Fijxu
/
etc-configs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: Fijxu:main
Branches Tags
Fijxu:main
Fijxu:selfhost
Fijxu:oracle
Fijxu:vpsus
Fijxu:veil
Fijxu:vpscl
Fijxu:selfhost-old
...
pull from: Fijxu:veil
Branches Tags
Fijxu:main
Fijxu:selfhost
Fijxu:oracle
Fijxu:vpsus
Fijxu:veil
Fijxu:vpscl
Fijxu:selfhost-old

No commits in common. "main" and "veil" have entirely different histories.
main ... veil

16 changed files with 406 additions and 16 deletions
Show Stats Expand all files Collapse all files

16
README.md
View File

@ -1,16 +0,0 @@
You can find my server configs in this repo, they are split in different branches.
- [🌑 Selfhost Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/selfhost)
- [🇺🇸 VPS Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/vpsus)
- [🌌 Veil Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/veil) (**New**)
- [🇨🇱 Oracle VPS Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/oracle)
#### Suggestions or Issues?
If you got any suggestions to the nginx configs or something that is not to your liking within the privacy-focused services I provide; Open an issue or a pull request in any config. You can either create an account with your real E-mail or with a throw away one (But probably you will be considered as a bad actor for me if you don't provide any real identity like GitHub, GitLab, Codeberg or anything like that, so make sure to link any of those).
*Contact*: [https://nadeko.net/contact](https://nadeko.net/contact)

82
conf.d/ckg/ayaya.beauty.conf Normal file
View File

@ -0,0 +1,82 @@
server {
access_log /var/log/nginx/ayaya.beauty.access.log combined;
error_log /var/log/nginx/ayaya.beauty.error.log;
server_name ayaya.beauty;
include configs/general.conf;
include configs/security.conf;
include configs/robotsNone.conf;
include snippets/torblacklist.conf;
root /var/www/fijxu/uguu/dist/public;
autoindex off;
index index.html index.php;
client_max_body_size 512M;
location ~* \.(css|js|jpg|jpeg|gif|png|ico|xml|eot|woff|woff2|ttf|svg|otf|x-icon|avif|webp|apng)$ {
expires 7d;
}
location ~ \.php$ {
fastcgi_pass php-fpm;
fastcgi_intercept_errors on;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.php)(.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
location /torisblocked {
alias errors/torisblocked.txt;
}
error_page 403 =302 /torisblocked;
# QUIC
#include configs/http3.conf;
listen 443 ssl;
http2 on;
}
server {
access_log /var/log/nginx/i.ayaya.beauty.access.log;
server_name i.ayaya.beauty;
include configs/general.conf;
include configs/security.conf;
include configs/robotsNone.conf;
root /var/www/fijxu/uguu/files;
autoindex off;
location / {
rewrite ^/(.*)/$ /\$1 break;
try_files $uri $uri/ =404;
error_page 401 402 403 404 =301 https://ayaya.beauty;
}
# QUIC
#include configs/http3.conf;
listen 443 ssl;
http2 on;
}
server {
if ($host = i.ayaya.beauty) {
return 301 https://$host$request_uri;
}
listen 80;
server_name i.ayaya.beauty;
return 404;
}
server {
if ($host = ayaya.beauty) {
return 301 https://$host$request_uri;
}
listen 80;
server_name ayaya.beauty;
return 404;
}

42
conf.d/ckg/breezewiki.nadeko.net.conf Normal file
View File

@ -0,0 +1,42 @@
server {
server_name breezewiki.nadeko.net;
include configs/general.conf;
include configs/security.conf;
include configs/robotsNone.conf;
location / {
proxy_pass http://breezewiki;
#include configs/proxy.conf;
}
# Onion Service Header
add_header Onion-Location http://breezewiki.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion$request_uri;
# QUIC
include configs/http3.conf;
listen 443 ssl;
http2 on;
}
server {
listen 127.0.0.1:10040;
server_name breezewiki.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion;
include configs/general.conf;
include configs/security.conf;
include configs/robotsNone.conf;
}
server {
set $x "";
if ($host = breezewiki.nadeko.net) {
set $x 1;
}
if ($x = 1) {
return 301 https://$host$request_uri;
}
listen 80;
server_name breezewiki.nadeko.net;
return 404;
}

