Fijxu
/
nginx-configs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

caca

This commit is contained in:
Fijxu 2022-11-22 03:30:45 -03:00
parent 11fffaa619
commit d0db1451ad
5 changed files with 193 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
nginx.conf Executable file
View File

@ -0,0 +1,85 @@
worker_processes auto;
worker_rlimit_nofile 65535;
# Include Modules
include /etc/nginx/modules-enabled/*.conf;
#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
# Include external config
include /etc/nginx/conf.d/*.conf;
events {
multi_accept on;
worker_connections 65535;
}
stream {
include /etc/nginx/streams/*.conf;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 4096;
types_hash_bucket_size 64;
# MIME
include mime.types;
default_type application/octet-stream;
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers off;
#
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
# OCSP Stapling
#ssl_stapling on;
#ssl_stapling_verify on;
# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
default upgrade;
"" close;
}
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}
# Include sites-enabled and config
# include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

38
sites-available/counter.conf Executable file
View File

@ -0,0 +1,38 @@
server {
access_log /var/log/nginx/count.ayaya.pics.access.log combined;
server_name count.ayaya.pics;
location / {
proxy_pass http://127.0.0.1:41000/;
}
# security headers
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/count.ayaya.pics/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/count.ayaya.pics/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = count.ayaya.pics) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name count.ayaya.pics;
return 404; # managed by Certbot
}

68
sites-available/searxng.conf Executable file
View File

@ -0,0 +1,68 @@
server {
access_log /dev/null;
error_log /dev/null;
server_name search.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
if ($server_protocol ~* "HTTP/1.0") {
return 444;
}
if ($http_user_agent ~* (python) ) {
return 403;
}
location / {
proxy_pass http://127.0.0.1:8888/;
#
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy headers for the Limiter
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
}
location /searx/static/ {
alias /usr/local/searx/searx-src/searx/static/;
}
# Onion Service Header
add_header Onion-Location http://searxdr3pqz4nydgnqocsia2xbywptxbkympa2emn7zlgggrir4bkfad.onion$request_uri;
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
quic_retry on;
quic_gso on;
ssl_early_data on;
ssl_session_ticket_key /etc/nginx/http3key.key;
listen 443 http3;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/search.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/search.zzls.xyz/privkey.pem; # managed by Certbot
#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = search.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name search.zzls.xyz;
return 404; # managed by Certbot
}

1
sites-enabled/counter.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/counter.conf

1
sites-enabled/searxng.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/searxng.conf