + + AD D291 ; # small Ukrainian soft g + AE D19E ; # small Byelorussian short u + + B0 C2B0 ; # ° + + B3 D081 ; # capital YO + B4 D084 ; # capital Ukrainian YE + + B6 D086 ; # capital Ukrainian I + B7 D087 ; # capital Ukrainian YI + + B9 E28496 ; # numero sign + + BD D290 ; # capital Ukrainian soft G + BE D18E ; # capital Byelorussian short U + + BF C2A9 ; # (C) + + C0 D18E ; # small yu + C1 D0B0 ; # small a + C2 D0B1 ; # small b + C3 D186 ; # small ts + C4 D0B4 ; # small d + C5 D0B5 ; # small ye + C6 D184 ; # small f + C7 D0B3 ; # small g + C8 D185 ; # small kh + C9 D0B8 ; # small i + CA D0B9 ; # small j + CB D0BA ; # small k + CC D0BB ; # small l + CD D0BC ; # small m + CE D0BD ; # small n + CF D0BE ; # small o + + D0 D0BF ; # small p + D1 D18F ; # small ya + D2 D180 ; # small r + D3 D181 ; # small s + D4 D182 ; # small t + D5 D183 ; # small u + D6 D0B6 ; # small zh + D7 D0B2 ; # small v + D8 D18C ; # small soft sign + D9 D18B ; # small y + DA D0B7 ; # small z + DB D188 ; # small sh + DC D18D ; # small e + DD D189 ; # small shch + DE D187 ; # small ch + DF D18A ; # small hard sign + + E0 D0AE ; # capital YU + E1 D090 ; # capital A + E2 D091 ; # capital B + E3 D0A6 ; # capital TS + E4 D094 ; # capital D + E5 D095 ; # capital YE + E6 D0A4 ; # capital F + E7 D093 ; # capital G + E8 D0A5 ; # capital KH + E9 D098 ; # capital I + EA D099 ; # capital J + EB D09A ; # capital K + EC D09B ; # capital L + ED D09C ; # capital M + EE 
D09D ; # capital N + EF D09E ; # capital O + + F0 D09F ; # capital P + F1 D0AF ; # capital YA + F2 D0A0 ; # capital R + F3 D0A1 ; # capital S + F4 D0A2 ; # capital T + F5 D0A3 ; # capital U + F6 D096 ; # capital ZH + F7 D092 ; # capital V + F8 D0AC ; # capital soft sign + F9 D0AB ; # capital Y + FA D097 ; # capital Z + FB D0A8 ; # capital SH + FC D0AD ; # capital E + FD D0A9 ; # capital SHCH + FE D0A7 ; # capital CH + FF D0AA ; # capital hard sign +} diff --git a/koi-win b/koi-win new file mode 100644 index 0000000..e3de1f7 --- /dev/null +++ b/koi-win 
@@ -0,0 +1,103 @@ + +charset_map koi8-r windows-1251 { + + 80 88 ; # euro + + 95 95 ; # bullet + + 9A A0 ; #   + + 9E B7 ; # · + + A3 B8 ; # small yo + A4 BA ; # small Ukrainian ye + + A6 B3 ; # small Ukrainian i + A7 BF ; # small Ukrainian yi + + AD B4 ; # small Ukrainian soft g + AE A2 ; # small Byelorussian short u + + B0 B0 ; # ° + + B3 A8 ; # capital YO + B4 AA ; # capital Ukrainian YE + + B6 B2 ; # capital Ukrainian I + B7 AF ; # capital Ukrainian YI + + B9 B9 ; # numero sign + + BD A5 ; # capital Ukrainian soft G + BE A1 ; # capital Byelorussian short U + + BF A9 ; # (C) + + C0 FE ; # small yu + C1 E0 ; # small a + C2 E1 ; # small b + C3 F6 ; # small ts + C4 E4 ; # small d + C5 E5 ; # small ye + C6 F4 ; # small f + C7 E3 ; # small g + C8 F5 ; # small kh + C9 E8 ; # small i + CA E9 ; # small j + CB EA ; # small k + CC EB ; # small l + CD EC ; # small m + CE ED ; # small n + CF EE ; # small o + + D0 EF ; # small p + D1 FF ; # small ya + D2 F0 ; # small r + D3 F1 ; # small s + D4 F2 ; # small t + D5 F3 ; # small u + D6 E6 ; # small zh + D7 E2 ; # small v + D8 FC ; # small soft sign + D9 FB ; # small y + DA E7 ; # small z + DB F8 ; # small sh + DC FD ; # small e + DD F9 ; # small shch + DE F7 ; # small ch + DF FA ; # small hard sign + + E0 DE ; # capital YU + E1 C0 ; # capital A + E2 C1 ; # capital B + E3 D6 ; # capital TS + E4 C4 ; # capital D + E5 C5 ; # capital YE + E6 D4 ; # capital F + E7 C3 ; # capital G + E8 D5 ; # capital KH + E9 C8 ; # capital I + EA C9 ; # capital J + EB CA ; # capital K + EC CB ; # capital L + ED CC ; # capital M + EE CD ; # capital N + EF CE ; # capital O + + F0 CF ; # capital P + F1 DF ; # capital YA + F2 D0 ; # capital R + F3 D1 ; # capital S + F4 D2 ; # capital T + F5 D3 ; # capital U + F6 C6 ; # capital ZH + F7 C2 ; # capital V + F8 DC ; # capital soft sign + F9 DB ; # capital Y + FA C7 ; # capital Z + FB D8 ; # capital SH + FC DD ; # capital E + FD D9 ; # capital SHCH + FE D7 ; # capital CH + FF DA ; # capital hard sign +} 
diff --git a/mime.types b/mime.types new file mode 100644 index 0000000..ff75d32 --- /dev/null +++ b/mime.types 
@@ -0,0 +1,89 @@ + +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + image/svg+xml svg svgz; + image/webp webp; + + application/font-woff woff; + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.wap.wmlc wmlc; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + 
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/modules-enabled/50-mod-http-auth-pam.conf b/modules-enabled/50-mod-http-auth-pam.conf new file mode 120000 index 0000000..2c9098d --- /dev/null +++ b/modules-enabled/50-mod-http-auth-pam.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-auth-pam.conf \ No newline at end of file diff --git a/modules-enabled/50-mod-http-dav-ext.conf b/modules-enabled/50-mod-http-dav-ext.conf new file mode 120000 index 0000000..4bcd08d --- /dev/null +++ b/modules-enabled/50-mod-http-dav-ext.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-dav-ext.conf \ No newline at end of file diff --git a/modules-enabled/50-mod-http-echo.conf b/modules-enabled/50-mod-http-echo.conf new file mode 120000 index 0000000..2ca55aa --- /dev/null +++ b/modules-enabled/50-mod-http-echo.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-echo.conf \ No newline at end of file diff --git a/modules-enabled/50-mod-http-geoip.conf b/modules-enabled/50-mod-http-geoip.conf new file mode 120000 index 0000000..390fab2 --- /dev/null +++ b/modules-enabled/50-mod-http-geoip.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-geoip.conf \ No newline at end of file diff --git a/modules-enabled/50-mod-http-geoip2.conf b/modules-enabled/50-mod-http-geoip2.conf new file mode 120000 index 0000000..e2655c3 --- /dev/null +++ b/modules-enabled/50-mod-http-geoip2.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-geoip2.conf \ No newline at end of file 
diff --git a/modules-enabled/50-mod-http-image-filter.conf b/modules-enabled/50-mod-http-image-filter.conf new file mode 120000 index 0000000..fa27cd3 --- /dev/null +++ b/modules-enabled/50-mod-http-image-filter.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-image-filter.conf \ No newline at end of file diff --git a/modules-enabled/50-mod-http-subs-filter.conf b/modules-enabled/50-mod-http-subs-filter.conf new file mode 120000 index 0000000..60fc893 --- /dev/null +++ b/modules-enabled/50-mod-http-subs-filter.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-subs-filter.conf \ No newline at end of file diff --git a/modules-enabled/50-mod-http-upstream-fair.conf b/modules-enabled/50-mod-http-upstream-fair.conf new file mode 120000 index 0000000..2dc0c72 --- /dev/null +++ b/modules-enabled/50-mod-http-upstream-fair.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-upstream-fair.conf \ No newline at end of file diff --git a/modules-enabled/50-mod-http-xslt-filter.conf b/modules-enabled/50-mod-http-xslt-filter.conf new file mode 120000 index 0000000..51d7ca7 --- /dev/null +++ b/modules-enabled/50-mod-http-xslt-filter.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-http-xslt-filter.conf \ No newline at end of file diff --git a/modules-enabled/50-mod-mail.conf b/modules-enabled/50-mod-mail.conf new file mode 120000 index 0000000..baa6ea9 --- /dev/null +++ b/modules-enabled/50-mod-mail.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-mail.conf \ No newline at end of file diff --git a/modules-enabled/50-mod-stream.conf b/modules-enabled/50-mod-stream.conf new file mode 120000 index 0000000..7f65cc5 --- /dev/null +++ b/modules-enabled/50-mod-stream.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-stream.conf \ No newline at end of file diff --git a/modules-enabled/70-mod-stream-geoip.conf b/modules-enabled/70-mod-stream-geoip.conf new file mode 120000 index 0000000..4acbe4f --- /dev/null 
+++ b/modules-enabled/70-mod-stream-geoip.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-stream-geoip.conf \ No newline at end of file diff --git a/modules-enabled/70-mod-stream-geoip2.conf b/modules-enabled/70-mod-stream-geoip2.conf new file mode 120000 index 0000000..612a5e1 --- /dev/null +++ b/modules-enabled/70-mod-stream-geoip2.conf @@ -0,0 +1 @@ +/usr/share/nginx/modules-available/mod-stream-geoip2.conf \ No newline at end of file diff --git a/nginx.conf b/nginx.conf new file mode 100644 index 0000000..a03735a --- /dev/null +++ b/nginx.conf 
@@ -0,0 +1,82 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ server_names_hash_bucket_size 128;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log off;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
diff --git a/proxy_params b/proxy_params
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/proxy_params
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/scgi_params b/scgi_params
new file mode 100644
index 0000000..6d4ce4f
--- /dev/null
+++ b/scgi_params
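Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in the http block enables the deprecated TLS 1.0 and 1.1 (RFC 8996) for every vhost that does not override it, while the comment beside it only talks about dropping SSLv3. Unless a client that still needs them is known, `ssl_protocols TLSv1.2 TLSv1.3;` is the expected default; cryptpad.conf in this same commit already sets exactly that, so the global setting is the odd one out. `# server_tokens off;` is still commented out, so error pages and the Server header advertise the exact nginx version; `server_tokens off;` is a one-word hardening. Whether the per-site snippets override the protocol list cannot be checked here, since snippets/lets-encrypt.conf is not part of the diff.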
@@ -0,0 +1,17 @@
+
+scgi_param REQUEST_METHOD $request_method;
+scgi_param REQUEST_URI $request_uri;
+scgi_param QUERY_STRING $query_string;
+scgi_param CONTENT_TYPE $content_type;
+
+scgi_param DOCUMENT_URI $document_uri;
+scgi_param DOCUMENT_ROOT $document_root;
+scgi_param SCGI 1;
+scgi_param SERVER_PROTOCOL $server_protocol;
+scgi_param REQUEST_SCHEME $scheme;
+scgi_param HTTPS $https if_not_empty;
+
+scgi_param REMOTE_ADDR $remote_addr;
+scgi_param REMOTE_PORT $remote_port;
+scgi_param SERVER_PORT $server_port;
+scgi_param SERVER_NAME $server_name;
diff --git a/sites-available/aryak.ml.conf b/sites-available/aryak.ml.conf
new file mode 100644
index 0000000..f97c655
--- /dev/null
+++ b/sites-available/aryak.ml.conf
@@ -0,0 +1,30 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ listen 8448 ssl http2;
+ listen [::]:8448 ssl http2;
+ server_name matrix.aryak.ml;
+ merge_slashes off;
+
+ location /_matrix/ {
+ proxy_pass http://10.7.0.4:6167$request_uri;
+ proxy_set_header Host $http_host;
+ proxy_buffering off;
+ }
+ssl_certificate /etc/letsencrypt/live/matrix.aryak.ml/fullchain.pem; # EDIT THIS
+ssl_certificate_key /etc/letsencrypt/live/matrix.aryak.ml/privkey.pem; # EDIT THIS
+
+
+ location /.well-known/matrix/server {
+ add_header Access-Control-Allow-Origin '*' always;
+ add_header Content-Type application/json;
+ return 200 '{"m.server": "matrix.aryak.ml:443"}';
+ }
+
+ location /.well-known/matrix/client {
+ add_header Access-Control-Allow-Origin '*' always;
+ add_header Content-Type application/json;
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.aryak.ml"}}';
+ }
+}
+
diff --git a/sites-available/autoconfig.vern.cc.conf b/sites-available/autoconfig.vern.cc.conf
new file mode 100644
index 0000000..64c8693
--- /dev/null
+++ b/sites-available/autoconfig.vern.cc.conf
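Review bot: The `ssl_certificate`/`ssl_certificate_key` lines in the middle of the aryak.ml server block are unindented and still carry the template's `# EDIT THIS` markers although the paths are already filled in, and this vhost, unlike the others in the commit, neither includes `snippets/lets-encrypt.conf` nor sets `ssl_protocols`/`ssl_ciphers` itself, so it inherits the http-level defaults from nginx.conf, which there include TLSv1 and TLSv1.1. Moving the two lines next to the `listen` directives and either including the shared snippet or adding `ssl_protocols TLSv1.2 TLSv1.3;` would bring it in line with the other vhosts. `proxy_pass http://10.7.0.4:6167$request_uri;` together with `merge_slashes off` forwards the raw, un-normalised request URI, which is presumably what the upstream homeserver requires; a short comment saying so would keep someone from dropping `$request_uri` later.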
@@ -0,0 +1,19 @@
+# This file was automatically installed on 2022-06-06T12:55:58.280671
+upstream automx {
+ server unix:/run/uwsgi/app/automx_instance/socket fail_timeout=0;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name autoconfig.vern.cc;
+ root /srv/automx/instance;
+
+ access_log /var/log/nginx/autoconfig.vern.cc-access.log;
+ error_log /var/log/nginx/autoconfig.vern.cc-error.log;
+
+ location /mail/config-v1.1.xml {
+ include uwsgi_params;
+ uwsgi_pass automx;
+ }
+}
diff --git a/sites-available/cryptpad.conf b/sites-available/cryptpad.conf
new file mode 100644
index 0000000..fdec82a
--- /dev/null
+++ b/sites-available/cryptpad.conf
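Review bot: `root /srv/automx/instance;` is set at server level but only `/mail/config-v1.1.xml` is routed to uwsgi, so every other path on this vhost is served as a static file straight out of the automx instance directory, and whatever files live there become downloadable by name. If nothing else is meant to be served, a `location / { return 404; }` beside the uwsgi location, or simply removing `root`, closes that. The vhost is HTTP-only, which is what mail-client autoconfiguration lookups expect, but that reasoning deserves a one-line comment above `listen 80;` so it is not "fixed" into an HTTPS redirect later.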
@@ -0,0 +1,240 @@
+# This file is included strictly as an example of how Nginx can be configured
+# to work with CryptPad. This example WILL NOT WORK AS IS. For best results,
+# compare the sections of this configuration file against a working CryptPad
+# installation (http server by the Nodejs process). If you are using CryptPad
+# in production and require professional support please contact sales@cryptpad.fr
+
+server {
+ listen 443 ssl http2;
+
+ # CryptPad serves static assets over these two domains.
+ # `main_domain` is what users will enter in their address bar.
+ # Privileged computation such as key management is handled in this scope
+ # UI content is loaded via the `sandbox_domain`.
+ # "Content Security Policy" headers prevent content loaded via the sandbox
+ # from accessing privileged information.
+ # These variables must be different to take advantage of CryptPad's sandboxing techniques.
+ # In the event of an XSS vulnerability in CryptPad's front-end code
+ # this will limit the amount of information accessible to attackers.
+ set $main_domain "pad.vern.cc";
+ set $sandbox_domain "crypt-sandbox.vern.cc";
+
+ # By default CryptPad allows remote domains to embed CryptPad documents in iframes.
+ # This behaviour can be blocked by changing $allowed_origins from "*" to the
+ # sandbox domain, which must be permitted to load content from the main domain
+ # in order for CryptPad to work as expected.
+ #
+ # An example is given below which can be uncommented if you want to block
+ # remote sites from including content from your server
+ set $allowed_origins "*";
+ # set $allowed_origins "https://${sandbox_domain}";
+
+ # CryptPad's dynamic content (websocket traffic and encrypted blobs)
+ # can be served over separate domains. Using dedicated domains (or subdomains)
+ # for these purposes allows you to move them to a separate machine at a later date
+ # if you find that a single machine cannot handle all of your users.
+ # If you don't use dedicated domains, this can be the same as $main_domain + # If you do, they can be added as exceptions to any rules which block connections to remote domains. + # You can find these variables referenced below in the relevant places + set $api_domain "pad.vern.cc"; + set $files_domain "pad.vern.cc"; + + # nginx doesn't let you set server_name via variables, so you need to hardcode your domains here + server_name pad.vern.cc crypt-sandbox.vern.cc; + + # You'll need to Set the path to your certificates and keys here + # IMPORTANT: this config is intended to serve assets for at least two domains + # (your main domain and your sandbox domain). As such, you'll need to generate a single SSL certificate + # that includes both domains in order for things to work as expected. + include snippets/lets-encrypt.conf; + # Speeds things up a little bit when resuming a session + ssl_session_timeout 5m; + ssl_session_cache shared:SSL:5m; + + # You'll need nginx 1.13.0 or better to support TLSv1.3 + ssl_protocols TLSv1.2 TLSv1.3; + + # https://cipherli.st/ + ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + add_header Access-Control-Allow-Origin "${allowed_origins}"; + # add_header X-Frame-Options "SAMEORIGIN"; + + # Opt out of Google's FLoC Network + add_header Permissions-Policy interest-cohort=(); + + # Enable SharedArrayBuffer in Firefox (for .xlsx export) + add_header Cross-Origin-Resource-Policy cross-origin; + add_header Cross-Origin-Embedder-Policy require-corp; + + # Insert the path to your CryptPad repository root here + root /home/cryptpad/cryptpad; + index index.html; + error_page 404 /customize.dist/404.html; + + # any static assets loaded with "ver=" in their URL will be cached for a year + if ($args ~ ver=) { + set $cacheControl 
max-age=31536000; + } + if ($uri ~ ^/.*(\/|\.html)$) { + set $cacheControl no-cache; + } + # Will not set any header if it is emptystring + add_header Cache-Control $cacheControl; + + # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain + set $styleSrc "'unsafe-inline' 'self' https://${main_domain}"; + + # connect-src restricts URLs which can be loaded using script interfaces + # if you have configured your instance to use a dedicated $files_domain or $api_domain + # you will need to add them below as: https://${files_domain} and https://${api_domain} + set $connectSrc "'self' https://${main_domain} blob: wss://${api_domain} https://${sandbox_domain}"; + + # fonts can be loaded from data-URLs or the main domain + set $fontSrc "'self' data: https://${main_domain}"; + + # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking + set $imgSrc "'self' data: blob: https://${main_domain}"; + + # frame-src specifies valid sources for nested browsing contexts. + # this prevents loading any iframes from anywhere other than the sandbox domain + set $frameSrc "'self' https://${sandbox_domain} blob:"; + + # specifies valid sources for loading media using video or audio + set $mediaSrc "blob:"; + + # defines valid sources for webworkers and nested browser contexts + # deprecated in favour of worker-src and frame-src + set $childSrc "https://${main_domain}"; + + # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. + # supercedes child-src but is unfortunately not yet universally supported. 
+ set $workerSrc "'self'";
+
+ # script-src specifies valid sources for javascript, including inline handlers
+ set $scriptSrc "'self' resource: https://${main_domain}";
+
+ # frame-ancestors specifies which origins can embed your CryptPad instance
+ # this must include 'self' and your main domain (over HTTPS) in order for CryptPad to work
+ # if you have enabled remote embedding via the admin panel then this must be more permissive.
+ # note: cryptpad.fr permits web pages served via https: and vector: (element desktop app)
+ #set $frameAncestors "'self' https://${main_domain}";
+ set $frameAncestors "'self' https: vector:";
+
+ set $unsafe 0;
+ # the following assets are loaded via the sandbox domain
+ # they unfortunately still require exceptions to the sandboxing to work correctly.
+ if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
+ if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
+
+ # everything except the sandbox domain is a privileged scope, as they might be used to handle keys
+ if ($host != $sandbox_domain) { set $unsafe 0; }
+ # this iframe is an exception. Office file formats are converted outside of the sandboxed scope
+ # because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable
+ # the use of some modern APIs that we require when javascript is run in a cross-origin context.
+ # We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
+ if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
+
+ # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
+ if ($unsafe) {
+ set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
+ }
+
+ # Finally, set all the rules you composed above.
+ add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
+
+ # The nodejs process can handle all traffic whether accessed over websocket or as static assets
+ # We prefer to serve static content from nginx directly and to leave the API server to handle
+ # the dynamic content that only it can manage. This is primarily an optimization
+ location ^~ /cryptpad_websocket {
+ proxy_pass http://localhost:3475;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # WebSocket support (nginx 1.4)
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection upgrade;
+ }
+
+ location ^~ /customize.dist/ {
+ # This is needed in order to prevent infinite recursion between /customize/ and the root
+ }
+ # try to load customizeable content via /customize/ and fall back to the default content
+ # located at /customize.dist/
+ # This is what allows you to override behaviour.
+ location ^~ /customize/ {
+ rewrite ^/customize/(.*)$ $1 break;
+ try_files /customize/$uri /customize.dist/$uri;
+ }
+
+ # /api/config is loaded once per page load and is used to retrieve
+ # the caching variable which is applied to every other resource
+ # which is loaded during that session.
+ location ~ ^/api/.*$ {
+ proxy_pass http://localhost:3475;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # These settings prevent both NGINX and the API server
+ # from setting the same headers and creating duplicates
+ proxy_hide_header Cross-Origin-Resource-Policy;
+ add_header Cross-Origin-Resource-Policy cross-origin;
+ proxy_hide_header Cross-Origin-Embedder-Policy;
+ add_header Cross-Origin-Embedder-Policy require-corp;
+ }
+
+ # encrypted blobs are immutable and are thus cached for a year
+ location ^~ /blob/ {
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'application/octet-stream; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ add_header X-Content-Type-Options nosniff;
+ add_header Cache-Control max-age=31536000;
+ add_header 'Access-Control-Allow-Origin' "${allowed_origins}";
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
+ add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length';
+ try_files $uri =404;
+ }
+
+ # the "block-store" serves encrypted payloads containing users' drive keys
+ # these payloads are unlocked via login credentials. They are mutable
+ # and are thus never cached. They're small enough that it doesn't matter, in any case.
+ location ^~ /block/ {
+ add_header X-Content-Type-Options nosniff;
+ add_header Cache-Control max-age=0;
+ try_files $uri =404;
+ }
+
+ # This block provides an alternative means of loading content
+ # otherwise only served via websocket. This is solely for debugging purposes,
+ # and is thus not allowed by default.
+ #location ^~ /datastore/ {
+ #add_header Cache-Control max-age=0;
+ #try_files $uri =404;
+ #}
+
+ # The nodejs server has some built-in forwarding rules to prevent
+ # URLs like /pad from resulting in a 404. This simply adds a trailing slash
+ # to a variety of applications.
+ location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
+ rewrite ^(.*)$ $1/ redirect;
+ }
+
+ # Finally, serve anything the above exceptions don't govern.
+ try_files /www/$uri /www/$uri/index.html /customize/$uri;
+}
+
diff --git a/sites-available/gitea.conf b/sites-available/gitea.conf
new file mode 100644
index 0000000..55a3369
--- /dev/null
+++ b/sites-available/gitea.conf
@@ -0,0 +1,24 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name git.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccz7eh2z3adn74wbnyv62xsjqnifc62kdmfnqhbsg4i2gy4q.b32.i2p;
+
+ include common/gitea.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name git.vern.cc;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/gitea.conf;
+}
+server {
+ listen 80;
+ listen [::]:80;
+ server_name git.vern.cc;
+ return 301 https://$host$request_uri;
+}
diff --git a/sites-available/invidious.conf b/sites-available/invidious.conf
new file mode 100644
index 0000000..6b7faa3
--- /dev/null
+++ b/sites-available/invidious.conf
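Review bot: The `/api/`, `/blob/` and `/block/` locations in cryptpad.conf each carry their own `add_header` directives, and in nginx an `add_header` at location level replaces, rather than extends, the set inherited from the server block, so responses from those three locations are sent without the server-level Strict-Transport-Security, Content-Security-Policy and Permissions-Policy headers. That matches the stock CryptPad example this file was derived from, but it is worth either repeating the headers that matter inside those locations (an `include` of a shared header snippet keeps that tidy) or adding a comment above `location ~ ^/api/.*$` stating that the loss is accepted for API and blob responses. `add_header X-XSS-Protection "1; mode=block";` near the top is an obsolete header that current browsers ignore and can be dropped. The server block opens at the start of this hunk and closes within it.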
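Review bot: The plain-HTTP server for the .onion and .b32.i2p names in gitea.conf includes `common/gitea.conf` but not `snippets/headers.conf`, so whatever response headers that snippet adds are sent only on the clearnet `git.vern.cc` vhost; the snippet itself is outside this diff, so whether its contents are HTTPS-specific cannot be checked here. If the headers are not tied to TLS, `include snippets/headers.conf;` belongs in the first server block as well, and a comment either way would record the decision. The same asymmetry appears in sites-available/invidious.conf.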
@@ -0,0 +1,27 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name inv.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion invidious.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion yt.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccdzixves4eekynqgfhb7fjbldgtocepf7cq3c3327ttb7zq.b32.i2p;
+
+ include common/invidious.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name inv.vern.cc invidious.vern.cc yt.vern.cc;
+
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/invidious.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name inv.vern.cc invidious.vern.cc yt.vern.cc;
+}
diff --git a/sites-available/jitsi.conf b/sites-available/jitsi.conf
new file mode 100644
index 0000000..ac0a64d
--- /dev/null
+++ b/sites-available/jitsi.conf
@@ -0,0 +1,147 @@
+#server_names_hash_bucket_size 64;
+
+types {
+# nginx's default mime.types doesn't include a mapping for wasm
+ application/wasm wasm;
+}
+upstream prosody {
+ zone upstreams 64K;
+ server 127.0.0.1:5280;
+ keepalive 2;
+}
+upstream jvb1 {
+ zone upstreams 64K;
+ server 127.0.0.1:9090;
+ keepalive 2;
+}
+server {
+ listen 80;
+ listen [::]:80;
+ server_name jitsi.vern.cc;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name jitsi.vern.cc;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ set $prefix "";
+
+ include snippets/lets-encrypt.conf;
+ root /usr/share/jitsi-meet;
+
+ # ssi on with javascript for multidomain variables in config.js
+ ssi on;
+ ssi_types application/x-javascript application/javascript;
+
+ index index.html index.htm;
+ error_page 404 /static/404.html;
+
+ gzip on;
+ gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
+ gzip_vary on;
+ gzip_proxied no-cache no-store private expired auth;
+ gzip_min_length 512;
+
+ location = /config.js {
+ alias /etc/jitsi/meet/jitsi.vern.cc-config.js;
+ }
+
+ location = /external_api.js {
+ alias /usr/share/jitsi-meet/libs/external_api.min.js;
+ }
+
+ # ensure all static content can always be found first
+ location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
+ {
+ add_header 'Access-Control-Allow-Origin' '*';
+ alias /usr/share/jitsi-meet/$1/$2;
+
+ # cache all versioned files
+ if ($arg_v) {
+ expires 1y;
+ }
+ }
+
+ # BOSH
+ location = /http-bind {
+ proxy_pass http://prosody/http-bind?prefix=$prefix&$args;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $http_host;
+ proxy_set_header Connection "";
+ }
+
+ # xmpp websockets
+ location = /xmpp-websocket {
+ proxy_pass http://prosody/xmpp-websocket?prefix=$prefix&$args;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ tcp_nodelay on;
+ }
+
+ # colibri (JVB) websockets for jvb1
+ location ~ ^/colibri-ws/default-id/(.*) {
+ proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ tcp_nodelay on;
+ }
+
+ # load test minimal client, uncomment when used
+ #location ~ ^/_load-test/([^/?&:'"]+)$ {
+ # rewrite ^/_load-test/(.*)$ /load-test/index.html break;
+ #}
+ #location ~ ^/_load-test/libs/(.*)$ {
+ # add_header 'Access-Control-Allow-Origin' '*';
+ # alias /usr/share/jitsi-meet/load-test/libs/$1;
+ #}
+
+ location ~ ^/([^/?&:'"]+)$ {
+ try_files $uri @root_path;
+ }
+
+ location @root_path {
+ rewrite ^/(.*)$ / break;
+ }
+
+ location ~ ^/([^/?&:'"]+)/config.js$
+ {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+
+ alias /etc/jitsi/meet/jitsi.vern.cc-config.js;
+ }
+
+ # BOSH for subdomains
+ location ~ ^/([^/?&:'"]+)/http-bind {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+ set $prefix "$1";
+
+ rewrite ^/(.*)$ /http-bind;
+ }
+
+ # websockets for subdomains
+ location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+ set $prefix "$1";
+
+ rewrite ^/(.*)$ /xmpp-websocket;
+ }
+
+ # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+ location ~ ^/([^/?&:'"]+)/(.*)$ {
+ set $subdomain "$1.";
+ set $subdir "$1/";
+ rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+ }
+}
diff --git a/sites-available/ldap.conf b/sites-available/ldap.conf
new file mode 100644
index 0000000..224ab76
--- /dev/null
+++ b/sites-available/ldap.conf
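Review bot: The server-level `add_header Strict-Transport-Security "max-age=63072000" always;` is not emitted for responses from the static-content location, because that location has its own `add_header 'Access-Control-Allow-Origin' '*';` and nginx only inherits add_header directives into a level that defines none of its own. Repeat the Strict-Transport-Security line inside that location (and inside any other location that gains an add_header later), or move the header into a snippet included at both levels. The same inheritance rule applies to `snippets/headers.conf` in the other vhosts wherever a location block adds headers of its own.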
@@ -0,0 +1,18 @@
+server {
+listen 443 ssl http2;
+server_name ldapadmin.vern.cc;
+include snippets/lets-encrypt.conf;
+# document root
+root /usr/share/phpldapadmin/htdocs;
+index index.php index.html index.htm;
+
+location / {
+ try_files $uri $uri/ /index.php;
+}
+location ~ \.php$ {
+ fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include /etc/nginx/fastcgi_params;
+}
+}
diff --git a/sites-available/librarian.conf b/sites-available/librarian.conf
new file mode 100644
index 0000000..1a8b5fb
--- /dev/null
+++ b/sites-available/librarian.conf
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name lbry.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion librarian.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name verncca2sx2o6g6cxxfjjvllak454aaanqjs42ofa6m4bil6hbva.b32.i2p;
+
+ include common/librarian.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name lbry.vern.cc librarian.vern.cc;
+ include common/librarian.conf;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name lbry.vern.cc librarian.vern.cc;
+}
diff --git a/sites-available/libreddit.conf b/sites-available/libreddit.conf
new file mode 100644
index 0000000..6d33004
--- /dev/null
+++ b/sites-available/libreddit.conf
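Review bot: The `location ~ \.php$` block in ldap.conf hands every URI ending in `.php` to php-fpm without first checking that the script exists on disk; add `try_files $uri =404;` as the first line of that location so nginx rejects non-existent scripts itself instead of letting the interpreter resolve them. This server also listens only on IPv4 443 and has neither a port-80 redirect nor `include snippets/headers.conf;`, unlike the other clearnet vhosts in the commit. For an LDAP administration panel, an `allow`/`deny` list or HTTP auth on the PHP location would be the usual extra restriction, if one is not already applied via `snippets/lets-encrypt.conf` (not visible here).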
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name lr.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion libreddit.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion reddit.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccglp4wuobxu7ndh2dbpnczjhjnggh3hmuf2t32qd3lac5oa.b32.i2p;
+
+ include common/libreddit.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ include snippets/lets-encrypt.conf;
+ server_name lr.vern.cc reddit.vern.cc libreddit.vern.cc;
+ include snippets/headers.conf;
+ include common/libreddit.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name libreddit.vern.cc lr.vern.cc reddit.vern.cc;
+}
diff --git a/sites-available/libretranslate.conf b/sites-available/libretranslate.conf
new file mode 100644
index 0000000..3cedf93
--- /dev/null
+++ b/sites-available/libretranslate.conf
@@ -0,0 +1,24 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name lt.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion libretranslate.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccoqc6q5wa6p3h55arp3gllizhuwa5d3nomudbkpzn46pgda.b32.i2p;
+
+ include common/libretranslate.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ include snippets/lets-encrypt.conf;
+ server_name lt.vern.cc libretranslate.vern.cc;
+ include snippets/headers.conf;
+ include common/libretranslate.conf;
+}
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name lt.vern.cc libretranslate.vern.cc;
+}
diff --git a/sites-available/mail.vern.cc.conf b/sites-available/mail.vern.cc.conf
new file mode 100644
index 0000000..197a9d4
--- /dev/null
+++ b/sites-available/mail.vern.cc.conf
@@ -0,0 +1,24 @@
+# This file was automatically installed on 2022-06-06T12:55:58.295391
+upstream modoboa {
+ server unix:/run/uwsgi/app/modoboa_instance/socket fail_timeout=0;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name mail.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccapspxuupmhjbsizhynlvqbs76ci447ez5uz27bazy3q5wq.b32.i2p;
+
+# rewrite ^ https://$server_name$request_uri permanent;
+ include common/mail.conf;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name mail.vern.cc;
+
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/mail.conf;
+}
diff --git a/sites-available/mastodon.conf b/sites-available/mastodon.conf
new file mode 100644
index 0000000..a88bd62
--- /dev/null
+++ b/sites-available/mastodon.conf
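Review bot: There is no port-80 `server` for `mail.vern.cc` that redirects to HTTPS, unlike every other clearnet host in this commit, so a plain `http://mail.vern.cc` request is answered by whichever vhost is nginx's default on port 80 rather than by a 301. The commented-out `# rewrite ^ https://$server_name$request_uri permanent;` inside the onion server is not a substitute, since that server only matches the .onion and .b32.i2p names. Add the same three-line redirect server the other files use (`listen 80; listen [::]:80; server_name mail.vern.cc; return 301 https://$host$request_uri;`), or leave a comment explaining why it is omitted.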
@@ -0,0 +1,52 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream backend {
+ server 127.0.0.1:3999 fail_timeout=0;
+}
+
+upstream streaming {
+ server 127.0.0.1:4000 fail_timeout=0;
+}
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name fedi.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion mastodon.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccxro6qjs2fmwp2as5eavlnz6uzsxqqnhk3skkhpszp73ubq.b32.i2p;
+
+ include common/mastodon.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name fedi.vern.cc mastodon.vern.cc;
+
+ if ($https = '') { return 301 https://$host$request_uri; } # if not connected to HTTPS, perma-redirect to HTTPS
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+
+ include common/mastodon.conf;
+}
+server {
+ listen 443 ssl http2;
+ server_name bloat.vern.cc;
+ if ($https = '') { return 301 https://$host$request_uri; } # if not connected to HTTPS, perma-redirect to HTTPS
+ include snippets/lets-encrypt.conf;
+
+location / {
+ client_max_body_size 100m;
+ proxy_pass http://localhost:5041/; # The / is important!
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_cookie_path / "/; Secure; HttpOnly; SameSite=lax";
+}
+}
diff --git a/sites-available/matrix.conf b/sites-available/matrix.conf
new file mode 100644
index 0000000..b9f9e94
--- /dev/null
+++ b/sites-available/matrix.conf
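Review bot: The two `if ($https = '') { return 301 https://$host$request_uri; }` lines can never fire: both servers that contain them have only `listen 443 ssl` directives, so `$https` is always set there, and the comment "if not connected to HTTPS" describes a path that does not exist. What is actually missing is the port-80 redirect server the other files provide — there is no `server` on port 80 for `fedi.vern.cc`, `mastodon.vern.cc` or `bloat.vern.cc`, so plain-HTTP requests for those names fall to nginx's default port-80 vhost. Drop the dead `if` lines and add `server { listen 80; listen [::]:80; server_name fedi.vern.cc mastodon.vern.cc bloat.vern.cc; return 301 https://$host$request_uri; }`. The bloat.vern.cc server also lacks `listen [::]:443 ssl http2;` and `include snippets/headers.conf;`, which the fedi server directly above it has.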
@@ -0,0 +1,59 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ # For the federation port
+ listen 8448 ssl http2 default_server;
+ listen [::]:8448 ssl http2 default_server;
+ include snippets/lets-encrypt.conf;
+
+ server_name mtrx.vern.cc;
+
+ location ~ ^(/_matrix|/_synapse/client) {
+ # note: do not add a path (even a single /) after the port in `proxy_pass`,
+ # otherwise nginx will canonicalise the URI and cause signature verification
+ # errors.
+ proxy_pass http://localhost:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+
+ # Nginx by default only allows file uploads up to 1M in size
+ # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+ client_max_body_size 1024M;
+ }
+ ## well-known
+ location /.well-known/matrix/support {
+ add_header Access-Control-Allow-Origin '*' always;
+ add_header Content-Type application/json;
+ return 200 '{"admins": [{"matrix_id": "@root:vern.cc", "email_address": "tildemaster@vern.cc", "role": "admin"}], "support_page": "https://matrix.to/#/#vern:vern.cc"}';
+ }
+
+ location /.well-known/matrix/server {
+ add_header Access-Control-Allow-Origin '*' always;
+ add_header Content-Type application/json;
+ return 200 '{"m.server": "mtrx.vern.cc:443"}';
+ }
+
+ location /.well-known/matrix/client {
+ add_header Access-Control-Allow-Origin '*' always;
+ add_header Content-Type application/json;
+ return 200 '{"m.homeserver": {"base_url": "https://mtrx.vern.cc"}}';
+ }
+
+}
+server {
+ server_name dim.vern.cc;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ root /var/www/matrix;
+ index index.html;
+
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://localhost:8184;
+ }
+
+ include snippets/lets-encrypt.conf;
+}
diff --git a/sites-available/maubot.conf b/sites-available/maubot.conf
new file mode 100644
index 0000000..f2492ef
--- /dev/null
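Review bot: In the three `/.well-known/matrix/*` locations, `add_header Content-Type application/json;` appends a second Content-Type header instead of replacing the one nginx generates for the `return 200` body (which comes from whatever `default_type` resolves to), so clients can receive two conflicting Content-Type values. Replace those lines with `default_type application/json;`, which sets the response's actual type. In the `dim.vern.cc` server, `root /var/www/matrix;` and `index index.html;` are unused because `location /` proxies every request to `localhost:8184`, and that proxy forwards neither `Host` nor `X-Forwarded-Proto` although the Synapse location above does — presumably acceptable for that backend, but worth aligning or commenting.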
+++ b/sites-available/maubot.conf
@@ -0,0 +1,20 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ include snippets/lets-encrypt.conf;
+
+ server_name mau.vern.cc;
+
+ location /_matrix/maubot/v1/logs {
+ proxy_pass http://localhost:29316;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+ location /_matrix/maubot {
+ proxy_pass http://localhost:29316;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+}
diff --git a/sites-available/mirror.conf b/sites-available/mirror.conf
new file mode 100644
index 0000000..df8b406
--- /dev/null
+++ b/sites-available/mirror.conf
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name mirror.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion mirrors.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name verncc62kgfizkkwygmeouhmnu3wliz6bdrretmcpy6s5nsphmwa.b32.i2p;
+
+ include common/mirror.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ server_name mirror.vern.cc mirrors.vern.cc;
+
+ include common/mirror.conf;
+}
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name mirror.vern.cc mirrors.vern.cc;
+}
diff --git a/sites-available/mumble.conf b/sites-available/mumble.conf
new file mode 100644
index 0000000..658a1ed
--- /dev/null
+++ b/sites-available/mumble.conf
@@ -0,0 +1,18 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name mumble.vern.cc;
+
+ include snippets/lets-encrypt.conf;
+
+ location / {
+ root /usr/lib/node_modules/mumble-web/dist;
+ }
+ location /vern {
+ proxy_pass http://localhost:64737;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
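Review bot: `proxy_set_header Connection $connection_upgrade;` in mumble.conf's `/vern` location depends on the `map $http_upgrade $connection_upgrade` block that this commit places at the top of `sites-available/mastodon.conf`; nothing in mumble.conf records that, and if mastodon.conf is ever removed from sites-enabled, `nginx -t` fails on mumble.conf with an unknown variable. Move the map into a shared file included from nginx.conf (a `conf.d` file or a snippet), or at least add `# $connection_upgrade is defined by the map in sites-available/mastodon.conf` above the location. The maubot hunk on this line avoids the dependency by hard-coding `Connection "Upgrade"` on its logs path, at the cost of always requesting an upgrade there.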
diff --git a/sites-available/nextcloud.conf b/sites-available/nextcloud.conf
new file mode 100644
index 0000000..7b51d43
--- /dev/null
+++ b/sites-available/nextcloud.conf
@@ -0,0 +1,31 @@
+upstream php-handler {
+ server unix:/var/run/php/php7.4-fpm.sock;
+}
+
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+ "" "";
+ default "immutable";
+}
+
+server {
+ listen 80;
+ server_name nc.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion nextcloud.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+
+ include common/nextcloud.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name nc.vern.cc nextcloud.vern.cc;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/nextcloud.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name nc.vern.cc nextcloud.vern.cc;
+}
diff --git a/sites-available/nitter.conf b/sites-available/nitter.conf
new file mode 100644
index 0000000..74fd036
--- /dev/null
+++ b/sites-available/nitter.conf
@@ -0,0 +1,24 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name nt.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion nitter.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion twitter.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccbxzdhyh2gqgmljbi4jgwuuqbd23gfi4ir2wwhkltf2yebq.b32.i2p;
+
+ include common/nitter.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ server_name nt.vern.cc nitter.vern.cc twitter.vern.cc;
+ include common/nitter.conf;
+}
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name nt.vern.cc nitter.vern.cc twitter.vern.cc;
+}
diff --git a/sites-available/owncast.conf b/sites-available/owncast.conf
new file mode 100644
index 0000000..aeaaa03
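Review bot: The nextcloud TLS server has `listen 443 ssl http2;` but no `listen [::]:443 ssl http2;`, and the onion port-80 server likewise lacks `listen [::]:80;`, while every other vhost in this commit (including the redirect server in the same hunk) listens on both address families. An IPv6 client reaching nc.vern.cc:443 is therefore matched only against the servers bound to `[::]:443`, so it will likely land on whichever of those is nginx's default and get the wrong certificate and content. Add the two IPv6 listen lines. Separately, `upstream php-handler` hard-codes the same `php7.4-fpm.sock` path that `sites-available/ldap.conf` uses inline; keeping it in one shared snippet would stop the two drifting apart on a PHP upgrade.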
--- /dev/null
+++ b/sites-available/owncast.conf
@@ -0,0 +1,28 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name live.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion owncast.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion oc.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name verncckvmp4lz2yrprjt22dsnjpfo7z3zefzxiz5gi2jvm3fusqq.b32.i2p;
+
+ include common/owncast.conf;
+}
+
+server {
+ # listen 80 ;
+ # listen [::]:80 ;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name live.vern.cc owncast.vern.cc oc.vern.cc;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/owncast.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name live.vern.cc owncast.vern.cc oc.vern.cc;
+}
+
diff --git a/sites-available/peertube.conf b/sites-available/peertube.conf
new file mode 100644
index 0000000..0bc1a6b
--- /dev/null
+++ b/sites-available/peertube.conf
@@ -0,0 +1,62 @@
+# Minimum Nginx version required: 1.13.0 (released Apr 25, 2017)
+# Please check your Nginx installation features the following modules via 'nginx -V':
+# STANDARD HTTP MODULES: Core, Proxy, Rewrite, Access, Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream, AIO Multithreading.
+# THIRD PARTY MODULES: None.
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name pt.vern.cc;
+
+ location /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/certbot;
+ }
+ location / { return 301 https://$host$request_uri; }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name pt.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccc7oiixqimnolwtlmnn2legfwgrgjoseg54lsywv6ruwawq.b32.i2p;
+
+ include common/peertube.conf;
+}
+
+upstream ptbackend {
+ server 127.0.0.1:9000;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name pt.vern.cc;
+
+ ##
+ # Certificates
+ # you need a certificate to run in production. see https://letsencrypt.org/
+ ##
+ include snippets/lets-encrypt.conf;
+ location ^~ '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /var/www/certbot;
+ }
+
+ ##
+ # Security hardening (as of Nov 15, 2020)
+ # based on Mozilla Guideline v5.6
+ ##
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
+ ssl_session_timeout 1d; # defaults to 5m
+ ssl_session_tickets off;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
+ #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
+ include common/peertube.conf;
+}
diff --git a/sites-available/privatebin.conf b/sites-available/privatebin.conf
new file mode 100644
index 0000000..603bad0
--- /dev/null
+++ b/sites-available/privatebin.conf
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name pb.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion privatebin.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name verncc4deius22jbrmjclinuoysckhwk2a5hrc7pwhsubzd5kkga.b32.i2p;
+
+ include common/privatebin.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name pb.vern.cc privatebin.vern.cc;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/privatebin.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name pb.vern.cc privatebin.vern.cc;
+}
+
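Review bot: The pt.vern.cc TLS server sends no HSTS header (the `#add_header Strict-Transport-Security ...` line is commented out) and does not include `snippets/headers.conf` either, so it is the only clearnet TLS vhost in this commit whose responses carry neither. If the snippet's headers are generic, add `include snippets/headers.conf;` next to the existing `include snippets/lets-encrypt.conf;`; if HSTS is to be enabled here instead, the comment above it is right that the `add_header` must be repeated in every location of `common/peertube.conf` that adds headers of its own. Note also that the explicit `ssl_protocols`, `ssl_ciphers`, `ssl_session_*` and `ssl_stapling*` lines override whatever `lets-encrypt.conf` sets for every other host, so TLS policy now differs between pt.vern.cc and the rest; `ssl_stapling on` additionally needs a `resolver` and a trusted-chain file, neither of which is visible in this file.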
diff --git a/sites-available/quetre.conf b/sites-available/quetre.conf
new file mode 100644
index 0000000..6214062
--- /dev/null
+++ b/sites-available/quetre.conf
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name qr.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion quora.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion quetre.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccfaprbhma4f4bxc3wbiuvxgmcpp6l77cflbyx6sqahgjyza.b32.i2p;
+
+ include common/quetre.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name qr.vern.cc quora.vern.cc quetre.vern.cc;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/quetre.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name qr.vern.cc quora.vern.cc quetre.vern.cc;
+}
diff --git a/sites-available/rimgo.conf b/sites-available/rimgo.conf
new file mode 100644
index 0000000..9e4f133
--- /dev/null
+++ b/sites-available/rimgo.conf
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name rimgo.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion imgur.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccofxbclvqveqvy3bty6k4ronb7oj7efn6c7y2blmm3zcfpq.b32.i2p;
+
+ include common/rimgo.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name rimgo.vern.cc imgur.vern.cc;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/rimgo.conf;
+}
+
+server {
+ listen 80;
+ server_name rimgo.vern.cc imgur.vern.cc;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+}
diff --git a/sites-available/riot.conf b/sites-available/riot.conf
new file mode 100644
index 0000000..827b6b2
--- /dev/null
+++ b/sites-available/riot.conf
@@ -0,0 +1,26 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name riot.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccc5q77vdlpedz4sqzqgh2avkcb5lswmfs6ksndxrddz44sq.b32.i2p;
+
+ include common/riot.conf;
+}
+
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name riot.vern.cc;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/riot.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name riot.vern.cc;
+ return 301 https://$host$request_uri;
+}
+
diff --git a/sites-available/scribe.conf b/sites-available/scribe.conf
new file mode 100644
index 0000000..8f5e755
--- /dev/null
+++ b/sites-available/scribe.conf
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name scribe.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion medium.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccnnzgihftirfcjvmeviodlpt6flmc3q2naarfq7gjewppia.b32.i2p;
+
+ include common/scribe.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ server_name scribe.vern.cc medium.vern.cc;
+ include common/scribe.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name scribe.vern.cc medium.vern.cc;
+}
diff --git a/sites-available/searxng.conf b/sites-available/searxng.conf
new file mode 100644
index 0000000..cb9bdbf
--- /dev/null
+++ b/sites-available/searxng.conf
@@ -0,0 +1,24 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name searx.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion searxng.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion search.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion sx.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+
+ include common/searxng.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ server_name searx.vern.cc searxng.vern.cc search.vern.cc sx.vern.cc;
+ include common/searxng.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name searx.vern.cc searxng.vern.cc search.vern.cc sx.vern.cc;
+}
diff --git a/sites-available/simplytranslate.conf b/sites-available/simplytranslate.conf
new file mode 100644
index 0000000..ef5d512
--- /dev/null
+++ b/sites-available/simplytranslate.conf
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name translate.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion tl.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion simplytranslate.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+ server_name vernccxplwvg6luzppkd7xbt45q4lnmcdjhdqkpwa2b5hu2mz5ya.b32.i2p;
+
+ include common/simplytranslate.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ server_name translate.vern.cc tl.vern.cc simplytranslate.vern.cc;
+ include common/simplytranslate.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name translate.vern.cc tl.vern.cc simplytranslate.vern.cc;
+}
diff --git a/sites-available/user.vern.cc.conf b/sites-available/user.vern.cc.conf
new file mode 100644
index 0000000..3eab32e
--- /dev/null
+++ b/sites-available/user.vern.cc.conf
@@ -0,0 +1,27 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name ~^(?[^.]+)\.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad\.onion;
+
+ error_log /var/log/nginx/vern.cc-error.log crit;
+
+ include snippets/user.vern.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ~^(?[^.]+)\.vern\.cc;
+ include snippets/lets-encrypt.conf;
+ error_log /var/log/nginx/vern.cc-error.log crit;
+ include snippets/user.vern.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name ~^(?[^.]+)\.vern\.cc;
+}
+
diff --git a/sites-available/website.conf b/sites-available/website.conf
new file mode 100644
index 0000000..9111d57
--- /dev/null
+++ b/sites-available/website.conf
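Review bot: As rendered, the three `server_name ~^(?[^.]+)\.vern\.cc`-style regexes are not valid PCRE — `(?` must be followed by a group modifier — so `nginx -t` would reject this file in the form shown. Most likely the committed file has a named capture such as `(?<user>[^.]+)` and the angle-bracketed name was stripped when the diff was rendered, so check the source rather than this view. If the capture name is present there, nothing needs changing; since `snippets/user.vern.conf` presumably consumes that capture (it is not visible here), a comment on the first `server_name` naming the variable it exports would make the dependency explicit.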
@@ -0,0 +1,70 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion www.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+
+ # replace vern.cc with onion
+ subs_filter vern.cc vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+
+ # these dont have onions
+ subs_filter muc.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion muc.vern.cc;
+ subs_filter :vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion :vern.cc;
+ subs_filter minetest.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion minetest.vern.cc:
+ subs_filter pad.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion pad.vern.cc:
+ subs_filter status.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion status.vern.cc;
+ subs_filter jitsi.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion jitsi.vern.cc;
+ subs_filter mumble.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion mumble.vern.cc;
+ subs_filter mtrx.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion mtrx.vern.cc;
+ subs_filter ssh://vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion ssh://vern.cc;
+ subs_filter vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion:6697 vern.cc:6697;
+ subs_filter @vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion @vern.cc;
+
+ include common/website.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name verncceu2kgz54wi7r5jatgmx2mqtsh3knxhiy4m5shescuqtqfa.b32.i2p;
+
+ # replace vern.cc with i2p
+# subs_filter git.vern.cc vernccz7eh2z3adn74wbnyv62xsjqnifc62kdmfnqhbsg4i2gy4q.b32.i2p;
+# subs_filter inv.vern.cc vernccdzixves4eekynqgfhb7fjbldgtocepf7cq3c3327ttb7zq.b32.i2p;
+# subs_filter lbry.vern.cc verncca2sx2o6g6cxxfjjvllak454aaanqjs42ofa6m4bil6hbva.b32.i2p;
+# subs_filter lr.vern.cc vernccglp4wuobxu7ndh2dbpnczjhjnggh3hmuf2t32qd3lac5oa.b32.i2p;
+# subs_filter lt.vern.cc vernccoqc6q5wa6p3h55arp3gllizhuwa5d3nomudbkpzn46pgda.b32.i2p;
+# subs_filter mail.vern.cc vernccapspxuupmhjbsizhynlv qbs76ci447ez5uz27bazy3q5wq.b32.i2p;
+# subs_filter fedi.vern.cc vernccxro6qjs2fmwp2as5eavlnz6uzsxqqnhk3skkhpszp73ubq.b32.i2p;
+# subs_filter mirror.vern.cc verncc62kgfizkkwygmeouhmnu3wliz6bdrretmcpy6s5nsphmwa.b32.i2p;
+# subs_filter nt.vern.cc vernccbxzdhyh2gqgmljbi4jgwuuqbd23gfi4ir2wwhkltf2yebq.b32.i2p;
+# subs_filter live.vern.cc verncckvmp4lz2yrprjt22dsnjpfo7z3zefzxiz5gi2jvm3fusqq.b32.i2p;
+# subs_filter pt.vern.cc vernccc7oiixqimnolwtlmnn2legfwgrgjoseg54lsywv6ruwawq.b32.i2p;
+# subs_filter pb.vern.cc verncc4deius22jbrmjclinuoysckhwk2a5hrc7pwhsubzd5kkga.b32.i2p;
+# subs_filter quora.vern.cc vernccfaprbhma4f4bxc3wbiuvxgmcpp6l77cflbyx6sqahgjyza.b32.i2p;
+# subs_filter rimgo.vern.cc vernccofxbclvqveqvy3bty6k4ronb7oj7efn6c7y2blmm3zcfpq.b32.i2p;
+# subs_filter riot.vern.cc vernccc5q77vdlpedz4sqzqgh2avkcb5lswmfs6ksndxrddz44sq.b32.i2p;
+# subs_filter scribe.vern.cc vernccnnzgihftirfcjvmeviodlpt6flmc3q2naarfq7gjewppia.b32.i2p;
+# subs_filter tl.vern.cc vernccxplwvg6luzppkd7xbt45q4lnmcdjhdqkpwa2b5hu2mz5ya.b32.i2p;
+# subs_filter whoogle.vern.cc vernccaja5okin5qjhttko3jmmerosckpnafk3t7hazojd4dbkza.b32.i2p;
+
+ include common/website.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name www.vern.cc vern.cc;
+ include snippets/lets-encrypt.conf;
+ include snippets/headers.conf;
+ include common/website.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name www.vern.cc vern.cc;
+}
diff --git a/sites-available/whoogle.conf b/sites-available/whoogle.conf
new file mode 100644
index 0000000..f9cb966
--- /dev/null
+++ b/sites-available/whoogle.conf
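Review bot: Two `subs_filter` lines in the onion server end with `:` instead of `;` — the `minetest.vern.cc:` and `pad.vern.cc:` lines — so nginx reads them together with the following `status` line as one directive with eight arguments, and `nginx -t` should reject the file (subs_filter takes two or three arguments). Change the two line endings to `subs_filter minetest.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion minetest.vern.cc;` and `subs_filter pad.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion pad.vern.cc;`. In the i2p server every substitution is commented out, so i2p visitors receive clearnet links; that may be deliberate, but the `# replace vern.cc with i2p` heading then reads as if the rewrites were active and deserves a word on why they are disabled.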
@@ -0,0 +1,23 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name whoogle.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion;
+
+ include common/whoogle.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name whoogle.vern.cc;
+ include common/whoogle.conf;
+ include snippets/lets-encrypt.conf;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ server_name whoogle.vern.cc;
+}
diff --git a/sites-enabled/autoconfig.vern.cc.conf b/sites-enabled/autoconfig.vern.cc.conf
new file mode 120000
index 0000000..23da172
--- /dev/null
+++ b/sites-enabled/autoconfig.vern.cc.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/autoconfig.vern.cc.conf
\ No newline at end of file
diff --git a/sites-enabled/cryptpad.conf b/sites-enabled/cryptpad.conf
new file mode 120000
index 0000000..125a30d
--- /dev/null
+++ b/sites-enabled/cryptpad.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/cryptpad.conf
\ No newline at end of file
diff --git a/sites-enabled/gitea.conf b/sites-enabled/gitea.conf
new file mode 120000
index 0000000..d9c8a67
--- /dev/null
+++ b/sites-enabled/gitea.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/gitea.conf
\ No newline at end of file
diff --git a/sites-enabled/invidious.conf b/sites-enabled/invidious.conf
new file mode 120000
index 0000000..17e32c5
--- /dev/null
+++ b/sites-enabled/invidious.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/invidious.conf
\ No newline at end of file
diff --git a/sites-enabled/jitsi.conf b/sites-enabled/jitsi.conf
new file mode 120000
index 0000000..79b3f18
--- /dev/null
+++ b/sites-enabled/jitsi.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/jitsi.conf
\ No newline at end of file
diff --git a/sites-enabled/librarian.conf b/sites-enabled/librarian.conf
new file mode 120000
index 0000000..bd6e978
--- /dev/null
+++ b/sites-enabled/librarian.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/librarian.conf
\ No newline at end of file
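Review bot: The `listen 443` server block includes `snippets/lets-encrypt.conf` but not `snippets/headers.conf`, unlike the equivalent block in `sites-available/website.conf` in this same commit, so `whoogle.vern.cc` is served over TLS without HSTS, `X-Content-Type-Options` or `X-Frame-Options`. If that is not intentional, add `include snippets/headers.conf;` next to the lets-encrypt include. Note that nginx only inherits `add_header` directives into a `location` that sets none of its own; `common/whoogle.conf` is not in this diff, so check that it does not define `add_header` inside a location, which would silently drop the inherited headers for that location.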
diff --git a/sites-enabled/libreddit.conf b/sites-enabled/libreddit.conf
new file mode 120000
index 0000000..e2a080d
--- /dev/null
+++ b/sites-enabled/libreddit.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/libreddit.conf
\ No newline at end of file
diff --git a/sites-enabled/libretranslate.conf b/sites-enabled/libretranslate.conf
new file mode 120000
index 0000000..567380e
--- /dev/null
+++ b/sites-enabled/libretranslate.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/libretranslate.conf
\ No newline at end of file
diff --git a/sites-enabled/mail.vern.cc.conf b/sites-enabled/mail.vern.cc.conf
new file mode 120000
index 0000000..c10e7a4
--- /dev/null
+++ b/sites-enabled/mail.vern.cc.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/mail.vern.cc.conf
\ No newline at end of file
diff --git a/sites-enabled/mastodon.conf b/sites-enabled/mastodon.conf
new file mode 120000
index 0000000..cf88126
--- /dev/null
+++ b/sites-enabled/mastodon.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/mastodon.conf
\ No newline at end of file
diff --git a/sites-enabled/matrix.conf b/sites-enabled/matrix.conf
new file mode 120000
index 0000000..8a50a90
--- /dev/null
+++ b/sites-enabled/matrix.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/matrix.conf
\ No newline at end of file
diff --git a/sites-enabled/maubot.conf b/sites-enabled/maubot.conf
new file mode 120000
index 0000000..a2e76f2
--- /dev/null
+++ b/sites-enabled/maubot.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/maubot.conf
\ No newline at end of file
diff --git a/sites-enabled/mirror.conf b/sites-enabled/mirror.conf
new file mode 120000
index 0000000..9afe75e
--- /dev/null
+++ b/sites-enabled/mirror.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/mirror.conf
\ No newline at end of file
diff --git a/sites-enabled/mumble.conf b/sites-enabled/mumble.conf
new file mode 120000
index 0000000..15ad7a8
--- /dev/null
+++ b/sites-enabled/mumble.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/mumble.conf
\ No newline at end of file
diff --git a/sites-enabled/nitter.conf b/sites-enabled/nitter.conf
new file mode 120000
index 0000000..567157e
--- /dev/null
+++ b/sites-enabled/nitter.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/nitter.conf
\ No newline at end of file
diff --git a/sites-enabled/owncast.conf b/sites-enabled/owncast.conf
new file mode 120000
index 0000000..bb05a8f
--- /dev/null
+++ b/sites-enabled/owncast.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/owncast.conf
\ No newline at end of file
diff --git a/sites-enabled/peertube.conf b/sites-enabled/peertube.conf
new file mode 120000
index 0000000..351c1c2
--- /dev/null
+++ b/sites-enabled/peertube.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/peertube.conf
\ No newline at end of file
diff --git a/sites-enabled/privatebin.conf b/sites-enabled/privatebin.conf
new file mode 120000
index 0000000..a148c47
--- /dev/null
+++ b/sites-enabled/privatebin.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/privatebin.conf
\ No newline at end of file
diff --git a/sites-enabled/quetre.conf b/sites-enabled/quetre.conf
new file mode 120000
index 0000000..c31a222
--- /dev/null
+++ b/sites-enabled/quetre.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/quetre.conf
\ No newline at end of file
diff --git a/sites-enabled/rimgo.conf b/sites-enabled/rimgo.conf
new file mode 120000
index 0000000..b8713bb
--- /dev/null
+++ b/sites-enabled/rimgo.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/rimgo.conf
\ No newline at end of file
diff --git a/sites-enabled/riot.conf b/sites-enabled/riot.conf
new file mode 120000
index 0000000..18251f5
--- /dev/null
+++ b/sites-enabled/riot.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/riot.conf
\ No newline at end of file
diff --git a/sites-enabled/scribe.conf b/sites-enabled/scribe.conf
new file mode 120000
index 0000000..79eb941
--- /dev/null
+++ b/sites-enabled/scribe.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/scribe.conf
\ No newline at end of file
diff --git a/sites-enabled/simplytranslate.conf b/sites-enabled/simplytranslate.conf
new file mode 120000
index 0000000..a5d9c55
--- /dev/null
+++ b/sites-enabled/simplytranslate.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/simplytranslate.conf
\ No newline at end of file
diff --git a/sites-enabled/user.vern.cc.conf b/sites-enabled/user.vern.cc.conf
new file mode 120000
index 0000000..f13a0df
--- /dev/null
+++ b/sites-enabled/user.vern.cc.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/user.vern.cc.conf
\ No newline at end of file
diff --git a/sites-enabled/website.conf b/sites-enabled/website.conf
new file mode 120000
index 0000000..6d86642
--- /dev/null
+++ b/sites-enabled/website.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/website.conf
\ No newline at end of file
diff --git a/sites-enabled/whoogle.conf b/sites-enabled/whoogle.conf
new file mode 120000
index 0000000..c739944
--- /dev/null
+++ b/sites-enabled/whoogle.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/whoogle.conf
\ No newline at end of file
diff --git a/snippets/fastcgi-php.conf b/snippets/fastcgi-php.conf
new file mode 100644
index 0000000..467a9e7
--- /dev/null
+++ b/snippets/fastcgi-php.conf
@@ -0,0 +1,13 @@
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+
+# Check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+fastcgi_index index.php;
+include fastcgi.conf;
diff --git a/snippets/headers.conf b/snippets/headers.conf
new file mode 100644
index 0000000..0fe51b2
--- /dev/null
+++ b/snippets/headers.conf
@@ -0,0 +1,5 @@
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-XSS-Protection "1; mode=block" always;
+#add_header Content-Security-Policy "default-src 'self'; font-src 'self'; img-src 'self' https://i.creativecommons.org/ https://licensebuttons.net/; style-src 'self' 'unsafe-inline'" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
diff --git a/snippets/lets-encrypt.conf b/snippets/lets-encrypt.conf
new file mode 100644
index 0000000..8280be4
--- /dev/null
+++ b/snippets/lets-encrypt.conf
@@ -0,0 +1,11 @@
+ssl_certificate_key /etc/letsencrypt/live/vern.cc/privkey.pem;
+ssl_certificate /etc/letsencrypt/live/vern.cc/fullchain.pem;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /etc/letsencrypt/live/vern.cc/dhparam;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+# ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+
+# replace with the IP address of your resolver
+resolver 9.9.9.9;
diff --git a/snippets/snakeoil.conf b/snippets/snakeoil.conf
new file mode 100644
index 0000000..ad26c3e
--- /dev/null
+++ b/snippets/snakeoil.conf
@@ -0,0 +1,5 @@
+# Self signed certificates generated by the ssl-cert package
+# Don't use them in a production server!
+
+ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
diff --git a/snippets/user.vern.conf b/snippets/user.vern.conf
new file mode 100644
index 0000000..a5e65c6
--- /dev/null
+++ b/snippets/user.vern.conf
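Review bot: `add_header X-XSS-Protection "1; mode=block" always;` enables a browser-side auditor that current browsers have removed and that is known to have caused problems of its own; the current OWASP guidance is `add_header X-XSS-Protection "0" always;` (or dropping the header) and relying on a Content-Security-Policy, which in this snippet is still commented out. A short comment on the commented CSP line saying why it is disabled would help whoever revisits it. The snippet also deserves a header comment that nginx discards every inherited `add_header` in any `server` or `location` that defines its own, since the `common/*.conf` files in this commit add an `Onion-Location` header and only work alongside these headers when both are included at the same level.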
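Review bot: `resolver 9.9.9.9;` and the commented `ssl_trusted_certificate` line come from the Mozilla SSL-config template for OCSP stapling, but the `ssl_stapling on;` and `ssl_stapling_verify on;` lines the template pairs them with are missing, so the resolver has no visible purpose in this snippet. Either add the two stapling directives and uncomment `ssl_trusted_certificate` pointing at the Let's Encrypt chain, or replace the resolver comment with one stating what it is actually for. The snippet sets no `ssl_protocols`, `ssl_ciphers` or `ssl_prefer_server_ciphers`, so whatever the top-level nginx.conf (not in this diff) sets applies to every site that includes it; a comment saying those live in nginx.conf would make the snippet self-explanatory.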
@@ -0,0 +1,35 @@
+add_header Onion-Location http://$user.vernccvbvyi5qhfzyqengccj7lkove6bjot2xhh5kajhwvidqafczrad.onion$request_uri;
+
+root /sshfs/home/$user/public_html;
+index index.html index.php index.cgi index.py index.sh index.pl index.lua;
+
+location ~ \.php$ {
+ fastcgi_pass 192.168.122.30:9000;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+}
+location ~ (\.cgi|\.py|\.sh|\.pl|\.lua|\/cgi-bin)$ {
+ gzip off;
+ fastcgi_pass 192.168.122.30:9001;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+}
+ssi on;
+
+#error_page 404 /404.html;
+
+autoindex on;
+autoindex_exact_size off;
+
+location / {
+ rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
+ rewrite ^/(.*)/$ /$1 permanent;
+ try_files $uri $uri/index.html $uri.html $uri/ @extensionless-php;
+ autoindex on ;
+}
+location /media {
+ autoindex on;
+
+}
+if (!-d /sshfs/home/$user/public_html) {
+ return 307 https://vern.cc/;
+}
diff --git a/uwsgi_params b/uwsgi_params
new file mode 100644
index 0000000..09c732c
--- /dev/null
+++ b/uwsgi_params
@@ -0,0 +1,17 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
diff --git a/win-utf b/win-utf
new file mode 100644
index 0000000..774fd9f
--- /dev/null
+++ b/win-utf
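Review bot: The `location ~ \.php$` block hands `$realpath_root$fastcgi_script_name` to PHP-FPM without first checking that the script exists on disk; the `snippets/fastcgi-php.conf` added in this same commit carries `try_files $fastcgi_script_name =404;` for exactly that reason, and the usual fix here is `try_files $uri =404;` as the first line of this location and of the `(\.cgi|\.py|…)` location, which has the same shape. `try_files … @extensionless-php` refers to a named location that is not defined in this snippet; if the including server block does not define it, requests that miss every candidate are likely answered with a 500 rather than a 404, so a comment naming where `@extensionless-php` lives would help. The `$user` variable that `root`, the `Onion-Location` header and the `if (!-d …)` check all depend on is likewise set outside this file; a header comment saying which server block is expected to include this snippet and how `$user` is derived is warranted.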
@@ -0,0 +1,125 @@
+# This map is not a full windows-1251 <> utf8 map: it does not
+# contain Serbian and Macedonian letters. If you need a full map,
+# use contrib/unicode2nginx/win-utf map instead.
+
+charset_map windows-1251 utf-8 {
+
+ 82 E2809A; # single low-9 quotation mark
+
+ 84 E2809E; # double low-9 quotation mark
+ 85 E280A6; # ellipsis
+ 86 E280A0; # dagger
+ 87 E280A1; # double dagger
+ 88 E282AC; # euro
+ 89 E280B0; # per mille
+
+ 91 E28098; # left single quotation mark
+ 92 E28099; # right single quotation mark
+ 93 E2809C; # left double quotation mark
+ 94 E2809D; # right double quotation mark
+ 95 E280A2; # bullet
+ 96 E28093; # en dash
+ 97 E28094; # em dash
+
+ 99 E284A2; # trade mark sign
+
+ A0 C2A0; #  
+ A1 D18E; # capital Byelorussian short U
+ A2 D19E; # small Byelorussian short u
+
+ A4 C2A4; # currency sign
+ A5 D290; # capital Ukrainian soft G
+ A6 C2A6; # borken bar
+ A7 C2A7; # section sign
+ A8 D081; # capital YO
+ A9 C2A9; # (C)
+ AA D084; # capital Ukrainian YE
+ AB C2AB; # left-pointing double angle quotation mark
+ AC C2AC; # not sign
+ AD C2AD; # soft hypen
+ AE C2AE; # (R)
+ AF D087; # capital Ukrainian YI
+
+ B0 C2B0; # °
+ B1 C2B1; # plus-minus sign
+ B2 D086; # capital Ukrainian I
+ B3 D196; # small Ukrainian i
+ B4 D291; # small Ukrainian soft g
+ B5 C2B5; # micro sign
+ B6 C2B6; # pilcrow sign
+ B7 C2B7; # ·
+ B8 D191; # small yo
+ B9 E28496; # numero sign
+ BA D194; # small Ukrainian ye
+ BB C2BB; # right-pointing double angle quotation mark
+
+ BF D197; # small Ukrainian yi
+
+ C0 D090; # capital A
+ C1 D091; # capital B
+ C2 D092; # capital V
+ C3 D093; # capital G
+ C4 D094; # capital D
+ C5 D095; # capital YE
+ C6 D096; # capital ZH
+ C7 D097; # capital Z
+ C8 D098; # capital I
+ C9 D099; # capital J
+ CA D09A; # capital K
+ CB D09B; # capital L
+ CC D09C; # capital M
+ CD D09D; # capital N
+ CE D09E; # capital O
+ CF D09F; # capital P
+
+ D0 D0A0; # capital R
+ D1 D0A1; # capital S
+ D2 D0A2; # capital T
+ D3 D0A3; # 
capital U
+ D4 D0A4; # capital F
+ D5 D0A5; # capital KH
+ D6 D0A6; # capital TS
+ D7 D0A7; # capital CH
+ D8 D0A8; # capital SH
+ D9 D0A9; # capital SHCH
+ DA D0AA; # capital hard sign
+ DB D0AB; # capital Y
+ DC D0AC; # capital soft sign
+ DD D0AD; # capital E
+ DE D0AE; # capital YU
+ DF D0AF; # capital YA
+
+ E0 D0B0; # small a
+ E1 D0B1; # small b
+ E2 D0B2; # small v
+ E3 D0B3; # small g
+ E4 D0B4; # small d
+ E5 D0B5; # small ye
+ E6 D0B6; # small zh
+ E7 D0B7; # small z
+ E8 D0B8; # small i
+ E9 D0B9; # small j
+ EA D0BA; # small k
+ EB D0BB; # small l
+ EC D0BC; # small m
+ ED D0BD; # small n
+ EE D0BE; # small o
+ EF D0BF; # small p
+
+ F0 D180; # small r
+ F1 D181; # small s
+ F2 D182; # small t
+ F3 D183; # small u
+ F4 D184; # small f
+ F5 D185; # small kh
+ F6 D186; # small ts
+ F7 D187; # small ch
+ F8 D188; # small sh
+ F9 D189; # small shch
+ FA D18A; # small hard sign
+ FB D18B; # small y
+ FC D18C; # small soft sign
+ FD D18D; # small e
+ FE D18E; # small yu
+ FF D18F; # small ya
+}