please don't break
This commit is contained in:
parent
be8c47230c
commit
be8b465a3e
|
@ -4,7 +4,7 @@ add_header X-Content-Type-Options "nosniff" always;
|
|||
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||
#add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
|
||||
add_header Permissions-Policy "interest-cohort=()" always;
|
||||
add_header X-Frame-Options "sameorigin" always;
|
||||
add_header X-Frame-Options "sameorigin" always;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
|
||||
|
||||
# . files
|
|
@ -3,7 +3,6 @@ worker_rlimit_nofile 65535;
|
|||
|
||||
# Include Modules
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
|
||||
|
||||
|
@ -51,10 +50,6 @@ http {
|
|||
# Diffie-Hellman parameter for DHE ciphersuites
|
||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
|
||||
# HTTP2 Settings
|
||||
http2_max_field_size 64k;
|
||||
http2_max_header_size 512k;
|
||||
|
||||
# DDOS Protection
|
||||
limit_conn_zone $binary_remote_addr zone=perip:10m;
|
||||
limit_conn perip 100;
|
||||
|
@ -73,32 +68,7 @@ http {
|
|||
# maximum time between packets nginx is allowed to pause when sending the client data
|
||||
send_timeout 10s;
|
||||
|
||||
# Connection header for WebSocket reverse proxy
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
"" close;
|
||||
}
|
||||
|
||||
map $remote_addr $proxy_forwarded_elem {
|
||||
|
||||
# IPv4 addresses can be sent as-is
|
||||
~^[0-9.]+$ "for=$remote_addr";
|
||||
|
||||
# IPv6 addresses need to be bracketed and quoted
|
||||
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
|
||||
|
||||
# Unix domain socket names cannot be represented in RFC 7239 syntax
|
||||
default "for=unknown";
|
||||
}
|
||||
|
||||
map $http_forwarded $proxy_add_forwarded {
|
||||
|
||||
# If the incoming Forwarded header is syntactically valid, append to it
|
||||
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
|
||||
|
||||
# Otherwise, replace it
|
||||
default "$proxy_forwarded_elem";
|
||||
}
|
||||
include /etc/nginx/snippets/maps.conf;
|
||||
|
||||
}
|
||||
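Review bot: Dropping `http2_max_field_size 64k;` and `http2_max_header_size 512k;` (L71, L74) silently changes the request-header limits for HTTP/2 clients, because those directives were superseded by `large_client_header_buffers`, which now governs the limit and defaults to something much smaller than 512k. If the removal is for a newer nginx that rejects them, state the replacement explicitly in the `http {}` block so the old limits stay intentional, e.g. `large_client_header_buffers 4 64k; # replaces http2_max_field_size/http2_max_header_size` with whatever size the proxied applications actually need. Separately, the new `include /etc/nginx/snippets/maps.conf;` at L171 is the only absolute include on the page while the site files use `configs/...` relative paths; if the added maps file is committed next to the other configs, confirm it is deployed to that absolute path, otherwise `$connection_upgrade` and `$proxy_add_forwarded` will be undefined at reload.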
|
||||
|
|
|
@ -6,7 +6,7 @@ server {
|
|||
server_name 7tv.gay;
|
||||
|
||||
# Security headers and general settings
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
include configs/general.conf;
|
||||
|
||||
#alocation = / {
|
||||
|
|
|
@ -22,7 +22,7 @@ server {
|
|||
|
||||
}
|
||||
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
# QUIC
|
||||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||
|
||||
|
|
|
@ -4,11 +4,11 @@ server {
|
|||
|
||||
server_name archive.zzls.xyz;
|
||||
include configs/general.conf;
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:40004;
|
||||
include configs/proxyheaders.conf;
|
||||
include configs/proxy.conf;
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ server {
|
|||
|
||||
server_name ayaya.beauty;
|
||||
include configs/general.conf;
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
|
||||
root /var/www/uguu/dist/public/;
|
||||
autoindex off;
|
||||
|
|
|
@ -4,12 +4,12 @@ server {
|
|||
server_name cryptochat.zzls.xyz cc.zzls.xyz;
|
||||
|
||||
# Security headers and general settings
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
include configs/general.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:40005;
|
||||
include configs/proxyheaders.conf;
|
||||
include configs/proxy.conf;
|
||||
}
|
||||
|
||||
# QUIC
|
||||
|
|
|
@ -6,7 +6,7 @@ server {
|
|||
|
||||
server_name files2.zzls.xyz;
|
||||
include configs/general.conf;
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
#root /var/www/files;
|
||||
#index index.php /_h5ai/public/index.php;
|
||||
if ($http_user_agent ~* (google) ) {
|
||||
|
|
|
@ -3,7 +3,7 @@ server {
|
|||
|
||||
server_name git.zzls.xyz;
|
||||
# Security headers and general settings
|
||||
#include configs/securityheaders.conf;
|
||||
#include configs/security.conf;
|
||||
include configs/general.conf;
|
||||
|
||||
location / {
|
||||
|
|
|
@ -4,7 +4,7 @@ server {
|
|||
|
||||
server_name i.ayaya.beauty;
|
||||
include configs/general.conf;
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
|
||||
root /mnt/storage/uguufiles;
|
||||
autoindex off;
|
||||
|
|
|
@ -7,14 +7,14 @@ server {
|
|||
|
||||
server_name ii.zzls.xyz;
|
||||
include configs/general.conf;
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
|
||||
location /upload {
|
||||
client_max_body_size 4096M;
|
||||
auth_basic "Restricted Content";
|
||||
auth_basic_user_file /etc/fileupload.htpasswd;
|
||||
proxy_pass http://localhost:40006;
|
||||
include configs/proxyheaders.conf;
|
||||
include configs/proxy.conf;
|
||||
}
|
||||
|
||||
listen 443 http3;
|
||||
|
|
|
@ -7,12 +7,12 @@ server {
|
|||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:40015/;
|
||||
include configs/proxyheaders.conf;
|
||||
include configs/proxy.conf;
|
||||
}
|
||||
|
||||
# Security headers
|
||||
# Invidious uses their own security headers
|
||||
# include configs/securityheaders.conf;
|
||||
# include configs/security.conf;
|
||||
|
||||
# QUIC
|
||||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||
|
|
|
@ -20,7 +20,7 @@ server {
|
|||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||
|
||||
# CSP + Security Headers
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
#add_header Permissions-Policy "interest-cohort=()" always;
|
||||
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
#add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
|
||||
|
|
|
@ -30,7 +30,7 @@ include configs/general.conf;
|
|||
}
|
||||
|
||||
# SecHeaders
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
|
||||
# CSP (From tchncs.de because i am illiterate at CSP)
|
||||
add_header Content-Security-Policy "default-src 'self' zzls.xyz matrix.zzls.xyz" always;
|
||||
|
|
|
@ -4,11 +4,11 @@ server {
|
|||
|
||||
server_name mpd.ayaya.beauty;
|
||||
include configs/general.conf;
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://192.168.1.2:40420;
|
||||
#include configs/proxyheaders.conf;
|
||||
#include configs/proxy.conf;
|
||||
proxy_connect_timeout 1;
|
||||
proxy_send_timeout 1;
|
||||
proxy_read_timeout 1;
|
||||
|
|
|
@ -3,11 +3,11 @@ server {
|
|||
|
||||
server_name paste.zzls.xyz;
|
||||
include configs/general.conf;
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:40020/;
|
||||
include configs/proxyheaders.conf;
|
||||
include configs/proxy.conf;
|
||||
}
|
||||
|
||||
listen 443 http3;
|
||||
|
|
|
@ -6,10 +6,10 @@ server {
|
|||
|
||||
location / {
|
||||
proxy_pass http://localhost:40001;
|
||||
include configs/proxyheaders.conf;
|
||||
include configs/proxy.conf;
|
||||
}
|
||||
|
||||
#include configs/securityheaders.conf;
|
||||
#include configs/security.conf;
|
||||
# QUIC
|
||||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||
|
||||
|
|
|
@ -7,11 +7,11 @@ server {
|
|||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:40022/;
|
||||
include configs/proxyheaders.conf;
|
||||
include configs/proxy.conf;
|
||||
}
|
||||
|
||||
# security headers
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
#add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
|
||||
|
||||
# QUIC
|
||||
|
|
|
@ -7,11 +7,11 @@ server {
|
|||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:40002/;
|
||||
include configs/proxyheaders.conf;
|
||||
include configs/proxy.conf;
|
||||
}
|
||||
|
||||
# security headers
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
#add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
|
||||
|
||||
# QUIC
|
||||
|
@ -31,7 +31,7 @@ server {
|
|||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:40002/;
|
||||
include configs/proxyheaders.conf;
|
||||
include configs/proxy.conf;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -6,10 +6,10 @@ server {
|
|||
|
||||
location / {
|
||||
proxy_pass http://localhost:40003;
|
||||
include configs/proxyheaders.conf;
|
||||
include configs/proxy.conf;
|
||||
}
|
||||
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
# QUIC
|
||||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||
|
||||
|
|
|
@ -7,10 +7,10 @@ server {
|
|||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html;
|
||||
#include configs/proxyheaders.conf;
|
||||
#include configs/proxy.conf;
|
||||
}
|
||||
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
# QUIC
|
||||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||
|
||||
|
|
|
@ -7,11 +7,11 @@ server {
|
|||
|
||||
server_name stream.ayaya.beauty;
|
||||
include configs/general.conf;
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
|
||||
location /stream {
|
||||
proxy_pass http://localhost:8080/live/livestream/stream.flv;
|
||||
include configs/proxyheaders.conf;
|
||||
include configs/proxy.conf;
|
||||
}
|
||||
|
||||
listen 443 http3;
|
||||
|
|
|
@ -4,7 +4,7 @@ server {
|
|||
server_name wiki.zzls.xyz;
|
||||
|
||||
# Security headers and general settings
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
include configs/general.conf;
|
||||
|
||||
root /opt/dokuwiki;
|
||||
|
|
|
@ -4,7 +4,7 @@ server {
|
|||
server_name wiki.zzls.xyz;
|
||||
|
||||
# Security headers and general settings
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
include configs/general.conf;
|
||||
|
||||
root /opt/dokuwiki;
|
||||
|
|
|
@ -4,7 +4,7 @@ server {
|
|||
server_name wiki2.zzls.xyz;
|
||||
|
||||
# Security headers and general settings
|
||||
include configs/securityheaders.conf;
|
||||
include configs/security.conf;
|
||||
include configs/general.conf;
|
||||
|
||||
root /opt/mediawiki-1.39.1;
|
||||
|
|
|
@ -0,0 +1,27 @@
|
|||
# Connection header for WebSocket reverse proxy
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
"" close;
|
||||
}
|
||||
|
||||
map $remote_addr $proxy_forwarded_elem {
|
||||
|
||||
# IPv4 addresses can be sent as-is
|
||||
~^[0-9.]+$ "for=$remote_addr";
|
||||
|
||||
# IPv6 addresses need to be bracketed and quoted
|
||||
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
|
||||
|
||||
# Unix domain socket names cannot be represented in RFC 7239 syntax
|
||||
default "for=unknown";
|
||||
}
|
||||
|
||||
map $http_forwarded $proxy_add_forwarded {
|
||||
|
||||
# If the incoming Forwarded header is syntactically valid, append to it
|
||||
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
|
||||
|
||||
# Otherwise, replace it
|
||||
default "$proxy_forwarded_elem";
|
||||
}
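Review bot: The `$proxy_add_forwarded` map at L1083–L1102 preserves a syntactically valid client-supplied Forwarded header and appends nginx's own element, so any upstream that reads this header must trust only the last (rightmost) `for=` element; the file does not say so, and the regex validates syntax only, not the truth of earlier elements. A one-line comment above the map would capture that contract for whoever reads `configs/proxyheaders.conf` next: `# Earlier elements come from the client unverified; upstreams must use only the last element, which nginx appends`. As far as the page shows, these maps are the ones removed from nginx.conf at L103–L168 moved unchanged.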
|