Fijxu
/
nginx-configs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: Fijxu:vpscl
Branches Tags
Fijxu:vpscl
Fijxu:main
Fijxu:selfhost
...
pull from: Fijxu:selfhost
Branches Tags
Fijxu:main
Fijxu:vpscl
Fijxu:selfhost

No commits in common. "vpscl" and "selfhost" have entirely different histories.
vpscl ... selfhost

18 changed files with 224 additions and 171 deletions
Show Stats Expand all files Collapse all files

0
README.md
View File

27
nginx.conf
View File

@ -1,4 +1,3 @@
worker_processes auto;
worker_rlimit_nofile 65535;
@ -8,8 +7,12 @@ include /etc/nginx/modules-enabled/*.conf;
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
# This is where we load NJS modules
#load_module /usr/lib/nginx/modules/ngx_http_js_module.so;
#load_module /usr/lib/nginx/modules/ngx_stream_js_module.so;
# Include external config
include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/conf.d/*.conf;
events {
multi_accept on;
@ -17,7 +20,7 @@ events {
}
stream {
include /etc/nginx/streams/*.conf;
include /etc/nginx/streams/*;
}
http {
@ -30,6 +33,8 @@ http {
log_not_found off;
types_hash_max_size 4096;
types_hash_bucket_size 64;
client_max_body_size 16M;
# MIME
include mime.types;
@ -37,7 +42,7 @@ http {
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
#
ssl_session_timeout 1d;
@ -51,6 +56,16 @@ http {
#ssl_stapling on;
#ssl_stapling_verify on;
# Logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
# General configs, include in every sites-enabled site
#include configs/general.conf;
# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
default upgrade;
@ -78,8 +93,8 @@ http {
default "$proxy_forwarded_elem";
}
# Include sites-enabled and config
# include /etc/nginx/conf.d/*.conf;
# Include sites-enabled
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

38
sites-available/counter.conf
View File

@ -1,38 +0,0 @@
server {
access_log /var/log/nginx/count.ayaya.pics.access.log combined;
server_name count.ayaya.pics;
location / {
proxy_pass http://127.0.0.1:41000/;
}
# security headers
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/count.ayaya.pics/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/count.ayaya.pics/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = count.ayaya.pics) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name count.ayaya.pics;
return 404; # managed by Certbot
}

39
sites-available/gitea.conf Executable file
View File

@ -0,0 +1,39 @@
server {
access_log /var/log/nginx/git.access.log combined;
server_name git.zzls.xyz;
# Security headers and general settings
include configs/securityheaders.conf;
include configs/general.conf;
location / {
proxy_pass http://unix:/run/gitea/gitea.socket;
include configs/proxyheaders.conf;
}
#add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/git.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/git.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = git.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name git.zzls.xyz;
return 404; # managed by Certbot
}

40
sites-available/ii.zzls.xyz.conf Executable file
View File

@ -0,0 +1,40 @@
server {
access_log /var/log/nginx/ii.access.log combined;
error_log /var/log/nginx/ii.error.log;
root /opt/ImageUpload/ifiles/;
index index.html index.htm index.nginx-debian.html;
server_name ii.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
location /upload {
client_max_body_size 4096M;
auth_basic "Restricted Content";
auth_basic_user_file /etc/fileupload.htpasswd;
proxy_pass http://localhost:40006;
include configs/proxyheaders.conf;
}
listen 443 http3;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/ii.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ii.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = ii.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name ii.zzls.xyz;
return 404; # managed by Certbot
}

37
sites-available/privatebin.conf Executable file
View File

@ -0,0 +1,37 @@
server {
access_log /var/log/nginx/pbin.access.log combined;
server_name pbin.zzls.xyz;
include configs/general.conf;
location / {
proxy_pass http://localhost:40001;
include configs/proxyheaders.conf;
}
#include configs/securityheaders.conf;
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 ssl http2;
listen 443 http3; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/pbin.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/pbin.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = pbin.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name pbin.zzls.xyz;
return 404; # managed by Certbot
}

