Ok now it's ok I guess

This commit is contained in:
Fijxu 2023-12-22 16:35:40 -03:00
parent 6c3773d51b
commit 9a5c1317f7
17 changed files with 192 additions and 221 deletions


@ -0,0 +1,29 @@
server {
server_name count.ayaya.beauty;
include configs/general.conf;
include configs/security.conf;
include configs/robotsNone.conf;
location / {
proxy_pass http://127.0.0.1:41000/;
include configs/proxy.conf;
}
# QUIC
include configs/http3.conf;
listen 443 ssl;
http2 on;
ssl_certificate /etc/letsencrypt/live/count.ayaya.beauty/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/count.ayaya.beauty/privkey.pem; # managed by Certbot
include configs/sslConfig.conf;
}
server {
if ($host = count.ayaya.beauty) {
return 301 https://$host$request_uri;
}
server_name count.ayaya.beauty;
listen 80;
}
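Review bot: The port-80 block at the end of the hunk no longer ends with `return 404;`, which the replaced sites-available version had right after the redirect `if`; whenever this block acts as the default server for :80 (include order decides that, so this is an inference), a request whose Host is not count.ayaya.beauty falls through to nginx's built-in handling and document root instead of being refused. Adding `return 404;` after the `if` block restores the previous behaviour without touching the redirect. Separately, the headers from configs/security.conf are set at server level and are silently dropped inside `location /` if configs/proxy.conf (not visible here) contains any `add_header` of its own; worth confirming with a curl against the proxied path.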


@ -0,0 +1,38 @@
server {
server_name ri.zzls.xyz;
include configs/general.conf;
location / {
proxy_pass http://127.0.0.1:40001/;
include configs/proxy.conf;
}
# QUIC
include configs/http3.conf;
listen 443 ssl;
http2 on;
ssl_certificate /etc/letsencrypt/live/ri.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ri.zzls.xyz/privkey.pem; # managed by Certbot
include configs/sslConfig.conf;
}
server {
listen 80;
server_name rimgo.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion;
location / {
proxy_pass http://127.0.0.1:40001/;
include configs/proxy.conf;
}
}
server {
if ($host = ri.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name ri.zzls.xyz;
}
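Review bot: The TLS server for ri.zzls.xyz includes only configs/general.conf at the top of the hunk, so unlike count.ayaya.beauty it sends no HSTS or X-Frame-Options header; the deleted version carried `#include configs/security.conf;` as an explicitly commented-out line, so the omission may be deliberate, but the new file gives no hint. Either add `include configs/security.conf;` next to the general.conf include or leave a comment such as `# security.conf intentionally omitted for rimgo (reason here)`. The redirect block at the end of the hunk also dropped the `return 404;` the old file had, so a non-matching Host on port 80 is no longer refused if this block ends up as the default server.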


@ -0,0 +1,54 @@
server {
server_name search.zzls.xyz;
include configs/general.conf;
location @socket {
uwsgi_pass unix:///usr/local/searxng/run/socket;
include uwsgi_params;
uwsgi_param HTTP_HOST $host;
uwsgi_param HTTP_CONNECTION $http_connection;
# see flaskfix.py
uwsgi_param HTTP_X_SCHEME $scheme;
#uwsgi_param HTTP_X_SCRIPT_NAME /searxng;
# see limiter.py
uwsgi_param HTTP_X_REAL_IP $remote_addr;
uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
}
location / {
try_files $uri @socket;
}
location /search {
try_files $uri @socket;
limit_req_status 444;
limit_req zone=mylimit;
if ($server_protocol ~* "HTTP/1.1") {
return 444;
}
}
# Onion Service Header
# add_header Onion-Location http://searxdr3pqz4nydgnqocsia2xbywptxbkympa2emn7zlgggrir4bkfad.onion$request_uri;
# QUIC
include configs/http3.conf;
# CSP + Security Headers
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=63072000; preload" always;
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
listen 443 ssl;
http2 on;
include configs/ssl.conf;
}
server {
if ($host = search.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name search.zzls.xyz;
return 404;
}
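Review bot: `limit_req zone=mylimit;` in `location /search` references a zone this commit stops declaring: the deleted sites-available file defined `limit_req_zone $binary_remote_addr zone=mylimit:10m rate=2r/s;` at file scope, while the new nginx.conf only declares `zone=engine` and `zone=perip`. Unless mylimit is declared in snippets/maps.conf or another conf.d file (not visible here), `nginx -t` rejects the configuration with an unknown-zone error; either switch the directive to `limit_req zone=engine;` or re-add the zone definition in nginx.conf. The HSTS header also uses `preload` without `includeSubDomains`, which the preload list requires; configs/security.conf already uses the complete form `max-age=63072000; includeSubDomains; preload`.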


@ -5,14 +5,7 @@ gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
# brotli
#brotli on;
#brotli_comp_level 6;
#brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
location /robots.txt { alias /var/www/html/robots.txt; }
# FUCK SEMRUSH
if ($http_user_agent ~ (SemrushBot)) {
return 403;
if ($poop) {
return 444;
}
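Review bot: The new `if ($poop) { return 444; }` makes every server that includes general.conf depend on `$poop` being defined by snippets/poop.conf, which nginx.conf pulls in elsewhere in this same commit; if that include is ever dropped, nginx refuses to start with an unknown-variable error, and nothing in this file says where the variable comes from. A one-line comment above the block, `# $poop is 1 for blocked bot User-Agents; defined in snippets/poop.conf (included from nginx.conf)`, documents the coupling. Like the SemrushBot check it replaces, this keys on a self-reported User-Agent and only stops crawlers that announce themselves.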

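--- /dev/null
+++ b/nginx/configs/http3.conf
@@ -0,0 +1,4 @@
+# Disable HTTP/3 for now.
+#add_header Alt-Svc: h2=":443"; ma=2592000;
+#listen 443 quic;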
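Review bot: The commented-out Alt-Svc line would not survive being re-enabled as written: `add_header Alt-Svc: h2=":443"; ma=2592000;` has a stray colon after the header name, an unquoted value that the parser cuts at the first `;`, and advertises h2 rather than h3. The deleted vhosts had the working form, so keeping that one here as `#add_header Alt-Svc 'h3=":443"; ma=2592000' always;` turns a future re-enable into removing one `#`. With `listen 443 quic;` also commented, the include currently contributes nothing, which is fine as long as the first-line comment stays accurate.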


@ -0,0 +1 @@
location /robots.txt { return 200 "User-agent: *\nDisallow: /";}


@ -7,7 +7,3 @@ add_header Permissions-Policy "interest-cohort=()" always;
add_header X-Frame-Options "sameorigin" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# . files
#location ~ /\.(?!well-known) {
# deny all;
#}


@ -1,4 +1,4 @@
ssl_certificate /etc/ssl/certs/zzlschain.pem;
ssl_certificate_key /etc/ssl/private/zzlskey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
include configs/sslConfig.conf;
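Review bot: This file is now included at http level from nginx.conf, so the zzls chain and key become the certificate for every `listen 443 ssl` server that has no pair of its own, including the implicit default server; a client connecting by IP or with an unknown SNI name is handed the zzls certificate and learns which hostnames it covers. If that is not wanted, a catch-all `server { listen 443 ssl default_server; ssl_reject_handshake on; }` (nginx 1.19.4+) refuses those handshakes without presenting any certificate. A comment such as `# http-level default: used by any TLS server without its own ssl_certificate` would at least make the fallback role visible.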


@ -0,0 +1,12 @@
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_early_data on;
# Custom 4096bits Diffie-Hellman parameter for DHE ciphersuites (Not the one bundled with letsencrypt
# Changed to a custom one for trust purposes
ssl_dhparam /etc/nginx/dhparam.pem;
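Review bot: `ssl_early_data on;` enables TLS 1.3 0-RTT for every vhost that includes this file, and early data can be replayed by an on-path attacker; nothing in the vhosts forwards `$ssl_early_data` to the proxied backends or to the SearXNG uwsgi socket, so a replayed request is indistinguishable from a fresh one for the application. Either drop the directive or pass it through (`proxy_set_header Early-Data $ssl_early_data;` in the proxy location, `uwsgi_param HTTP_EARLY_DATA $ssl_early_data;` in the search vhost) so the backend can answer 425 Too Early for non-idempotent requests. Minor: the dhparam comment opens a parenthesis it never closes — `# Custom 4096-bit Diffie-Hellman parameter for DHE ciphersuites (not the one bundled with letsencrypt)`.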


@ -2,66 +2,57 @@ user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
include /etc/nginx/conf.d/*.conf;
events {
worker_connections 65535;
multi_accept on;
worker_connections 2048;
multi_accept off;
}
http {
access_log off;
error_log /dev/null;
http {
log_format limited '$remote_addr - $remote_user [$time_local] '
'"$request_method /bogus $server_protocol" $status $body_bytes_sent '
'"-" "Bogus/66.6"';
access_log off;
error_log /dev/null;
# Basic Settings
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 4096;
types_hash_bucket_size 64;
# Basic Settings
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 1024;
types_hash_bucket_size 64;
server_names_hash_bucket_size 128;
# MIME
include mime.types;
default_type application/octet-stream;
# MIME
include mime.types;
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers off;
#
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
# SSL
include configs/ssl.conf;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
# reset timed out connections freeing ram
reset_timedout_connection on;
# maximum time between packets the client can pause when sending nginx any data
client_body_timeout 10s;
# maximum time the client has to send the entire header to nginx
client_header_timeout 10s;
# timeout which a single keep-alive client connection will stay open
keepalive_timeout 65s;
# maximum time between packets nginx is allowed to pause when sending the client data
send_timeout 10s;
server_names_hash_bucket_size 128;
# Virtual Host Configs
include /etc/nginx/sites-enabled/*.conf;
# DDOS Protection
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn perip 100;
limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s;
# reset timed out connections freeing ram
reset_timedout_connection on;
# maximum time between packets the client can pause when sending nginx any data
client_body_timeout 10s;
# maximum time the client has to send the entire header to nginx
client_header_timeout 10s;
# timeout which a single keep-alive client connection will stay open
keepalive_timeout 65s;
# maximum time between packets nginx is allowed to pause when sending the client data
send_timeout 10s;
# PERFORMANCE / ASYNC I/O
aio threads=default;
aio_write on;
directio 2m;
# Maps
include /etc/nginx/snippets/maps.conf;
include /etc/nginx/snippets/poop.conf;
include /etc/nginx/conf.d/*.conf;
}
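Review bot: `error_log /dev/null;` together with `access_log off;` leaves no record at all — not even crit-level events such as a certificate that fails to load, a worker crash or an oversized-request rejection — so an incident on this host cannot be reconstructed afterwards; `error_log /var/log/nginx/error.log crit;` keeps client data out of the logs while retaining those diagnostics. The `limited` log_format the hunk adds is never referenced because access_log stays off, so it needs either an `access_log /var/log/nginx/access.log limited;` or a comment saying it is kept for per-vhost use. The http-level `include configs/ssl.conf;` also makes the zzls certificate the default for every TLS server without its own pair; a comment to that effect would keep someone from removing it as unused.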


@ -1,32 +0,0 @@
server {
server_name count.ayaya.beauty;
include configs/general.conf;
include configs/security.conf;
location / {
proxy_pass http://127.0.0.1:41000/;
include configs/proxy.conf;
}
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 quic;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/count.ayaya.beauty/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/count.ayaya.beauty/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = count.ayaya.beauty) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name count.ayaya.beauty;
listen 80;
return 404; # managed by Certbot
}


@ -1,44 +0,0 @@
server {
access_log /var/log/nginx/ri.zzls.xyz.log;
server_name ri.zzls.xyz;
include configs/general.conf;
location / {
proxy_pass http://127.0.0.1:40001/;
include configs/proxy.conf;
}
# security headers
#include configs/security.conf;
#add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 quic;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/ri.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ri.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 80;
server_name rimgo.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion;
location / {
proxy_pass http://127.0.0.1:40001/;
include configs/proxy.conf;
}
}
server {
if ($host = ri.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name ri.zzls.xyz;
return 404; # managed by Certbot
}


@ -1,77 +0,0 @@
# FUCK BOTS
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=2r/s;
server {
server_name search.zzls.xyz;
include configs/general.conf;
location @socket {
uwsgi_pass unix:///usr/local/searxng/run/socket;
include uwsgi_params;
uwsgi_param HTTP_HOST $host;
uwsgi_param HTTP_CONNECTION $http_connection;
# see flaskfix.py
uwsgi_param HTTP_X_SCHEME $scheme;
#uwsgi_param HTTP_X_SCRIPT_NAME /searxng;
# see limiter.py
uwsgi_param HTTP_X_REAL_IP $remote_addr;
uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
}
location / {
try_files $uri @socket;
}
location /search {
try_files $uri @socket;
limit_req_status 444;
limit_req zone=mylimit;
if ($server_protocol ~* "HTTP/1.1") {
return 444;
}
}
# location /searx/static/ {
# alias /usr/local/searxng/searxng-src/searx/static/;
# }
# Onion Service Header
# add_header Onion-Location http://searxdr3pqz4nydgnqocsia2xbywptxbkympa2emn7zlgggrir4bkfad.onion$request_uri;
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
# CSP + Security Headers
# include configs/securityheaders.conf;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=63072000; preload" always;
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
#quic_retry on;
#quic_gso on;
#ssl_early_data on;
#ssl_session_ticket_key /etc/nginx/http3key.key;
ssl_stapling on;
ssl_stapling_verify on;
listen 443 quic;
listen 443 http2 ssl;
include configs/ssl.conf;
}
server {
if ($host = search.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name search.zzls.xyz;
return 404; # managed by Certbot
}


@ -1 +0,0 @@
../sites-available/count.ayaya.beauty.conf


@ -1 +0,0 @@
../sites-available/ri.zzls.xyz.conf


@ -1 +0,0 @@
/etc/nginx/sites-available/search.zzls.xyz.conf

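--- /dev/null
+++ b/nginx/snippets/poop.conf
@@ -0,0 +1,9 @@
+map $http_user_agent $poop {
+default 0;
+~*my-tiny-bot 1;
+~*thesis-research-bot 1;
+~*SemrushBot 1;
+~*Bytespider 1;
+~*PetalBot 1;
+~*Amazonbot 1;
+}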
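Review bot: The map carries no comment explaining what `$poop` drives or how the patterns match, while its value is consumed in configs/general.conf as `if ($poop) { return 444; }`; a header such as `# User-Agent substrings (case-insensitive regex) of crawlers whose connections general.conf drops with 444; only catches bots that identify themselves` would make the file self-explanatory. Because `~*` is an unanchored, case-insensitive match, `~*Amazonbot` also matches any UA that merely contains that word, which is presumably intended. An empty or absent User-Agent matches no entry and takes `default 0`, so a bot that strips its UA passes through.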