Update a lot of things

nginx/configs/general.conf

@@ -11,3 +11,8 @@ gzip_types        text/plain text/css text/xml application/json application/java
 #brotli_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
 
 location /robots.txt { alias /var/www/html/robots.txt; }
+
+# FUCK SEMRUSH
+if ($http_user_agent ~ (SemrushBot)) {
+	return 403;
+}

nginx/nginx.conf

@@ -11,11 +11,12 @@ include /etc/nginx/conf.d/*.conf;
 
 events {
     multi_accept on;
-    worker_connections 65535;
+    worker_connections 16192;
 }
 
 http {
     access_log off;
+    error_log /dev/null;
 
     # Basic Settings
     charset utf-8;
@@ -24,9 +25,14 @@ http {
     tcp_nodelay on;
     server_tokens off;
     log_not_found off;
-    types_hash_max_size 4096;
-    types_hash_bucket_size 64;
-    server_names_hash_bucket_size 256;
+    types_hash_max_size 1024;
+    types_hash_bucket_size 128;
+    server_names_hash_bucket_size 128;
+
+    #proxy_cache                 off;
+    #proxy_max_temp_file_size    0;
+    #proxy_request_buffering     off;
+    #proxy_buffering             off;
 
     # MIME
     include mime.types;
@@ -40,6 +46,7 @@ http {
     ssl_session_timeout 1d;
     ssl_session_cache shared:MozSSL:10m;
     ssl_session_tickets off;
+    ssl_early_data on;
 
     # Diffie-Hellman parameter for DHE ciphersuites
     ssl_dhparam /etc/nginx/dhparam.pem;
@@ -60,6 +67,11 @@ http {
     quic_retry on;
     quic_gso on;
 
+    # PERFORMANCE / ASYNC I/O
+    aio threads=default;
+    aio_write on;
+    directio 2m;
+
     # Virtual Host Configs
     include /etc/nginx/sites-enabled/*.conf;
     # Maps

nginx/sites-available/gatoculiao.ayaya.beauty.conf

@@ -1,4 +1,5 @@
 server {
+	access_log /var/log/nginx/gatoculiao.ayaya.beauty.log combined;
 
     server_name gatoculiao.ayaya.beauty;
     include configs/general.conf;
@@ -16,6 +17,7 @@ server {
 }
 
 server {
+	access_log /var/log/nginx/vids.gatoculiao.ayaya.beauty.log combined;
     server_name vids.gatoculiao.ayaya.beauty;
     include configs/general.conf;
     include configs/security.conf;

nginx/sites-available/git.zzls.xyz.conf

@@ -10,6 +10,7 @@ server {
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+	client_max_body_size 64M;
     }
 
     # QUIC

nginx/sites-available/inv.zzls.xyz.conf

@@ -1,11 +1,19 @@
-server {
+upstream inv {
+		least_conn;
+	server 127.0.0.1:40015;
+	server 127.0.0.1:40016;
+}
 
+server {
     server_name inv.zzls.xyz;
     include configs/general.conf;
 
     location / {
-        proxy_pass http://127.0.0.1:40015/;
-        include configs/proxy.conf;
+        proxy_pass http://inv;
+	proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $host;    # so Invidious knows domain
+        proxy_http_version 1.1;     # to keep alive
+        proxy_set_header Connection ""; # to keep alive
     }
 
     # QUIC
@@ -20,11 +28,6 @@ server {
     if ($host = inv.zzls.xyz) {
         return 301 https://$host$request_uri;
     }
-
-
     listen 80;
-
     server_name inv.zzls.xyz;
-
-
 }

nginx/sites-available/librex.zzls.xyz.conf

@@ -1,3 +1,4 @@
+# CLEARNET
 server {
 
     server_name librex.zzls.xyz;
@@ -24,6 +25,8 @@ server {
     include configs/ssl.conf;
 
 }
+
+# TOR
 server {
     listen 80;
     server_name librex.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion;
@@ -37,9 +40,11 @@ server {
     }
 
 }
+
+# I2P
 server {
-    listen 40021;
-    server_name 7huurwog32tny663wkglrhozfoyqyqmsuxjbd7dtudccx44awjda.b32.i2p;
+    listen 30002;
+    server_name zzlsaymhcfla7vibo3a223bybeecu3bd5z6rmw2u4y76maqeu76q.b32.i2p;
 
     root /var/www/librex;
     index index.php;

nginx/sites-available/matrix.zzls.xyz.conf

@@ -19,7 +19,7 @@ server {
         index index.html;
     }
 
-    location ~ ^(/_matrix|/_synapse/client) {
+    location ~ ^(/_matrix|/_synapse/client|/health) {
         proxy_pass http://localhost:8008;
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;

nginx/sites-available/ri.zzls.xyz.conf

@@ -1,3 +1,4 @@
+# CLEARNET
 server {
 
     server_name ri.zzls.xyz;
@@ -20,6 +21,8 @@ server {
     include configs/ssl.conf;
 
