please don't break

nginx/configs/security.conf

@@ -4,7 +4,7 @@ add_header X-Content-Type-Options    "nosniff" always;
 add_header Referrer-Policy           "no-referrer-when-downgrade" always;
 #add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
 add_header Permissions-Policy        "interest-cohort=()" always;
-add_header X-Frame-Options	     "sameorigin" always;
+add_header X-Frame-Options           "sameorigin" always;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 
 # . files

nginx/nginx.conf

@@ -3,7 +3,6 @@ worker_rlimit_nofile 65535;
 
 # Include Modules
 include /etc/nginx/modules-enabled/*.conf;
-#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
 load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
 
@@ -51,10 +50,6 @@ http {
 	# Diffie-Hellman parameter for DHE ciphersuites
     ssl_dhparam /etc/nginx/dhparam.pem;
 
-    # HTTP2 Settings
-    http2_max_field_size 64k;
-    http2_max_header_size 512k;
-
     # DDOS Protection
     limit_conn_zone $binary_remote_addr zone=perip:10m;
     limit_conn perip 100;
@@ -73,32 +68,7 @@ http {
     # maximum time between packets nginx is allowed to pause when sending the client data
     send_timeout 10s;
 
-	# Connection header for WebSocket reverse proxy
-    map $http_upgrade $connection_upgrade {
-        default upgrade;
-        ""      close;
-    }
-
-    map $remote_addr $proxy_forwarded_elem {
-
-        # IPv4 addresses can be sent as-is
-        ~^[0-9.]+$        "for=$remote_addr";
-
-        # IPv6 addresses need to be bracketed and quoted
-        ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
-
-        # Unix domain socket names cannot be represented in RFC 7239 syntax
-        default           "for=unknown";
-    }
-
-    map $http_forwarded $proxy_add_forwarded {
-
-        # If the incoming Forwarded header is syntactically valid, append to it
-        "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
-
-        # Otherwise, replace it
-        default "$proxy_forwarded_elem";
-    }
+    include /etc/nginx/snippets/maps.conf;
 
 }
 

nginx/sites-available/7tv.gay.conf

@@ -6,7 +6,7 @@ server {
     server_name 7tv.gay;
 
     # Security headers and general settings
-    include configs/securityheaders.conf;
+    include configs/security.conf;
     include configs/general.conf;
 
     #alocation = / {

nginx/sites-available/api.spacebar.zzls.xyz.conf

@@ -22,7 +22,7 @@ server {
 
     }
 
-    include configs/securityheaders.conf;
+    include configs/security.conf;
     # QUIC
     add_header Alt-Svc 'h3=":443"; ma=86400';
 

nginx/sites-available/archive.zzls.xyz.conf

@@ -4,11 +4,11 @@ server {
 
     server_name archive.zzls.xyz;
     include configs/general.conf;
-    include configs/securityheaders.conf;
+    include configs/security.conf;
 
     location / {
         proxy_pass http://127.0.0.1:40004;
-        include configs/proxyheaders.conf;
+        include configs/proxy.conf;
     }
 
 

nginx/sites-available/ayaya.beauty.conf

@@ -4,7 +4,7 @@ server {
 
     server_name       ayaya.beauty;
     include configs/general.conf;
-    include configs/securityheaders.conf;
+    include configs/security.conf;
 
     root              /var/www/uguu/dist/public/;
     autoindex         off;

nginx/sites-available/cryptochat.zzls.xyz.conf

@@ -4,12 +4,12 @@ server {
     server_name cryptochat.zzls.xyz cc.zzls.xyz;
 
     # Security headers and general settings
-    include configs/securityheaders.conf;
+    include configs/security.conf;
     include configs/general.conf;
 
     location / {
         proxy_pass http://127.0.0.1:40005;
-        include configs/proxyheaders.conf;
+        include configs/proxy.conf;
     }
 
