Fijxu
/
etc-configs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

caca

This commit is contained in:
Fijxu 2022-12-03 00:51:27 -03:00
commit 2b0f176ce1
22 changed files with 2614 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
nginx/configs/general.conf Normal file
View File

@ -0,0 +1,11 @@
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
# brotli
#brotli on;
#brotli_comp_level 6;
#brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

20
nginx/configs/proxyheaders.conf Normal file
View File

@ -0,0 +1,20 @@
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy SSL
proxy_ssl_server_name on;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;

12
nginx/configs/securityheaders.conf Normal file
View File

@ -0,0 +1,12 @@
# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
#add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# . files
#location ~ /\.(?!well-known) {
# deny all;
#}

101
nginx/nginx.conf Executable file
View File

@ -0,0 +1,101 @@
worker_processes auto;
worker_rlimit_nofile 65535;
# Include Modules
include /etc/nginx/modules-enabled/*.conf;
#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
# This is where we load NJS modules
#load_module /usr/lib/nginx/modules/ngx_http_js_module.so;
#load_module /usr/lib/nginx/modules/ngx_stream_js_module.so;
# Include external config
#include /etc/nginx/conf.d/*.conf;
events {
multi_accept on;
worker_connections 65535;
}
stream {
include /etc/nginx/streams/*;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 4096;
types_hash_bucket_size 64;
client_max_body_size 16M;
# MIME
include mime.types;
default_type application/octet-stream;
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
#
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
# OCSP Stapling
#ssl_stapling on;
#ssl_stapling_verify on;
# Logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
# General configs, include in every sites-enabled site
#include configs/general.conf;
# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}
# Include sites-enabled
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

35
nginx/sites-available/archive.zzls.xyz.conf Executable file
View File

@ -0,0 +1,35 @@
server {
access_log /var/log/nginx/archive.zzls.xyz.log combined;
error_log /var/log/nginx/archive.zzls.xyz.error.log;
server_name archive.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
location / {
proxy_pass http://127.0.0.1:40015;
include configs/proxyheaders.conf;
}
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/archive.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/archive.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = archive.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name archive.zzls.xyz;
return 404; # managed by Certbot
}

39
nginx/sites-available/gitea.conf Executable file
View File

@ -0,0 +1,39 @@
server {
access_log /var/log/nginx/git.access.log combined;
server_name git.zzls.xyz;
# Security headers and general settings
include configs/securityheaders.conf;
include configs/general.conf;
location / {
proxy_pass http://unix:/run/gitea/gitea.socket;
include configs/proxyheaders.conf;
}
#add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/git.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/git.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = git.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name git.zzls.xyz;
return 404; # managed by Certbot
}

40
nginx/sites-available/ii.zzls.xyz.conf Executable file
View File

@ -0,0 +1,40 @@
server {
access_log /var/log/nginx/ii.access.log combined;
error_log /var/log/nginx/ii.error.log;
root /opt/ImageUpload/ifiles/;
index index.html index.htm index.nginx-debian.html;
server_name ii.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
location /upload {
client_max_body_size 4096M;
auth_basic "Restricted Content";
auth_basic_user_file /etc/fileupload.htpasswd;
proxy_pass http://localhost:40006;
include configs/proxyheaders.conf;
}
listen 443 http3;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/ii.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ii.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = ii.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name ii.zzls.xyz;
return 404; # managed by Certbot
}

46
nginx/sites-available/mpd.ayaya.beauty.conf Executable file
View File

@ -0,0 +1,46 @@
server {
access_log /var/log/nginx/mpd.ayaya.beauty.log combined;
error_log /var/log/nginx/mpd.ayaya.beauty.error.log;
server_name mpd.ayaya.beauty;
include configs/general.conf;
include configs/securityheaders.conf;
location / {
proxy_pass http://192.168.1.2:40420;
#include configs/proxyheaders.conf;
proxy_connect_timeout 1;
proxy_send_timeout 1;
proxy_read_timeout 1;
}
location /status {
# Turn on stats
stub_status on;
access_log off;
# only allow access from 192.168.1.5 #
allow 192.168.1.2;
deny all;
}
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mpd.ayaya.beauty/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mpd.ayaya.beauty/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = mpd.ayaya.beauty) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name mpd.ayaya.beauty;
listen 80;
return 404; # managed by Certbot
}