40
sites-available/rimgo.conf Executable file
View File

@ -0,0 +1,40 @@
server {
access_log /dev/null;
error_log /dev/null;
server_name ri.zzls.xyz;
include configs/general.conf;
location / {
proxy_pass http://127.0.0.1:40002/;
include configs/proxyheaders.conf;
}
# security headers
include configs/securityheaders.conf;
#add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 http3;
listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/ri.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ri.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = ri.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name ri.zzls.xyz;
return 404; # managed by Certbot
}

68
sites-available/searxng.conf
View File

@ -1,68 +0,0 @@
server {
access_log /dev/null;
error_log /dev/null;
server_name search.zzls.xyz;
include configs/general.conf;
include configs/securityheaders.conf;
if ($server_protocol ~* "HTTP/1.0") {
return 444;
}
if ($http_user_agent ~* (python) ) {
return 403;
}
location / {
proxy_pass http://127.0.0.1:8888/;
#
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
# Proxy headers for the Limiter
proxy_set_header Host $host;
proxy_set_header Connection $http_connection;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
}
location /searx/static/ {
alias /usr/local/searx/searx-src/searx/static/;
}
# Onion Service Header
add_header Onion-Location http://searxdr3pqz4nydgnqocsia2xbywptxbkympa2emn7zlgggrir4bkfad.onion$request_uri;
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
quic_retry on;
quic_gso on;
ssl_early_data on;
ssl_session_ticket_key /etc/nginx/http3key.key;
listen 443 http3;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/search.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/search.zzls.xyz/privkey.pem; # managed by Certbot
#include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = search.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name search.zzls.xyz;
return 404; # managed by Certbot
}

42
sites-available/selfhost.conf Executable file
View File

@ -0,0 +1,42 @@
server {
access_log /var/log/nginx/selfhost.log combined;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name selfhost.zzls.xyz;
location / {
try_files $uri $uri/ =404;
}
# security headers
add_header Referrer-Policy "no-referrer-when-downgrade" always;
#add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self'";
add_header Permissions-Policy "interest-cohort=()" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
# QUIC
add_header Alt-Svc 'h3=":443"; ma=86400';
listen 443 ssl http2;
listen 443 http3; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/selfhost.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/selfhost.zzls.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = selfhost.zzls.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name selfhost.zzls.xyz;
return 404; # managed by Certbot
}

1
sites-enabled/counter.conf
View File

@ -1 +0,0 @@
/etc/nginx/sites-available/counter.conf

1
sites-enabled/gitea.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/gitea.conf

1
sites-enabled/ii.zzls.xyz.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/ii.zzls.xyz.conf

1
sites-enabled/privatebin.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/privatebin.conf

1
sites-enabled/rimgo.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/rimgo.conf

1
sites-enabled/searxng.conf
View File

@ -1 +0,0 @@
/etc/nginx/sites-available/searxng.conf

1
sites-enabled/selfhost.conf Symbolic link
View File

@ -0,0 +1 @@
/etc/nginx/sites-available/selfhost.conf

29
streams/dns.conf
View File

@ -1,29 +0,0 @@
# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
#log_format dns '$remote_addr [$time_local] $protocol "$dns_qname"';
#access_log /var/log/nginx/dns-access.log dns;
# Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
#js_include /etc/nginx/njs.d/nginx_stream.js;
# The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
#js_set $dns_qname dns_get_qname;
upstream dns {
zone dns 64k;
server 127.0.0.1:5445;
#server 127.0.0.1:53;
}
server {
#listen 853 http3;
listen 853 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_handshake_timeout 10s;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
proxy_pass dns;
}

28
streams/dns.conf.bak
View File

@ -1,28 +0,0 @@
# DNS logging. This log file will show the DNS requests geting forwarded to UNBOUND
log_format dns '$remote_addr [$time_local] $protocol';
access_log /var/log/nginx/dns-access.log dns;
# Include the NJS module. Get the file from https://github.com/TuxInvader/nginx-dns/tree/master/njs.d
#js_include /etc/nginx/njs.d/nginx_stream.js;
# The $dns_qname variable can be populated by preread calls, and can be used for DNS routing
#js_set $dns_qname dns_get_qname;
upstream dns-servers {
#zone dns 64k;
server 127.0.0.1:53;
}
server {
#listen 853 http3;
listen 853; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/dns.zzls.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dns.zzls.xyz/privkey.pem; # managed by Certbot
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_handshake_timeout 10s;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
proxy_pass dns-servers;
}