     # QUIC

nginx/sites-available/files2.zzls.xyz.conf

@@ -6,7 +6,7 @@ server {
 
     server_name files2.zzls.xyz;
     include configs/general.conf;
-    include configs/securityheaders.conf;
+    include configs/security.conf;
     #root /var/www/files;
     #index index.php /_h5ai/public/index.php;
     if ($http_user_agent ~* (google) ) {

nginx/sites-available/gitea.zzls.xyz.conf

@@ -3,7 +3,7 @@ server {
 
     server_name git.zzls.xyz;
     # Security headers and general settings
-    #include configs/securityheaders.conf;
+    #include configs/security.conf;
     include configs/general.conf;
 
     location / {

nginx/sites-available/i.ayaya.beauty.conf

@@ -4,7 +4,7 @@ server {
 
     server_name i.ayaya.beauty;
     include configs/general.conf;
-    include configs/securityheaders.conf;
+    include configs/security.conf;
 
     root             /mnt/storage/uguufiles;
     autoindex        off;

nginx/sites-available/ii.zzls.xyz.conf

@@ -7,14 +7,14 @@ server {
 
     server_name ii.zzls.xyz;
     include configs/general.conf;
-    include configs/securityheaders.conf;
+    include configs/security.conf;
 
     location /upload {
         client_max_body_size 4096M;
         auth_basic "Restricted Content";
         auth_basic_user_file /etc/fileupload.htpasswd;
         proxy_pass http://localhost:40006;
-        include configs/proxyheaders.conf;
+        include configs/proxy.conf;
     }
 
     listen 443 http3;

nginx/sites-available/inv.zzls.xyz.conf

@@ -7,12 +7,12 @@ server {
 
         location / {
                 proxy_pass http://127.0.0.1:40015/;
-                include configs/proxyheaders.conf;
+                include configs/proxy.conf;
         }
 
         # Security headers
 	# Invidious uses their own security headers
-        # include configs/securityheaders.conf;
+        # include configs/security.conf;
 
         # QUIC
         add_header Alt-Svc 'h3=":443"; ma=86400';

nginx/sites-available/librex.zzls.xyz.conf

@@ -20,7 +20,7 @@ server {
     add_header Alt-Svc 'h3=":443"; ma=86400';
 
     # CSP + Security Headers
-    include configs/securityheaders.conf;
+    include configs/security.conf;
     #add_header Permissions-Policy        "interest-cohort=()" always;
     #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
     #add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;

nginx/sites-available/matrix.zzls.xyz.conf

@@ -30,7 +30,7 @@ include configs/general.conf;
     }
 
     # SecHeaders
-    include configs/securityheaders.conf;
+    include configs/security.conf;
 
     # CSP (From tchncs.de because i am illiterate at CSP)
     add_header Content-Security-Policy "default-src 'self' zzls.xyz matrix.zzls.xyz" always;

nginx/sites-available/mpd.ayaya.beauty.conf

@@ -4,11 +4,11 @@ server {
 
     server_name mpd.ayaya.beauty;
     include configs/general.conf;
-    include configs/securityheaders.conf;
+    include configs/security.conf;
 
     location / {
         proxy_pass http://192.168.1.2:40420;
-        #include configs/proxyheaders.conf;
+        #include configs/proxy.conf;
         proxy_connect_timeout 1;
         proxy_send_timeout 1;
         proxy_read_timeout 1;

nginx/sites-available/paste.zzls.xyz.conf

@@ -3,11 +3,11 @@ server {
 
     server_name paste.zzls.xyz;
     include configs/general.conf;
-    include configs/securityheaders.conf;
+    include configs/security.conf;
 
     location / {
         proxy_pass http://127.0.0.1:40020/;
-        include configs/proxyheaders.conf;
+        include configs/proxy.conf;
     }
 
     listen 443 http3;

nginx/sites-available/pbin.zzls.xyz.conf

@@ -6,10 +6,10 @@ server {
 
     location / {
         proxy_pass http://localhost:40001;
-        include configs/proxyheaders.conf;
+        include configs/proxy.conf;
     }
 