37
nginx/sites-available/privatebin.conf Executable file
View File

@ -0,0 +1,37 @@
server {
access_log /var/log/nginx/pbin.access.log combined;
server_name pbin.zzls.xyz;
include configs/general.conf;
location / {
proxy_pass http://localhost:40001;
include configs/proxyheaders.conf;
}
#include configs/securityheaders.conf;
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 ssl http2;
listen 443 http3; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/pbin.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/pbin.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = pbin.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name pbin.zzls.xyz;
return 404; # managed by Certbot
}

40
nginx/sites-available/rimgo.conf Executable file
View File

@ -0,0 +1,40 @@
server {
access_log /dev/null;
error_log /dev/null;
server_name ri.zzls.xyz;
include configs/general.conf;
location / {
proxy_pass http://127.0.0.1:40002/;
include configs/proxyheaders.conf;
}
# security headers
include configs/securityheaders.conf;
#add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/ri.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ri.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = ri.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name ri.zzls.xyz;
return 404; # managed by Certbot
}

68
nginx/sites-available/searxng.conf Executable file
View File

@ -0,0 +1,68 @@
server {
access_log /var/log/nginx/searx.log;
error_log /dev/null;
server_name search2.zzls.xyz;
if ($server_protocol ~* "HTTP/1.0") {
return 444;
}
if ($http_user_agent ~* (python) ) {
return 403;
}
location / {
proxy_pass http://127.0.0.1:8888/;
#
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy headers for the Limiter
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
}
location /searx/static/ {
alias /usr/local/searxng/searxng-src/searx/static/;
}
# security headers
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
quic_retry on;
quic_gso on;
ssl_early_data on;
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/search2.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/search2.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = search2.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name search2.zzls.xyz;
return 404; # managed by Certbot
}

42
nginx/sites-available/selfhost.conf Executable file
View File

@ -0,0 +1,42 @@
server {
access_log /var/log/nginx/selfhost.log combined;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name selfhost.zzls.xyz;
location / {
try_files $uri $uri/ =404;
}
# security headers
add_header Referrer-Policy "no-referrer-when-downgrade" always;
#add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'";
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 ssl http2;
listen 443 http3; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/selfhost.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/selfhost.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = selfhost.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name selfhost.zzls.xyz;
return 404; # managed by Certbot
}

45
nginx/sites-available/yt.conf Executable file
View File

@ -0,0 +1,45 @@
server {
access_log /var/log/nginx/yt.access.log combined;
server_name yt.zzls.xyz;
location / {
proxy_pass http://localhost:40003;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; # so Invidious knows domain
proxy_http_version 1.1; # to keep alive
proxy_set_header Connection ""; # to keep alive
}
# security headers
add_header Referrer-Policy "no-referrer-when-downgrade" always;
#add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'";
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/yt.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/yt.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = yt.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name yt.zzls.xyz;
return 404; # managed by Certbot
}

1
nginx/sites-enabled/archive.zzls.xyz.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/archive.zzls.xyz.conf

1
nginx/sites-enabled/gitea.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/gitea.conf

1
nginx/sites-enabled/ii.zzls.xyz.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/ii.zzls.xyz.conf

1
nginx/sites-enabled/mpd.ayaya.beauty.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/mpd.ayaya.beauty.conf

1
nginx/sites-enabled/privatebin.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/privatebin.conf

1
nginx/sites-enabled/rimgo.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/rimgo.conf

1
nginx/sites-enabled/selfhost.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/selfhost.conf

28
nginx/streams/dns.conf Normal file
View File

@ -0,0 +1,28 @@
# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
#log_format dns '$remote_addr [$time_local] $protocol "$dns_qname"';
#access_log /var/log/nginx/dns-access.log dns;
# Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
# js_import /etc/nginx/njs.d/nginx_stream.js;
# The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
# js_set $dns_qname dns_get_qname;
upstream dns {
zone dns 64k;
server 127.0.0.1:53;
}
server {
#listen 853 http3;
listen 853 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_handshake_timeout 10s;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
proxy_pass dns;
}

2043
searxng/settings.yml Normal file
View File

File diff suppressed because it is too large Load Diff