diff --git a/README.md b/README.md index b7b7360..df781f5 100644 --- a/README.md +++ b/README.md @@ -63,10 +63,7 @@ increase POST size limits in `php.ini` and webserver configuration. For PHP, modify `upload_max_filesize` and `post_max_size` values. The configuration option for nginx webserver is `client_max_body_size`. -Example nginx configs can be found: -[nginx.conf](https://u.pantsu.cat/ymixjx.conf) -[u.pantsu.cat](https://u.pantsu.cat/fqurgp.conf) -[pantsu.cat](https://u.pantsu.cat/pnuyls.conf) +Example nginx configs can be found in confs/. ### Apache diff --git a/confs/nginx.conf b/confs/nginx.conf new file mode 100644 index 0000000..fd01c51 --- /dev/null +++ b/confs/nginx.conf 
@@ -0,0 +1,151 @@
+user nginx;
+
+worker_processes 2;
+
+# Maximum open file descriptors per process;
+# should be > worker_connections.
+worker_rlimit_nofile 8192;
+
+events {
+ # When you need > 8000 * cpu_cores connections, you start optimizing your OS,
+ # and this is probably the point at which you hire people who are smarter than
+ # you, as this is *a lot* of requests.
+ worker_connections 16000;
+ use epoll;
+ multi_accept on;
+
+}
+
+# Default error log file
+# (this is only used when you don't override error_log on a server{} level)
+pid /var/run/nginx.pid;
+
+
+
+
+http {
+
+ # Hide nginx version information.
+ server_tokens off;
+ client_max_body_size 128m;
+ client_body_buffer_size 32k;
+ #fastcgi_buffers 8 16k;
+ #fastcgi_buffer_size 32k;
+ fastcgi_buffer_size 16k;
+ fastcgi_buffers 4 16k;
+
+ open_file_cache max=200000 inactive=20s;
+ open_file_cache_valid 30s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors on;
+error_log error.log debug;
+
+
+ # Define the MIME types for files.
+ include mime.types;
+ default_type application/octet-stream;
+
+ # Update charset_types due to updated mime.types
+ charset_types text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml text/css application/javascript application/json;
+
+ # Format to use in log files
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # Default log file
+ # (this is only used when you don't override access_log on a server{} level)
+ #access_log logs/access.log main;
+ access_log off;
+
+
+ # How long to allow each connection to stay idle; longer values are better
+ # for each individual client, particularly for SSL, but means that worker
+ # connections are tied up longer. (Default: 65)
+ keepalive_timeout 20;
+
+ # Speed up file transfers by using sendfile() to copy directly
+ # between descriptors rather than using read()/write().
+ sendfile on;
+
+ # Tell Nginx not to send out partial frames; this increases throughput
+ # since TCP frames are filled up before being sent out. (adds TCP_CORK)
+ tcp_nopush on;
+
+
+ # Compression
+
+ # Enable Gzip compressed.
+ gzip on;
+
+ # Compression level (1-9).
+ # 5 is a perfect compromise between size and cpu usage, offering about
+ # 75% reduction for most ascii files (almost identical to level 9).
+ gzip_comp_level 5;
+
+ # Don't compress anything that's already small and unlikely to shrink much
+ # if at all (the default is 20 bytes, which is bad as that usually leads to
+ # larger files after gzipping).
+ gzip_min_length 256;
+
+ # Compress data even for clients that are connecting to us via proxies,
+ # identified by the "Via" header (required for CloudFront).
+ gzip_proxied any;
+
+ # Tell proxies to cache both the gzipped and regular version of a resource
+ # whenever the client's Accept-Encoding capabilities header varies;
+ # Avoids the issue where a non-gzip capable client (which is extremely rare
+ # today) would display gibberish if their proxy gave them the gzipped version.
+ gzip_vary on;
+
+ # Compress all output labeled with one of the following MIME-types.
+ gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/rdf+xml
+ application/rss+xml
+ application/schema+json
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-javascript
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/eot
+ font/opentype
+ image/bmp
+ image/svg+xml
+ image/vnd.microsoft.icon
+ image/x-icon
+ text/cache-manifest
+ text/css
+ text/javascript
+ text/plain
+ text/vcard
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy
+ text/xml;
+ # text/html is always compressed by HttpGzipModule
+
+ # This should be turned on if you are going to have pre-compressed copies (.gz) of
+ # static files available. If not it should be left off as it will cause extra I/O
+ # for the check. It is best if you enable this in a location{} block for
+ # a specific directory, or on an individual server{} level.
+ # gzip_static on;
+
+ # Include files in the sites-enabled folder. server{} configuration files should be
+ # placed in the sites-available folder, and then the configuration should be enabled
+ # by creating a symlink to it in the sites-available folder.
+ # See doc/sites-enabled.md for more info.
+ index index.html index.htm index.php _h5ai/public/index.php;
+
+ include /etc/nginx/conf.d/*.conf;
+}
+
+
diff --git a/confs/pantsu.cat.conf b/confs/pantsu.cat.conf
new file mode 100644
index 0000000..362ac45
--- /dev/null
+++ b/confs/pantsu.cat.conf
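Review bot: `error_log error.log debug;` sits unindented in the middle of the open_file_cache settings inside http{} and ships the example with debug-level logging to a relative path resolved against the nginx prefix; debug is extremely verbose, costs performance, and records per-request details (client address, headers) that a shared example should not default to, so prefer something like `error_log /var/log/nginx/error.log warn;`. The comment "Default error log file / (this is only used when you don't override error_log on a server{} level)" above `pid` no longer has an error_log directive under it, so it should move with the directive or be dropped. `access_log off;` at http{} level silences the access log for every vhost that does not re-enable it, which is the primary record for investigating abuse of an upload host; keeping `access_log /var/log/nginx/access.log main;` here and turning it off per location where noise matters is the safer default. `index index.html index.htm index.php _h5ai/public/index.php;` is site-specific and deserves a comment or removal in a config presented as an example.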
@@ -0,0 +1,51 @@
+server {
+ listen 443 ssl deferred http2;
+ listen [::]:443 ssl deferred http2;
+
+ server_name pantsu.cat www.pantsu.cat;
+ root /mnt/pantsu/http/pantsu.cat/upload;
+ include /etc/nginx/includes/lets.conf;
+
+ ssl_certificate /etc/nginx/ssl/pantsu.cat/pantsu.cat_chain.pem;
+ ssl_certificate_key /etc/nginx/ssl/pantsu.cat/pantsu.cat.key;
+ add_header Public-Key-Pins 'pin-sha256="iLplfPiBVaaSmbk1Q0A+cY+nkeT0CyWXsjYNWAsI5UI="; pin-sha256="uynduGXAGjJl+B8om1uAZuG+2a9Guk58fjfztwMJGJc=";max-age=5184000;';
+
+ include /etc/nginx/includes/ssllax.conf;
+ location /upload.php {
+ auth_basic "Restricted";
+ auth_basic_user_file /etc/nginx/htpasswd;
+ include /etc/nginx/includes/php.conf;
+ }
+ include /etc/nginx/includes/php.conf;
+
+
+ location ^~ /includes/ {
+ deny all;
+ }
+ location ^~ /pub/ {
+ autoindex on;
+ include /etc/nginx/includes/php.conf;
+}
+ location ^~ /firefox/ {
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' https://addons.cdn.mozilla.net https://static.addons.mozilla.net; style-src 'self' 'unsafe-inline';font-src 'self';";
+ }
+
+ error_page 404 /404.html;
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ include /etc/nginx/includes/cache.conf;
+
+}
+
+# redirect all http traffic to https
+#lel doesn't work
+server {
+ listen 80;
+ listen [::]:80;
+ server_name pantsu.cat www.pantsu.cat;
+ include /etc/nginx/includes/lets.conf;
+ return 301 https://$host$request_uri;
+
+}
diff --git a/confs/u.pantsu.cat.conf b/confs/u.pantsu.cat.conf
new file mode 100644
index 0000000..1a7505a
--- /dev/null
+++ b/confs/u.pantsu.cat.conf
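Review bot: The Basic-auth gate on `location /upload.php` is a plain prefix location, so if /etc/nginx/includes/php.conf (not in this diff) defines the usual regex `location ~ \.php$` handler, the server-level `include /etc/nginx/includes/php.conf;` makes that regex location win for /upload.php and the `auth_basic` block is never entered; writing it as `location ^~ /upload.php {` (or `location = /upload.php {`) keeps the protected block authoritative. The same include is active for the whole server and again inside `location ^~ /pub/`, while `root` points at the upload directory, so any uploaded file whose name ends in .php would be handed to the same handler; confining PHP handling to the upload script's own location and not including php.conf at server level removes that exposure. `add_header Content-Security-Policy` inside `location ^~ /firefox/` also suppresses the server-level `Public-Key-Pins` header for that prefix, because nginx inherits add_header directives only when the current level defines none. Separately, in the port-80 server the `return 301` at server level runs before location matching, so any location that `/etc/nginx/includes/lets.conf` defines is unreachable over http, which is a plausible cause of the `#lel doesn't work` comment; the same ordering appears in confs/u.pantsu.cat.conf.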
@@ -0,0 +1,48 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name u.pantsu.cat;
+ root /mnt/pantsu/http/files;
+
+ ssl_certificate /etc/letsencrypt/live/u.pantsu.cat/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/u.pantsu.cat/privkey.pem;
+
+ include /etc/nginx/includes/ssleff.conf;
+ ssl_trusted_certificate /etc/letsencrypt/live/u.pantsu.cat/chain.pem;
+
+ # ... the rest of your configuration
+ location / {
+ #location ^~ /.php$ {return 403;}
+ include mime.types;
+ types {
+ text/plain txt sh;
+ text/plain pl go py cs c java fish;
+ text/plain rb rs lua ls hy asm S conf;
+ text/plain php sql patch diff;
+ text/plain moon log tcl tk md coffee;
+ text/plain scss ts less d hs;
+ application/octet-stream svg;
+ text/plain cfg text ascii;
+ }
+
+
+ }
+
+ error_page 404 /404.html;
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ include /etc/nginx/includes/cache.conf;
+
+}
+
+# redirect all http traffic to https
+server {
+ listen 80;
+ listen [::]:80;
+ server_name u.pantsu.cat;
+ return 301 https://$host$request_uri;
+ include /etc/nginx/includes/lets.conf;
+}
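Review bot: The `types { ... }` override in `location /` forces many text and source extensions to text/plain and .svg to application/octet-stream, but html, htm, xhtml and xml are not in the list, so they keep whatever the included mime.types assigns (typically an HTML or XML type) and an uploaded .html on this files host is rendered as a page on the u.pantsu.cat origin instead of being shown as text. Assuming the override is meant to neutralize active content, add `text/plain html htm xhtml xml;` to the block and `add_header X-Content-Type-Options nosniff;` in the location so browsers do not sniff the text/plain responses back into HTML. The commented `#location ^~ /.php$ {return 403;}` would not do what its name suggests if re-enabled, since `^~` is a prefix match and would only ever match the literal path `/.php$`; the form that blocks by extension is `location ~ \.php$ { return 403; }`. In the port-80 server, `return 301` at server level is applied before location matching, so any location that `/etc/nginx/includes/lets.conf` (not in this diff) defines is unreachable over http regardless of the include's position after the return.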