I haven't updated this in a long time, anyways, enjoy

- Use own dhparam.pem file, 4096 bits, instead of the default 2048-bit
  one from letsencrypt
- Add logrotate config, logs are rotated and deleted after 2 days
- Better config? Idk xd
Selfhost Root 2023-10-30 23:56:11 -03:00
parent 586456dfa5
commit eb117445a6
28 changed files with 583 additions and 363 deletions

12
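--- /dev/null
+++ b/logrotate.d/nginx
@@ -0,0 +1,12 @@
+/var/log/nginx/*log {
+daily
+missingok
+notifempty
+maxage 2
+create 640 http root
+sharedscripts
+compress
+postrotate
+test ! -r /run/nginx.pid || kill -USR1 `cat /run/nginx.pid`
+endscript
+}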
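Review bot: The stanza sets `maxage 2` but no `rotate` count, so how many rotated files are kept depends on whatever the global logrotate.conf says; logrotate's own default of `rotate 0` removes the old log at rotation instead of keeping it, which would make `compress` and `maxage` moot. Adding an explicit `rotate 2` next to `daily` makes the two-day retention described in the commit message hold regardless of the global file. Two days is also the whole window left for looking into abuse or an incident afterwards, so a one-line comment in the file stating that this is deliberate would help the next maintainer.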


@ -6,13 +6,11 @@ gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
# BROTLI
#brotli on;
#brotli_comp_level 6;
#brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
location /robots.txt { alias /var/www/html/robots.txt; }
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
# FUCK SEMRUSH
if ($http_user_agent ~ (SemrushBot)) {
return 403;
if ($http_user_agent ~ (SemrushBot|Bytespider)) {
return 401;
}
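Review bot: `return 401;` for the blocked crawlers sends an Unauthorized status without the `WWW-Authenticate` challenge that status requires, and nothing here asks for credentials; `return 403;` or `return 444;` says what is meant. Which of the two `if` lines is the new one is inferred from the order on the page. The `~` match is case-sensitive and the User-Agent is client-supplied, so this only filters crawlers that identify themselves honestly; a comment such as `# courtesy filter, not access control` would make that explicit. The enclosing file continues outside the hunk.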

26
nginx/configs/robots.conf Normal file

@ -0,0 +1,26 @@
location /robots.txt { return 200 "User-agent: AhrefsBot
Disallow: /
User-agent: dotbot
Disallow: /
User-agent: SiteAuditBot
Disallow: /
User-agent: SemrushBot-BA
Disallow: /
User-agent: SemrushBot-SI
Disallow: /
User-agent: SemrushBot-SWA
Disallow: /
User-agent: SemrushBot-CT
Disallow: /
User-agent: SplitSignalBot
Disallow: /
User-agent: SemrushBot-COUB
Disallow: /"; }


@ -0,0 +1 @@
location /robots.txt { return 200 "User-agent: *\nDisallow: /";}


@ -6,8 +6,3 @@ add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header X-Frame-Options "sameorigin" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# . files
#location ~ /\.(?!well-known) {
# deny all;
#}


@ -1,4 +1,7 @@
ssl_certificate /etc/ssl/certs/zzlschain.pem;
ssl_certificate_key /etc/ssl/private/zzlskey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_certificate /etc/letsencrypt/live/zzls.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/zzls.xyz/privkey.pem;
include configs/sslConfig.conf;
# OLD LETSENCRYPT SHIT XD
#include /etc/letsencrypt/options-ssl-nginx.conf;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;


@ -0,0 +1,12 @@
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_early_data on;
# Custom 4096bits Diffie-Hellman parameter for DHE ciphersuites (Not the one bundled with letsencrypt
# Changed to a custom one for trust purposes
ssl_dhparam /etc/nginx/dhparam.pem;
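Review bot: `ssl_early_data on;` now applies to every server that includes this file, and TLS 1.3 early data (0-RTT) is replayable, which matters for the proxied applications that accept state-changing requests. Either set `ssl_early_data off;` here, or forward `proxy_set_header Early-Data $ssl_early_data;` to the upstreams so they can answer 425 for non-idempotent requests; configs/proxy.conf is not shown on this page, so it may already do that. The comment above `ssl_dhparam` is missing its closing parenthesis and could read `# 4096-bit DH parameters generated locally (not the ones bundled with letsencrypt)`.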


@ -3,20 +3,25 @@ worker_rlimit_nofile 65535;
# Include Modules
include /etc/nginx/modules-enabled/*.conf;
#load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
#load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
#Include external config
include /etc/nginx/conf.d/*.conf;
events {
multi_accept on;
worker_connections 16192;
worker_connections 65535;
multi_accept on;
}
http {
log_format limited '$remote_addr - $remote_user [$time_local] '
'"$request_method /bogus $server_protocol" $status $body_bytes_sent '
'"-" "Bogus/66.6"';
access_log off;
error_log /dev/null;
disable_symlinks off;
# Basic Settings
charset utf-8;
@ -24,32 +29,18 @@ http {
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
more_clear_headers Server;
log_not_found off;
types_hash_max_size 1024;
types_hash_bucket_size 128;
server_names_hash_bucket_size 128;
#proxy_cache off;
#proxy_max_temp_file_size 0;
#proxy_request_buffering off;
#proxy_buffering off;
# MIME
include mime.types;
default_type application/octet-stream;
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers off;
#
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_early_data on;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
include configs/sslConfig.conf;
# reset timed out connections freeing ram
reset_timedout_connection on;
@ -58,7 +49,7 @@ http {
# maximum time the client has to send the entire header to nginx
client_header_timeout 10s;
# timeout which a single keep-alive client connection will stay open
keepalive_timeout 65s;
keepalive_timeout 60s;
# maximum time between packets nginx is allowed to pause when sending the client data
send_timeout 10s;
@ -72,9 +63,10 @@ http {
aio_write on;
directio 2m;
# Virtual Host Configs
include /etc/nginx/sites-enabled/*.conf;
# Maps
# Maps
include /etc/nginx/snippets/maps.conf;
# Virtual Host Configs
include /etc/nginx/sites-enabled/*.conf;
}
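Review bot: `worker_connections 65535` now equals `worker_rlimit_nofile 65535` (visible in the first hunk header), but a proxied request holds two descriptors, client and upstream, and log files and listening sockets come on top, so a worker can run out of file descriptors well before it reaches the connection limit. Raise the rlimit to at least twice the connection count, or keep the connection count lower, e.g. `worker_connections 16384;` with the current rlimit. That the 65535 line is the new one is inferred from the print order on the page.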


@ -1,70 +1,101 @@
# FUCK BOTS
limit_req_zone $binary_remote_addr zone=4get:10m rate=2r/s;
# CLEARNET
server {
server_name 4get.zzls.xyz;
include configs/general.conf;
root /var/www/4get;
#index index.php;
access_log /var/log/nginx/4get.access.log limited;
error_log /var/log/nginx/4get.error.log;
server_name 4get.zzls.xyz;
root /var/www/4get;
include configs/general.conf;
include configs/robotsNone.conf;
include configs/security.conf;
location @php {
try_files $uri.php $uri/index.php =404;
#fastcgi_param PHP_VALUE open_basedir=$document_root;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_intercept_errors on;
}
location @upstream {
try_files $uri.php $uri/index.php =404;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_intercept_errors on;
}
location / {
try_files $uri @php;
}
location / {
try_files $uri @upstream;
}
location ~* ^(.*)\.php$ {
return 301 $1;
}
location /web {
try_files $uri @upstream;
limit_req zone=4get;
limit_req_status 444;
if ($server_protocol ~* "HTTP/1.1") {
return 444;
}
if ($http_referer ~* farside\.link) {
return 444;
}
include snippets/torblacklist.conf;
include snippets/spys.me.proxies.blacklist.conf;
error_page 403 =302 /torisblocked;
}
location /torisblocked {
add_header Content-Type text/plain;
return 200 "
Tor and Proxies are not allowed in this service, sorry.
Check if this service offers a Tor version instead, if yes, use it, if not, well, there is no way to use this service.
# QUIC
add_header Alt-Svc 'h3=":443";ma=86400';
Tor y Proxies no estan permitidos en este servicio, lo siento.
Revisa si este servicio ofrece una version para Tor, si es asi, usalo, si no, pues no hay forma de usar este servicio.";
}
# CSP + Security Headers
include configs/security.conf;
location /data {
return 444;
}
listen 443 ssl;
listen 443 quic;
http2 on;
include configs/ssl.conf;
location ~* ^(.*)\.php$ {
return 301 $1;
}
# Tor Header
add_header Onion-Location http://4get.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion$request_uri;
# QUIC
add_header Alt-Svc 'h3=":443";ma=86400';
listen 443 ssl;
listen 443 quic;
http2 on;
include configs/ssl.conf;
}
# TOR
server {
listen 80;
server_name 4get.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion;
listen 80;
server_name 4get.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion;
root /var/www/4get;
root /var/www/4get;
location @php {
try_files $uri.php $uri/index.php =404;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_intercept_errors on;
}
location @upstream {
try_files $uri.php $uri/index.php =404;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_intercept_errors on;
}
location / {
try_files $uri @php;
}
location / {
try_files $uri @upstream;
}
location ~* ^(.*)\.php$ {
return 301 $1;
}
location ~* ^(.*)\.php$ {
return 301 $1;
}
}
server {
if ($host = 4get.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name 4get.zzls.xyz;
if ($host = 4get.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name 4get.zzls.xyz;
}
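Review bot: The access log uses the `limited` format to keep the request URI out of the logs, but the new `error_log /var/log/nginx/4get.error.log;` runs at the default level, and both `limit_req` rejections and `deny` hits are written there with the client address and the full request line, query string included. If the intent is that search terms never reach disk, raise the threshold with `error_log /var/log/nginx/4get.error.log crit;`. The same applies to the `error_log` lines added in the inv and librex sections. Separately, `add_header Content-Type text/plain;` in `location /torisblocked` (also in the ayaya.beauty and librex sections) appends a second Content-Type next to the one nginx derives from `default_type`; `default_type text/plain;` is the directive for that.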


@ -1,5 +1,5 @@
server {
access_log /var/log/nginx/7tv.gay.log combined;
access_log /var/log/nginx/7tv.gay.access.log combined;
root /var/www/7tv;
index index.html;
@ -8,6 +8,7 @@ server {
# Security headers and general settings
include configs/security.conf;
include configs/general.conf;
include configs/robots.conf;
add_header Alt-Svc 'h3=":443"; ma=86400';


@ -1,9 +1,13 @@
server {
access_log /var/log/nginx/ayaya.beauty.log combined;
access_log /var/log/nginx/ayaya.beauty.access.log combined;
error_log /var/log/nginx/ayaya.beauty.error.log;
server_name ayaya.beauty;
include configs/general.conf;
include configs/security.conf;
include configs/robotsNone.conf;
include snippets/torblacklist.conf;
include snippets/spys.me.proxies.blacklist.conf;
error_page 403 =302 /torisblocked;
root /var/www/uguu/dist/public/;
autoindex off;
@ -15,35 +19,42 @@ server {
expires 7d;
}
location ~* \.php$ {
location ~ \.php$ {
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_intercept_errors on;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.php)(.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
}
listen 443 ssl;
listen 443 quic;
http2 on;
ssl_certificate /etc/letsencrypt/live/ayaya.beauty/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ayaya.beauty/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location /torisblocked {
add_header Content-Type text/plain;
return 200 "
Tor is not allowed in this service, sorry.
Check if this service offers a Tor version instead, if yes, use it, if not, well, there is no way to use this service.
Tor no esta permitido en este servicio, lo siento.
Revisa si este servicio ofrece una version para Tor, si es asi, usalo, si no, pues no hay forma de usar este servicio.";
}
listen 443 ssl;
listen 443 quic;
http2 on;
ssl_certificate /etc/letsencrypt/live/ayaya.beauty/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ayaya.beauty/privkey.pem;
include configs/sslConfig.conf;
}
server {
if ($host = ayaya.beauty) {
return 301 https://$host$request_uri;
}
if ($host = ayaya.beauty) {
return 301 https://$host$request_uri;
}
listen 80;
server_name ayaya.beauty;
return 404;
listen 80;
server_name ayaya.beauty;
return 404;
}
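Review bot: The `location ~ \.php$` block hands every URI that ends in `.php` to PHP-FPM without first checking that the script exists, and the document root here appears to be the public directory of an upload service. With `fastcgi_split_path_info` in place, the usual guard is `try_files $fastcgi_script_name =404;` right after it, so a path that merely ends in `.php` but maps to no real script is answered by nginx instead of being resolved by PHP. Keeping `security.limit_extensions` at its default in the PHP-FPM pool covers the same case from the other side; that pool config is not part of this commit.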


@ -0,0 +1,51 @@
limit_req_zone $binary_remote_addr zone=one:10m rate=2r/s;
upstream inv-debug {
server 127.0.0.1:40050;
}
server {
access_log /var/log/nginx/debuginv.access.log;
error_log /var/log/nginx/debuginv.error.log;
server_name debuginv.zzls.xyz;
include configs/general.conf;
include configs/robotsNone.conf;
location / {
proxy_pass http://inv-debug;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host; # so Invidious knows domain
proxy_http_version 1.1; # to keep alive
proxy_set_header Connection ""; # to keep alive
limit_rate 12000k;
# Disable buffering and cache so i don't kill my
# SSD and bandwidth usage
proxy_buffering off;
proxy_request_buffering off;
proxy_cache off;
}
location ~ ^/api/ {
proxy_pass http://inv-debug;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host; # so Invidious knows domain
proxy_http_version 1.1; # to keep alive
proxy_set_header Connection ""; # to keep alive
limit_rate 12000k;
# Disable buffering and cache so i don't kill my
# SSD and bandwidth usage
proxy_buffering off;
proxy_request_buffering off;
proxy_cache off;
limit_req zone=one;
}
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 ssl;
listen 443 quic;
http2 on;
include configs/ssl.conf;
}
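Review bot: The two locations repeat the same proxy directives and differ only in `limit_req zone=one;`, so the copies can drift apart; the inv section in this commit already uses a named `location @upstream` with `try_files $uri @upstream;`, and the same shape here would leave a single proxy block. `limit_req zone=one;` has no `burst`, so at 2r/s any two API calls less than half a second apart are rejected. The name suggests a debug instance, yet nothing here restricts who can reach it and `configs/security.conf` is not included; if it is not meant to be public, an `allow`/`deny` pair or `auth_basic` belongs in the server block.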


@ -1,31 +1,29 @@
server {
access_log /var/log/nginx/git.zzls.xyz.log combined;
access_log /var/log/nginx/git.access.log combined;
server_name git.zzls.xyz;
include configs/general.conf;
include configs/security.conf;
include configs/robots.conf;
server_name git.zzls.xyz;
include configs/general.conf;
location / {
proxy_pass http://unix:/run/forgejo/forgejo.socket;
include configs/proxy.conf;
client_max_body_size 64M;
}
location / {
proxy_pass http://unix:/run/forgejo/forgejo.socket;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 64M;
}
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 ssl;
listen 443 quic;
http2 on;
include configs/ssl.conf;
listen 443 ssl;
listen 443 quic;
http2 on;
include configs/ssl.conf;
}
server {
if ($host = git.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name git.zzls.xyz;
if ($host = git.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name git.zzls.xyz;
}


@ -1,38 +1,33 @@
server {
server_name i.ayaya.beauty;
root /var/www/files2;
autoindex off;
index index.html;
include configs/general.conf;
include configs/security.conf;
include configs/robotsNone.conf;
server_name i.ayaya.beauty;
include configs/general.conf;
include configs/security.conf;
location / {
error_page 403 =301 https://ayaya.beauty;
error_page 404 = /404.gif;
}
root /var/www/files2;
autoindex off;
index index.html;
location / {
error_page 403 =301 https://ayaya.beauty;
error_page 404 = /404.gif;
}
listen 443 ssl;
listen 443 quic;
http2 on;
ssl_certificate /etc/letsencrypt/live/i.ayaya.beauty/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/i.ayaya.beauty/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
listen 443 ssl;
listen 443 quic;
http2 on;
ssl_certificate /etc/letsencrypt/live/i.ayaya.beauty/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/i.ayaya.beauty/privkey.pem;
include configs/sslConfig.conf;
}
server {
if ($host = i.ayaya.beauty) {
return 301 https://$host$request_uri;
}
listen 80;
server_name i.ayaya.beauty;
return 404;
if ($host = i.ayaya.beauty) {
return 301 https://$host$request_uri;
}
listen 80;
server_name i.ayaya.beauty;
return 404;
}


@ -1,40 +1,122 @@
# Rate limit searches, just 5 per sec
limit_req_zone $binary_remote_addr zone=invidious:10m rate=5r/s;
# Rate limit api requests, just 60 per sec, wathcing a normal video does like
# 3 to 4 api requests so you don't need more than 30 in a second unless is a bot spamming shit lol
limit_req_zone $binary_remote_addr zone=invidiousapi:10m rate=30r/s;
upstream inv {
least_conn;
server 127.0.0.1:40015;
server 127.0.0.1:40016;
server 127.0.0.1:40015 max_fails=2 fail_timeout=2s;
server 127.0.0.1:40016 max_fails=2 fail_timeout=2s;
#server 127.0.0.1:40017 backup fail_timeout=3s;
}
# CLEARNET
server {
access_log /var/log/nginx/inv.access.log limited;
error_log /var/log/nginx/inv.error.log;
server_name inv.zzls.xyz;
include configs/general.conf;
include configs/robotsNone.conf;
include snippets/spys.me.proxies.blacklist.conf;
location @upstream {
proxy_pass http://inv;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host; # so Invidious knows domain
proxy_http_version 1.1; # to keep alive
proxy_set_header Connection ""; # to keep alive
limit_rate 8000k;
# Disable buffering and cache so i don't kill my
# SSD and bandwidth usage
proxy_buffering off;
proxy_request_buffering off;
proxy_cache off;
}
location / {
try_files $uri @upstream;
}
location /search {
try_files $uri @upstream;
limit_req zone=invidious;
}
location /api {
try_files $uri @upstream;
limit_req zone=invidiousapi;
}
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
# TOR
add_header Onion-Location http://inv.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion$request_uri;
listen 443 ssl;
listen 443 quic;
http2 on;
include configs/ssl.conf;
}
# TOR
server {
listen 80;
server_name inv.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion;
include configs/general.conf;
include configs/robotsNone.conf;
location @upstream {
proxy_pass http://inv;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host; # so Invidious knows domain
proxy_http_version 1.1; # to keep alive
proxy_set_header Connection ""; # to keep alive
limit_rate 8000k;
# Disable buffering and cache so i don't kill my
# SSD and bandwidth usage
proxy_buffering off;
proxy_request_buffering off;
proxy_cache off;
}
location / {
try_files $uri @upstream;
}
}
# I2P
server {
listen 30003;
server_name zzlsbhhfvwg3oh36tcvx4r7n6jrw7zibvyvfxqlodcwn3mfrvzuq.b32.i2p;
include configs/general.conf;
include configs/robotsNone.conf;
location @upstream {
proxy_pass http://inv;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host; # so Invidious knows domain
proxy_http_version 1.1; # to keep alive
proxy_set_header Connection ""; # to keep alive
limit_rate 8000k;
# Disable buffering and cache so i don't kill my
# SSD and bandwidth usage
proxy_buffering off;
proxy_request_buffering off;
proxy_cache off;
}
location / {
try_files $uri @upstream;
}
}
server {
server_name inv.zzls.xyz;
include configs/general.conf;
location / {
proxy_pass http://inv;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host; # so Invidious knows domain
proxy_http_version 1.1; # to keep alive
proxy_set_header Connection ""; # to keep alive
limit_rate 8000k;
# Disable buffering and cache so i don't kill my
# SSD and bandwidth usage
proxy_buffering off;
proxy_request_buffering off;
proxy_cache off;
}
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 ssl;
listen 443 quic;
http2 on;
include configs/ssl.conf;
}
server {
if ($host = inv.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name inv.zzls.xyz;
if ($host = inv.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name inv.zzls.xyz;
}
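Review bot: `limit_req zone=invidiousapi;` and `limit_req zone=invidious;` are used without `burst`, so nginx enforces the rate as a minimum spacing between requests (about 33 ms at 30r/s, 200 ms at 5r/s) and rejects anything closer; the comment above the zone says a normal video makes 3 to 4 API requests, which a browser sends together, so ordinary playback would be rejected. Something like `limit_req zone=invidiousapi burst=20 nodelay;` keeps the average while letting a page load through. The comment says "just 60 per sec" while the zone is defined with `rate=30r/s`; one of the two should be corrected. The Tor and I2P servers have no `limit_req` at all, which may be intentional if those clients all arrive with the same `$binary_remote_addr`, but a comment saying so would help.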


@ -1,71 +1,101 @@
# FUCK BOTS
limit_req_zone $binary_remote_addr zone=librex:10m rate=2r/s;
# CLEARNET
server {
access_log /var/log/nginx/librex.access.log limited;
error_log /var/log/nginx/librex.error.log;
server_name librex.zzls.xyz;
root /var/www/librex;
index index.php
include configs/general.conf;
include configs/security.conf;
include configs/robotsNone.conf;
server_name librex.zzls.xyz;
include configs/general.conf;
root /var/www/librex;
index index.php;
location ~ \/search\.php {
include fastcgi.conf;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
include snippets/torblacklist.conf;
include snippets/spys.me.proxies.blacklist.conf;
error_page 403 =302 /torisblocked;
}
location /torisblocked {
add_header Content-Type text/plain;
return 200 "
Tor and Proxies are not allowed in this service, sorry.
Check if this service offers a Tor version instead, if yes, use it, if not, well, there is no way to use this service.
location ~ \.php$ {
include fastcgi.conf;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
}
Tor y Proxies no estan permitidos en este servicio, lo siento.
Revisa si este servicio ofrece una version para Tor, si es asi, usalo, si no, pues no hay forma de usar este servicio.";
}
location ~ \.php$ {
include fastcgi.conf;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
}
# Onion Service Header
add_header Onion-Location http://librex.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion$request_uri;
# Onion Service Header
add_header Onion-Location http://librex.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion$request_uri;
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
# CSP + Security Headers
include configs/security.conf;
listen 443 ssl;
listen 443 quic;
http2 on;
include configs/ssl.conf;
listen 443 ssl;
listen 443 quic;
http2 on;
include configs/ssl.conf;
}
# TOR
server {
listen 80;
server_name librex.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion;
listen 80;
server_name librex.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion;
root /var/www/librex;
index index.php;
root /var/www/librex;
index index.php;
location @upstream {
include fastcgi.conf;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
}
location ~ \.php$ {
include fastcgi.conf;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
}
location ~ \.php$ {
try_files $uri.php @upstream;
}
location /search.php {
try_files $uri.php @upstream;
limit_req zone=librex;
limit_req_status 444;
}
}
# I2P
server {
listen 30002;
server_name zzlsaymhcfla7vibo3a223bybeecu3bd5z6rmw2u4y76maqeu76q.b32.i2p;
listen 30002;
server_name zzlsaymhcfla7vibo3a223bybeecu3bd5z6rmw2u4y76maqeu76q.b32.i2p;
root /var/www/librex;
index index.php;
root /var/www/librex;
index index.php;
location @upstream {
include fastcgi.conf;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
}
location ~ \.php$ {
include fastcgi.conf;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
}
location ~ \.php$ {
try_files $uri.php @upstream;
}
location /search.php {
try_files $uri.php @upstream;
limit_req zone=librex;
limit_req_status 444;
}
}
server {
if ($host = librex.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name librex.zzls.xyz;
if ($host = librex.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name librex.zzls.xyz;
}
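Review bot: In the Tor and I2P servers the new `location /search.php` with `limit_req zone=librex;` is a plain prefix location, and nginx prefers a matching regex location over it, so `/search.php` is handled by `location ~ \.php$` and the rate limit is never applied. Declaring it as `location = /search.php` makes the exact match win. In the clearnet server, `index index.php` appears without a terminating semicolon, which would make nginx read the following `include configs/general.conf;` as extra arguments to `index` and silently skip that include; this may be a rendering artifact, but it is worth checking in the file. Which lines are old and which are new is inferred from the page.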


@ -1,55 +1,45 @@
server {
server_name matrix.zzls.xyz;
include configs/general.conf;
include configs/security.conf;
include configs/robotsNone.conf;
# Common shit
include configs/general.conf;
server_name matrix.zzls.xyz;
location /.well-known/matrix/server {
return 200 '{ "m.server": "matrix.zzls.xyz:8448" }';
}
location /.well-known/matrix/server {
return 200 '{ "m.server": "matrix.zzls.xyz:8448" }';
}
location /.well-known/matrix/client {
default_type application/json;
add_header Access-Control-Allow-Origin '*';
return 200 '{ "m.homeserver": { "base_url": "https://matrix.zzls.xyz" } }';
}
location /.well-known/matrix/client {
default_type application/json;
add_header Access-Control-Allow-Origin '*';
return 200 '{ "m.homeserver": { "base_url": "https://matrix.zzls.xyz" } }';
}
location / {
alias /var/www/cinnyclient/;
index index.html;
}
location / {
alias /var/www/cinnyclient/;
index index.html;
}
location ~ ^(/_matrix|/_synapse/client|/health) {
proxy_pass http://localhost:40020;
include configs/proxy.conf;
client_max_body_size 64M;
}
location ~ ^(/_matrix|/_synapse/client|/health) {
proxy_pass http://localhost:8008;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
client_max_body_size 64M;
proxy_http_version 1.1;
}
# SecHeaders
include configs/security.conf;
# QUIC
add_header Alt-Svc 'h3=":443", h3=":8448"; ma=86400';
listen 443 quic reuseport;
listen 443 ssl reuseport;
listen 8448 ssl default_server reuseport;
listen 8448 quic default_server reuseport;
http2 on;
include configs/ssl.conf;
# QUIC
add_header Alt-Svc 'h3=":443", h3=":8448"; ma=86400';
listen 443 quic reuseport;
listen 443 ssl reuseport;
listen 8448 ssl default_server reuseport;
listen 8448 quic default_server reuseport;
include configs/ssl.conf;
http2 on;
}
server {
if ($host = matrix.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name matrix.zzls.xyz;
if ($host = matrix.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name matrix.zzls.xyz;
}


@ -1,26 +1,27 @@
server {
server_name pbin.zzls.xyz;
include configs/general.conf;
include configs/security.conf;
include configs/robotsNone.conf;
include configs/ssl.conf;
server_name pbin.zzls.xyz;
include configs/general.conf;
location / {
proxy_pass http://localhost:40001;
include configs/proxy.conf;
}
location / {
proxy_pass http://localhost:40001;
include configs/proxy.conf;
}
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 ssl;
listen 443 quic;
http2 on;
include configs/ssl.conf;
listen 443 ssl;
listen 443 quic;
http2 on;
}
server {
if ($host = pbin.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name pbin.zzls.xyz;
if ($host = pbin.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name pbin.zzls.xyz;
}


@ -1,55 +1,55 @@
# CLEARNET
server {
access_log off;
server_name ri.zzls.xyz;
include configs/general.conf;
include configs/robotsNone.conf;
server_name ri.zzls.xyz;
include configs/general.conf;
location / {
proxy_pass http://127.0.0.1:40002/;
include configs/proxy.conf;
}
location / {
proxy_pass http://127.0.0.1:40002/;
include configs/proxy.conf;
}
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
# security headers
include configs/security.conf;
#add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 ssl;
listen 443 quic;
http2 on;
include configs/ssl.conf;
listen 443 ssl;
listen 443 quic;
http2 on;
include configs/ssl.conf;
}
# TOR
server {
listen 80;
server_name rimgo.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion;
listen 80;
server_name rimgo.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion;
include configs/general.conf;
include configs/robotsNone.conf;
location / {
proxy_pass http://127.0.0.1:40002/;
include configs/proxy.conf;
}
location / {
proxy_pass http://127.0.0.1:40002/;
include configs/proxy.conf;
}
}
# I2P
server {
listen 30001;
server_name zzls3ubaix5wjfar4hskwqnh3vvwvrzoxsvcx64on2aogcxrvhoq.b32.i2p;
location / {
proxy_pass http://127.0.0.1:40002/;
include configs/proxy.conf;
}
listen 30001;
server_name zzls3ubaix5wjfar4hskwqnh3vvwvrzoxsvcx64on2aogcxrvhoq.b32.i2p;
include configs/general.conf;
include configs/robotsNone.conf;
location / {
proxy_pass http://127.0.0.1:40002/;
include configs/proxy.conf;
}
}
server {
if ($host = ri.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name ri.zzls.xyz;
if ($host = ri.zzls.xyz) {
return 301 https://$host$request_uri;
}
listen 80;
server_name ri.zzls.xyz;
}
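Review bot: As far as the page shows, the clearnet `ri.zzls.xyz` server no longer has `include configs/security.conf;` (the `# security headers` lines look like the removed side), while the 4get, librex, git, pbin and matrix servers in this commit do include it. If that is right, this host stops sending the HSTS, X-Frame-Options and Referrer-Policy headers defined there; re-adding `include configs/security.conf;` next to `include configs/robotsNone.conf;` restores them. Old and new sides are inferred here, so confirm against the file.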


@ -1,5 +1,4 @@
server {
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
include configs/general.conf;
@ -18,7 +17,6 @@ server {
listen 443 quic;
http2 on;
include configs/ssl.conf;
}
server {
if ($host = selfhost.zzls.xyz) {


@ -1 +0,0 @@
../sites-available/archive.zzls.xyz.conf


@ -1 +0,0 @@
../sites-available/files2.zzls.xyz.conf


@ -1 +0,0 @@
../sites-available/gatoculiao.ayaya.beauty.conf


@ -1 +0,0 @@
../sites-available/mpd.ayaya.beauty.conf


@ -1 +0,0 @@
../sites-available/rustlog.zzls.xyz.conf


@ -1 +0,0 @@
/etc/nginx/sites-available/stream.ayaya.beauty.conf


@ -1 +0,0 @@
../sites-available/wiki.zzls.xyz.conf


@ -1,27 +1,27 @@
# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
map $remote_addr $proxy_forwarded_elem {
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}
# Otherwise, replace it
default "$proxy_forwarded_elem";
}