87
conf.d/ckg/search.nadeko.net.conf Normal file
View File

@ -0,0 +1,87 @@
server {
server_name search.zzls.xyz search.nadeko.net;
include configs/general.conf;
location @socket {
uwsgi_pass searxng;
include uwsgi_params;
uwsgi_param HTTP_HOST $host;
uwsgi_param HTTP_CONNECTION $http_connection;
# see flaskfix.py
uwsgi_param HTTP_X_SCHEME $scheme;
#uwsgi_param HTTP_X_SCRIPT_NAME /searxng;
# see limiter.py
uwsgi_param HTTP_X_REAL_IP $remote_addr;
uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
}
location / {
try_files $uri @socket;
}
location /search {
try_files $uri @socket;
if ($server_protocol ~* "HTTP/1.1") {
return 444;
}
}
# Onion Service Header
add_header Onion-Location http://search.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion$request_uri;
# QUIC
include configs/http3.conf;
# CSP + Security Headers
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=63072000; preload" always;
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
listen 443 ssl;
http2 on;
}
server {
listen 127.0.0.1:10040;
server_name search.nadekonfkhwlxwwk4ycbvq42zvcjmvo5iakl4tajojjwxd4a5dcetuyd.onion;
include configs/general.conf;
location @socket {
uwsgi_pass searxng;
include uwsgi_params;
uwsgi_param HTTP_HOST $host;
uwsgi_param HTTP_CONNECTION $http_connection;
# see flaskfix.py
uwsgi_param HTTP_X_SCHEME $scheme;
#uwsgi_param HTTP_X_SCRIPT_NAME /searxng;
# see limiter.py
uwsgi_param HTTP_X_REAL_IP $remote_addr;
uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
}
location / {
try_files $uri @socket;
}
# CSP + Security Headers
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=63072000; preload" always;
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/tiekoetter/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src 'self' https://www.youtube-nocookie.com https://invidious.tiekoetter.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com https://open.spotify.com/" always;
}
server {
set $x "";
if ($host = search.zzls.xyz) {
set $x 1;
}
if ($host = search.nadeko.net) {
set $x 1;
}
if ($x = 1) {
return 301 https://$host$request_uri;
}
listen 80;
server_name search.zzls.xyz search.nadeko.net;
return 404;
}

10
configs/general.conf Normal file
View File

@ -0,0 +1,10 @@
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
if ($poop) {
return 444;
}

2
configs/http3.conf Normal file
View File

@ -0,0 +1,2 @@
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 quic;

20
configs/proxy.conf Normal file
View File

@ -0,0 +1,20 @@
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy SSL
proxy_ssl_server_name on;
# Proxy headers
proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;

1
configs/robotsNone.conf Normal file
View File

@ -0,0 +1 @@
location /robots.txt { return 200 "User-agent: *\nDisallow: /";}

6
configs/security.conf Normal file
View File

@ -0,0 +1,6 @@
# security headers
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "same-origin" always;
add_header X-Frame-Options "sameorigin" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

5
configs/ssl.conf Normal file
View File

@ -0,0 +1,5 @@
# ECDSA
ssl_certificate /etc/ssl/nadeko.net/fullchain.ec.crt;
ssl_certificate_key /etc/ssl/nadeko.net/nadeko.net.ec.key;
include configs/sslConfig.conf;

12
configs/sslConfig.conf Normal file
View File

@ -0,0 +1,12 @@
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_early_data on;
# Custom 4096bits Diffie-Hellman parameter for DHE ciphersuites (Not the one bundled with letsencrypt
# Changed to a custom one for trust purposes
ssl_dhparam /etc/nginx/dhparam.pem;

11
configs/upstreams.conf Normal file
View File

@ -0,0 +1,11 @@
upstream php-fpm {
server unix:/run/php/php-fpm.sock;
}
upstream searxng {
server unix:/usr/local/searxng/run/socket;
}
upstream breezewiki {
server 127.0.0.1:10001;
}

27
fastcgi.conf Normal file
View File

@ -0,0 +1,27 @@
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

65
nginx.conf Normal file
View File

@ -0,0 +1,65 @@
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 4096;
multi_accept off;
}
http {
log_format limited '$remote_addr - $remote_user [$time_local] '
'"$request_method /bogus $server_protocol" $status $body_bytes_sent '
'"-" "Bogus/66.6"';
access_log off;
error_log /dev/null;
# Basic Settings
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 1024;
types_hash_bucket_size 64;
server_names_hash_bucket_size 128;
# MIME
include mime.types;
# SSL
include configs/ssl.conf;
# reset timed out connections freeing ram
reset_timedout_connection on;
# maximum time between packets the client can pause when sending nginx any data
client_body_timeout 10s;
# maximum time the client has to send the entire header to nginx
client_header_timeout 10s;
# timeout which a single keep-alive client connection will stay open
keepalive_timeout 65s;
# maximum time between packets nginx is allowed to pause when sending the client data
send_timeout 10s;
# PERFORMANCE / ASYNC I/O
aio threads=default;
aio_write on;
directio 2m;
# Maps
include /etc/nginx/snippets/maps.conf;
include /etc/nginx/snippets/poop.conf;
# Upstreams
include /etc/nginx/configs/upstreams.conf;
# Aqui esta wisp.conf
include /etc/nginx/conf.d/root/*.conf;
# Aqui deje mi carpeta para mis configuraciones, para evitar confusiones.
include /etc/nginx/conf.d/ckg/*.conf;
}

27
snippets/maps.conf Normal file
View File

@ -0,0 +1,27 @@
# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}

9
snippets/poop.conf Normal file
View File

@ -0,0 +1,9 @@
map $http_user_agent $poop {
default 0;
~*my-tiny-bot 1;
~*thesis-research-bot 1;
~*SemrushBot 1;
~*Bytespider 1;
~*PetalBot 1;
~*Amazonbot 1;
}