diff --git a/blog.conf b/blog.conf index 607ca43..ccebdee 100644 --- a/blog.conf +++ b/blog.conf @@ -1,14 +1,14 @@ server { - listen 443 ssl; - server_name blog.exozy.me; - - ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; - - root /srv/http/blog; - index index.html; + listen 443 ssl; + server_name blog.exozy.me; - location / { - try_files $uri $uri/ =404; - } + ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; + + root /srv/http/blog; + index index.html; + + location / { + try_files $uri $uri/ =404; + } } diff --git a/code.conf b/code.conf index 9b98033..20b7a9a 100644 --- a/code.conf +++ b/code.conf @@ -1,15 +1,15 @@ server { - listen 443 ssl; - server_name code.exozy.me; - - ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; - - location / { - proxy_pass http://localhost:6000; - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection upgrade; - proxy_set_header Accept-Encoding gzip; - } + listen 443 ssl; + server_name code.exozy.me; + + ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; + + location / { + proxy_pass http://localhost:6000; + proxy_set_header Host $host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection upgrade; + proxy_set_header Accept-Encoding gzip; + } } diff --git a/exozyme.conf b/exozyme.conf index 3b38f96..a3f15dc 100644 --- a/exozyme.conf +++ b/exozyme.conf @@ -1,26 +1,28 @@ server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; } server { - listen 443 ssl; - server_name exozy.me; - - ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; - - root /srv/http/exozy.me; - index index.html; + listen 443 ssl; + server_name exozy.me; - location /.well-known/matrix/server { return 200 '{"m.server": "chat.exozy.me"}'; } - - location /.well-known/webfinger { - return 301 https://social.exozy.me$request_uri; - } + ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; - location / { - try_files $uri $uri/ =404; - } + root /srv/http/exozy.me; + index index.html; + + location /.well-known/matrix/server { + return 200 '{"m.server": "chat.exozy.me"}'; + } + + location /.well-known/webfinger { + return 301 https://social.exozy.me$request_uri; + } + + location / { + try_files $uri $uri/ =404; + } } diff --git a/game.conf b/game.conf index d66bfaa..2e64f99 100644 --- a/game.conf +++ b/game.conf @@ -1,11 +1,11 @@ server { - listen 443 ssl; - server_name game.exozy.me; - - ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; - - location / { - proxy_pass http://localhost:5000; - } + listen 443 ssl; + server_name game.exozy.me; + + ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; + + location / { + proxy_pass http://localhost:5000; + } } diff --git a/gitea.conf b/gitea.conf index cf23092..a2a82b8 100644 --- a/gitea.conf +++ b/gitea.conf @@ -15,7 +15,8 @@ server { server { if ($host = git.exozy.me) { return 301 https://$host$request_uri; - } # managed by Certbot + } + # managed by Certbot listen 80; diff --git a/nextcloud.conf b/nextcloud.conf index 2c77c09..9120ef2 100644 --- a/nextcloud.conf +++ b/nextcloud.conf @@ -14,13 +14,13 @@ server { } server { - listen 443 ssl http2; + listen 443 ssl http2; listen [::]:443 ssl http2; server_name cloud.exozy.me; # Use Mozilla's guidelines for SSL/TLS settings # https://mozilla.github.io/server-side-tls/ssl-config-generator/ - ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; + ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; # HSTS settings @@ -48,13 +48,13 @@ server { #pagespeed off; # HTTP response headers borrowed from Nextcloud `.htaccess` - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "none" always; - add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; @@ -97,17 +97,27 @@ server { location ^~ /.well-known { # The following 6 rules are borrowed from `.htaccess` - location = /.well-known/carddav { return 301 /remote.php/dav/; } - location = /.well-known/caldav { return 301 /remote.php/dav/; } + location = /.well-known/carddav { + return 301 /remote.php/dav/; + } + location = /.well-known/caldav { + return 301 /remote.php/dav/; + } # Anything else is dynamically handled by Nextcloud - location ^~ /.well-known { return 301 /index.php$uri; } + location ^~ /.well-known { + return 301 /index.php$uri; + } try_files $uri $uri/ =404; } # Rules borrowed from `.htaccess` to hide certain paths from clients - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { + return 404; + } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + return 404; + } # Ensure this block, which passes PHP files to the PHP process, is above the blocks # which handle static assets (as seen below). If this block is not declared first, @@ -124,8 +134,8 @@ server { fastcgi_param PATH_INFO $path_info; fastcgi_param HTTPS on; - fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice - fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls fastcgi_pass php-handler; fastcgi_intercept_errors on; @@ -134,14 +144,14 @@ server { location ~ \.