-    #include configs/securityheaders.conf;
+    #include configs/security.conf;
     # QUIC
     add_header Alt-Svc 'h3=":443"; ma=86400';
 

nginx/sites-available/pt.zzls.xyz.conf

@@ -7,11 +7,11 @@ server {
 
         location / {
                 proxy_pass http://127.0.0.1:40022/;
-                include configs/proxyheaders.conf;
+                include configs/proxy.conf;
         }
 
         # security headers
-        include configs/securityheaders.conf;
+        include configs/security.conf;
         #add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
 
         # QUIC

nginx/sites-available/ri.zzls.xyz.conf

@@ -7,11 +7,11 @@ server {
 
         location / {
                 proxy_pass http://127.0.0.1:40002/;
-                include configs/proxyheaders.conf;
+                include configs/proxy.conf;
         }
 
         # security headers
-        include configs/securityheaders.conf;
+        include configs/security.conf;
         #add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
 
         # QUIC
@@ -31,7 +31,7 @@ server {
 
         location / {
 		proxy_pass http://127.0.0.1:40002/;
-		include configs/proxyheaders.conf;
+		include configs/proxy.conf;
 	}
 }
 

nginx/sites-available/rustlog.zzls.xyz.conf

@@ -6,10 +6,10 @@ server {
 
     location / {
         proxy_pass http://localhost:40003;
-        include configs/proxyheaders.conf;
+        include configs/proxy.conf;
     }
 
-    include configs/securityheaders.conf;
+    include configs/security.conf;
     # QUIC
     add_header Alt-Svc 'h3=":443"; ma=86400';
 

nginx/sites-available/spacebar.zzls.xyz.conf

@@ -7,10 +7,10 @@ server {
 
     location / {
 	try_files $uri $uri/ /index.html;
-        #include configs/proxyheaders.conf;
+        #include configs/proxy.conf;
     }
 
-    include configs/securityheaders.conf;
+    include configs/security.conf;
     # QUIC
     add_header Alt-Svc 'h3=":443"; ma=86400';
 

nginx/sites-available/stream.ayaya.beauty.conf

@@ -7,11 +7,11 @@ server {
 
     server_name stream.ayaya.beauty;
     include configs/general.conf;
-    include configs/securityheaders.conf;
+    include configs/security.conf;
 
     location /stream {
 	    proxy_pass http://localhost:8080/live/livestream/stream.flv;
-	    include configs/proxyheaders.conf;
+	    include configs/proxy.conf;
     }
 
     listen 443 http3;

nginx/sites-available/wiki.zzls.xyz.conf

@@ -4,7 +4,7 @@ server {
     server_name wiki.zzls.xyz;
 
     # Security headers and general settings
-    include configs/securityheaders.conf;
+    include configs/security.conf;
     include configs/general.conf;
 
         root /opt/dokuwiki;

nginx/sites-available/wiki.zzls.xyz.conf.orig

@@ -4,7 +4,7 @@ server {
     server_name wiki.zzls.xyz;
 
     # Security headers and general settings
-    include configs/securityheaders.conf;
+    include configs/security.conf;
     include configs/general.conf;
 
         root /opt/dokuwiki;

nginx/sites-available/wiki2.zzls.xyz.conf

@@ -4,7 +4,7 @@ server {
     server_name wiki2.zzls.xyz;
 
     # Security headers and general settings
-    include configs/securityheaders.conf;
+    include configs/security.conf;
     include configs/general.conf;
 
 root /opt/mediawiki-1.39.1;

nginx/snippets/maps.conf

@@ -0,0 +1,27 @@
+# Connection header for WebSocket reverse proxy
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ""      close;
+    }
+
+    map $remote_addr $proxy_forwarded_elem {
+
+        # IPv4 addresses can be sent as-is
+        ~^[0-9.]+$        "for=$remote_addr";
+
+        # IPv6 addresses need to be bracketed and quoted
+        ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+        # Unix domain socket names cannot be represented in RFC 7239 syntax
+        default           "for=unknown";
+    }
+
+    map $http_forwarded $proxy_add_forwarded {
+
+        # If the incoming Forwarded header is syntactically valid, append to it
+        "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+        # Otherwise, replace it
+        default "$proxy_forwarded_elem";
+    }