 }
+
+# TOR
 server {
     listen 80;
     server_name rimgo.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion;
@@ -30,6 +33,18 @@ server {
     }
 }
 
+# I2P
+server {
+    listen 30001;
+    server_name zzls3ubaix5wjfar4hskwqnh3vvwvrzoxsvcx64on2aogcxrvhoq.b32.i2p;
+
+    location / {
+        proxy_pass http://127.0.0.1:40002/;
+        include configs/proxy.conf;
+    }
+
+}
+
 server {
     if ($host = ri.zzls.xyz) {
         return 301 https://$host$request_uri;

nginx/sites-available/turn.matrix.zzls.xyz.conf

@@ -0,0 +1,31 @@
+server {
+
+    # Common shit
+    include configs/general.conf;
+    server_name turn.matrix.zzls.xyz;
+
+    # SecHeaders
+    include configs/security.conf;
+
+    # QUIC
+    add_header Alt-Svc 'h3=":443", h3=":8448"; ma=86400';
+
+    listen 443 http2 ssl;
+
+    ssl_certificate /etc/ssl/certs/turn.matrix.zzls.xyz.crt;
+    ssl_certificate_key /etc/ssl/private/turn.matrix.zzls.xyz.key;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+}
+server {
+    if ($host = matrix.zzls.xyz) {
+        return 301 https://$host$request_uri;
+    }
+
+
+    listen 80;
+    server_name matrix.zzls.xyz;
+
+
+}

nginx/sites-enabled/api.spacebar.zzls.xyz.conf

@@ -1 +0,0 @@
-../sites-available/api.spacebar.zzls.xyz.conf

nginx/sites-enabled/ii.zzls.xyz.conf

@@ -1 +0,0 @@
-../sites-available/ii.zzls.xyz.conf

nginx/sites-enabled/paste.zzls.xyz.conf

@@ -1 +0,0 @@
-../sites-available/paste.zzls.xyz.conf

nginx/sites-enabled/ri.zzls.xyz.conf

@@ -0,0 +1 @@
+../sites-available/ri.zzls.xyz.conf

nginx/sites-enabled/spacebar.zzls.xyz.conf

@@ -1 +0,0 @@
-../sites-available/spacebar.zzls.xyz.conf

sysctl.d/internet.conf

@@ -1,62 +0,0 @@
-#TCP Tweaks
-net.ipv4.tcp_tw_reuse = 1
-net.ipv4.tcp_fastopn = 3
-net.ipv4.tcp_fin_timeout = 10
-
-net.core.netdev_max_backlog = 16384
-net.core.somaxconn = 8192
-net.ipv4.tcp_mtu_probing = 1
-
-net.ipv4.tcp_rfc1337 = 1
-
-net.ipv4.conf.default.rp_filter = 1
-net.ipv4.conf.all.rp_filter = 1
-
-# disable tcp timestamps to avoid leaking some system information
-# https://www.whonix.org/wiki/Disable_TCP_and_ICMP_Timestamps
-net.ipv4.tcp_timestamps=0
-
-#TCP BBR Congestion Control Algoritm
-net.core.default_qdisc = cake
-net.ipv4.tcp_congestion_control = bbr
-net.ipv4.tcp_notsent_lowat = 16384
-
-#Ignore ICMP Ping requests
-net.ipv4.icmp_echo_ignore_all = 1
-net.ipv6.icmp.echo_ignore_all = 1
-
-#Increase the memory dedicated to the network interfaces
-net.core.rmem_default = 1048576
-net.core.rmem_max = 16777216
-net.core.wmem_default = 1048576
-net.core.wmem_max = 16777216
-net.core.optmem_max = 65536
-net.ipv4.tcp_rmem = 4096 1048576 2097152
-net.ipv4.tcp_wmem = 4096 65536 16777216
-
-net.ipv4.udp_rmem_min = 8192
-net.ipv4.udp_wmem_min = 8192
-
-# increase aslr effectiveness for mmap
-# https://lwn.net/Articles/667790
-vm.mmap_rnd_bits=32
-vm.mmap_rnd_compat_bits=16
-
-#SYN Flood Protection
-
-net.ipv4.tcp_max_syn_backlog = 8192
-net.ipv4.tcp_syn_retries = 6
-net.ipv4.tcp_synack_retries = 3
-net.ipv4.tcp_syncookies = 1a
-
-#DDOS Protection and shit
-net.ipv4.tcp_max_tw_buckets = 2000000
-
-#Dead Conections
-net.ipv4.tcp_keepalive_time = 60
-net.ipv4.tcp_keepalive_intvl = 10
-net.ipv4.tcp_keepalive_probes = 6
-
-# This will enusre that immediatly subsequent connections use the new values
-net.ipv4.route.flush = 1
-net.ipv6.route.flush = 1