From d0db1451ad5ed2b14ba0697253054fb8a9ec8616 Mon Sep 17 00:00:00 2001
From: Fijxu
Date: Tue, 22 Nov 2022 03:30:45 -0300
Subject: [PATCH] caca
---
 nginx.conf | 85 ++++++++++++++++++++++++++++++++++++
 sites-available/counter.conf | 38 ++++++++++++++++
 sites-available/searxng.conf | 68 +++++++++++++++++++++++++++++
 sites-enabled/counter.conf | 1 +
 sites-enabled/searxng.conf | 1 +
 5 files changed, 193 insertions(+)
 create mode 100755 nginx.conf
 create mode 100755 sites-available/counter.conf
 create mode 100755 sites-available/searxng.conf
 create mode 120000 sites-enabled/counter.conf
 create mode 120000 sites-enabled/searxng.conf
diff --git a/nginx.conf b/nginx.conf
new file mode 100755
index 0000000..5bce696
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,85 @@
+
+worker_processes auto;
+worker_rlimit_nofile 65535;
+
+# Include Modules
+include /etc/nginx/modules-enabled/*.conf;
+#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
+load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
+
+# Include external config
+include /etc/nginx/conf.d/*.conf;
+
+events {
+ multi_accept on;
+ worker_connections 65535;
+}
+
+stream {
+ include /etc/nginx/streams/*.conf;
+}
+
+http {
+
+ charset utf-8;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ server_tokens off;
+ log_not_found off;
+ types_hash_max_size 4096;
+ types_hash_bucket_size 64;
+
+ # MIME
+ include mime.types;
+ default_type application/octet-stream;
+
+ # SSL
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ ssl_prefer_server_ciphers off;
+ #
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+
+ # Diffie-Hellman parameter for DHE ciphersuites
+ ssl_dhparam /etc/nginx/dhparam.pem;
+
+ # OCSP Stapling
+ #ssl_stapling on;
+ #ssl_stapling_verify on;
+
+ # Connection header for WebSocket reverse proxy
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ "" close;
+ }
+
+ map $remote_addr $proxy_forwarded_elem {
+
+ # IPv4 addresses can be sent as-is
+ ~^[0-9.]+$ "for=$remote_addr";
+
+ # IPv6 addresses need to be bracketed and quoted
+ ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+ # Unix domain socket names cannot be represented in RFC 7239 syntax
+ default "for=unknown";
+ }
+
+ map $http_forwarded $proxy_add_forwarded {
+
+ # If the incoming Forwarded header is syntactically valid, append to it
+ "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+ # Otherwise, replace it
+ default "$proxy_forwarded_elem";
+ }
+
+ # Include sites-enabled and config
+ # include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+
+}
diff --git a/sites-available/counter.conf b/sites-available/counter.conf
new file mode 100755
index 0000000..6ad61ba
--- /dev/null
+++ b/sites-available/counter.conf
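Review bot: OCSP stapling stays disabled in the http block — `#ssl_stapling on;` and `#ssl_stapling_verify on;` are left commented out — so every client has to contact the CA's OCSP responder itself or soft-fail the revocation check; enable both and add a `resolver` directive, which nginx needs to look up the responder host when stapling. `include /etc/nginx/conf.d/*.conf;` sits in the main context while the same include is commented out inside `http {}`; if any conf.d file holds http-level directives nginx will refuse to start, so presumably the intended place is the commented one. The `$proxy_add_forwarded`/`$proxy_forwarded_elem` maps are defined here but neither site file in this commit uses them in a `proxy_set_header`, so the upstreams only ever see X-Forwarded-For.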
@@ -0,0 +1,38 @@
+server {
+ access_log /var/log/nginx/count.ayaya.pics.access.log combined;
+
+ server_name count.ayaya.pics;
+
+ location / {
+ proxy_pass http://127.0.0.1:41000/;
+ }
+
+ # security headers
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ add_header Permissions-Policy "interest-cohort=()" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN";
+
+ # QUIC
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+ listen 443 http3;
+ listen 443 http2 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/count.ayaya.pics/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/count.ayaya.pics/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+ if ($host = count.ayaya.pics) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name count.ayaya.pics;
+ return 404; # managed by Certbot
+ }
+
diff --git a/sites-available/searxng.conf b/sites-available/searxng.conf
new file mode 100755
index 0000000..7ed7fbb
--- /dev/null
+++ b/sites-available/searxng.conf
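Review bot: `add_header X-Frame-Options "SAMEORIGIN";` is the only security header in this server block without `always`, so it is omitted on every non-2xx/3xx response the upstream returns (without `always`, add_header only applies to 200/201/204/206 and 30x); make it `add_header X-Frame-Options "SAMEORIGIN" always;` to match the three lines above it. `X-Content-Type-Options "nosniff"` is absent from this set as well. The `location /` here proxies to 127.0.0.1:41000 without the `proxy_set_header Host`/`X-Forwarded-For` lines that searxng.conf's equivalent block sets, so the counter upstream sees every request as coming from loopback — worth aligning the two files unless that upstream never looks at client addresses.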
@@ -0,0 +1,68 @@
+server {
+ access_log /dev/null;
+ error_log /dev/null;
+
+ server_name search.zzls.xyz;
+ include configs/general.conf;
+ include configs/securityheaders.conf;
+
+
+ if ($server_protocol ~* "HTTP/1.0") {
+ return 444;
+ }
+ if ($http_user_agent ~* (python) ) {
+ return 403;
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:8888/;
+ #
+ proxy_http_version 1.1;
+ proxy_cache_bypass $http_upgrade;
+
+ # Proxy headers for the Limiter
+ proxy_set_header Host $host;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+ }
+
+ location /searx/static/ {
+ alias /usr/local/searx/searx-src/searx/static/;
+ }
+
+ # Onion Service Header
+ add_header Onion-Location http://searxdr3pqz4nydgnqocsia2xbywptxbkympa2emn7zlgggrir4bkfad.onion$request_uri;
+
+ # QUIC
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
+ quic_retry on;
+ quic_gso on;
+ ssl_early_data on;
+ ssl_session_ticket_key /etc/nginx/http3key.key;
+
+ listen 443 http3;
+ listen 443 ssl http2; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/search.zzls.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/search.zzls.xyz/privkey.pem; # managed by Certbot
+ #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+
+}
+
+server {
+ if ($host = search.zzls.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+
+ server_name search.zzls.xyz;
+ return 404; # managed by Certbot
+
+
+ }
diff --git a/sites-enabled/counter.conf b/sites-enabled/counter.conf
new file mode 120000
index 0000000..6999b67
--- /dev/null
+++ b/sites-enabled/counter.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/counter.conf
\ No newline at end of file
diff --git a/sites-enabled/searxng.conf b/sites-enabled/searxng.conf
new file mode 120000
index 0000000..dfc6d1c
--- /dev/null
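Review bot: `ssl_early_data on;` turns on TLS 1.3 0-RTT, and requests carried in early data can be replayed by anyone on the path; the `location /` block forwards them to 127.0.0.1:8888 with no marker, so the upstream cannot tell a replay from a fresh request. Add `proxy_set_header Early-Data $ssl_early_data;` beside the existing proxy_set_header lines so the application can answer 425 Too Early for non-idempotent requests, or drop `ssl_early_data` if nothing upstream checks it. `ssl_session_ticket_key /etc/nginx/http3key.key;` is set while `ssl_session_tickets off;` is inherited from nginx.conf's http block, so the key file is presumably unused here; if tickets are meant to be on for this host, that key needs periodic rotation since it can decrypt every resumed session. `error_log /dev/null;` also discards the only record of upstream connection failures and config errors for this vhost; logging at `crit` or `error` without an access log keeps the privacy goal while preserving that signal.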
+++ b/sites-enabled/searxng.conf
@@ -0,0 +1 @@
+/etc/nginx/sites-available/searxng.conf
\ No newline at end of file