(?:css|js|svg|gif)$ { try_files $uri /index.php$request_uri; - expires 6M; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets + expires 6M; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets } location ~ \.woff2?$ { try_files $uri /index.php$request_uri; - expires 7d; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets } location / { diff --git a/office.conf b/office.conf index 43dd3ba..04f1d18 100644 --- a/office.conf +++ b/office.conf @@ -4,7 +4,7 @@ server { ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; - + client_max_body_size 20M; include snippets/loolwsd.conf; } diff --git a/server.conf b/server.conf index 5a5fef1..912bc36 100644 --- a/server.conf +++ b/server.conf @@ -1,11 +1,11 @@ server { - listen 443 ssl; - server_name server.exozy.me; - - ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; - - location / { - proxy_pass https://localhost:6000; - } + listen 443 ssl; + server_name server.exozy.me; + + ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; + + location / { + proxy_pass https://localhost:6000; + } } diff --git a/social.conf b/social.conf index 7c81eea..7ac6a60 100644 --- a/social.conf +++ b/social.conf @@ -1,6 +1,6 @@ map $http_upgrade $connection_upgrade { - default upgrade; - '' close; + default upgrade; + '' close; } upstream backend { @@ -14,102 +14,106 @@ upstream streaming { proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g; server { - listen 80; - listen [::]:80; - server_name social.exozy.me; - root /var/lib/mastodon/public; - location /.well-known/acme-challenge/ { allow all; } - location / { return 301 https://$host$request_uri; } + listen 80; + listen [::]:80; + server_name social.exozy.me; + root /var/lib/mastodon/public; + location /.well-known/acme-challenge/ { + allow all; + } + location / { + return 301 https://$host$request_uri; + } } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name social.exozy.me; + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name social.exozy.me; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; - # Uncomment these lines once you acquire a certificate: - ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; + # Uncomment these lines once you acquire a certificate: + ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; - keepalive_timeout 70; - sendfile on; - client_max_body_size 80m; + keepalive_timeout 70; + sendfile on; + client_max_body_size 80m; - root /var/lib/mastodon/public; + root /var/lib/mastodon/public; - gzip on; - gzip_disable "msie6"; - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + gzip on; + gzip_disable "msie6"; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - add_header Strict-Transport-Security "max-age=31536000"; - - location / { - try_files $uri @proxy; - } - - location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) { - add_header Cache-Control "public, max-age=31536000, immutable"; - add_header Strict-Transport-Security "max-age=31536000"; - try_files $uri @proxy; - } - - location /sw.js { - add_header Cache-Control "public, max-age=0"; - add_header Strict-Transport-Security "max-age=31536000"; - try_files $uri @proxy; - } - - location @proxy { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Proxy ""; - proxy_pass_header Server; - - proxy_pass http://backend; - proxy_buffering on; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_cache CACHE; - proxy_cache_valid 200 7d; - proxy_cache_valid 410 24h; - proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; - add_header X-Cached $upstream_cache_status; add_header Strict-Transport-Security "max-age=31536000"; - tcp_nodelay on; - } + location / { + try_files $uri @proxy; + } - location /api/v1/streaming { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Proxy ""; + location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) { + add_header Cache-Control "public, max-age=31536000, immutable"; + add_header Strict-Transport-Security "max-age=31536000"; + try_files $uri @proxy; + } - proxy_pass http://streaming; - proxy_buffering off; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; + location /sw.js { + add_header Cache-Control "public, max-age=0"; + add_header Strict-Transport-Security "max-age=31536000"; + try_files $uri @proxy; + } - tcp_nodelay on; - } + location @proxy { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Proxy ""; + proxy_pass_header Server; - error_page 500 501 502 503 504 /500.html; + proxy_pass http://backend; + proxy_buffering on; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_cache CACHE; + proxy_cache_valid 200 7d; + proxy_cache_valid 410 24h; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + add_header X-Cached $upstream_cache_status; + add_header Strict-Transport-Security "max-age=31536000"; + + tcp_nodelay on; + } + + location /api/v1/streaming { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Proxy ""; + + proxy_pass http://streaming; + proxy_buffering off; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + tcp_nodelay on; + } + + error_page 500 501 502 503 504 /500.html; } diff --git a/ta180m.conf b/ta180m.conf index 7512539..9e09e5e 100644 --- a/ta180m.conf +++ b/ta180m.conf @@ -1,14 +1,14 @@ server { - listen 443 ssl; - server_name ta180m.exozy.me; - - ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; - - root /srv/http/ta180m; - index index.html; + listen 443 ssl; + server_name ta180m.exozy.me; - location / { - try_files $uri $uri/ =404; - } + ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; + + root /srv/http/ta180m; + index index.html; + + location / { + try_files $uri $uri/ =404; + } } diff --git a/tube.conf b/tube.conf index 016a3b5..73bc42c 100644 --- a/tube.conf +++ b/tube.conf @@ -4,255 +4,259 @@ # THIRD PARTY MODULES: None. server { - listen 80; - listen [::]:80; - server_name tube.exozy.me; + listen 80; + listen [::]:80; + server_name tube.exozy.me; - location /.well-known/acme-challenge/ { - default_type "text/plain"; - root /var/lib/certbot; - } - location / { return 301 https://$host$request_uri; } + location /.well-known/acme-challenge/ { + default_type "text/plain"; + root /var/lib/certbot; + } + location / { + return 301 https://$host$request_uri; + } } upstream tube_backend { - server 127.0.0.1:9000; + server 127.0.0.1:9000; } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name tube.exozy.me; + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name tube.exozy.me; - access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m - error_log /var/log/nginx/peertube.error.log; + access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m + error_log /var/log/nginx/peertube.error.log; - ## - # Certificates - # you need a certificate to run in production. see https://letsencrypt.org/ - ## - ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; + ## + # Certificates + # you need a certificate to run in production. see https://letsencrypt.org/ + ## + ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; - location ^~ '/.well-known/acme-challenge' { - default_type "text/plain"; - root /var/lib/certbot; - } - - ## - # Security hardening (as of Nov 15, 2020) - # based on Mozilla Guideline v5.6 - ## - - ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4 - ssl_session_timeout 1d; # defaults to 5m - ssl_session_cache shared:SSL:10m; # estimated to 40k sessions - ssl_session_tickets off; - ssl_stapling on; - ssl_stapling_verify on; - # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives - #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; - - ## - # Application - ## - - location @api { - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - - client_max_body_size 100k; # default is 1M - - proxy_connect_timeout 10m; - proxy_send_timeout 10m; - proxy_read_timeout 10m; - send_timeout 10m; - - proxy_pass http://tube_backend; - } - - location / { - try_files /dev/null @api; - } - - location = /api/v1/videos/upload { - limit_except POST HEAD { deny all; } - - # This is the maximum upload size, which roughly matches the maximum size of a video file. - # Note that temporary space is needed equal to the total size of all concurrent uploads. - # This data gets stored in /var/lib/nginx by default, so you may want to put this directory - # on a dedicated filesystem. - client_max_body_size 12G; # default is 1M - add_header X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size) - - try_files /dev/null @api; - } - - location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) { - client_max_body_size 3M; # default is 1M - add_header X-File-Maximum-Size 2M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size) - - try_files /dev/null @api; - } - - ## - # Websocket - ## - - location @api_websocket { - proxy_http_version 1.1; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_pass http://tube_backend; - } - - location /socket.io { - try_files /dev/null @api_websocket; - } - - location /tracker/socket { - # Peers send a message to the tracker every 15 minutes - # Don't close the websocket before then - proxy_read_timeout 15m; # default is 60s - - try_files /dev/null @api_websocket; - } - - ## - # Performance optimizations - # For extra performance please refer to https://github.com/denji/nginx-tuning - ## - - root /var/lib/peertube/storage; - - # Enable compression for JS/CSS/HTML, for improved client load times. - # It might be nice to compress JSON/XML as returned by the API, but - # leaving that out to protect against potential BREACH attack. - gzip on; - gzip_vary on; - gzip_types # text/html is always compressed by HttpGzipModule - text/css - application/javascript - font/truetype - font/opentype - application/vnd.ms-fontobject - image/svg+xml; - gzip_min_length 1000; # default is 20 bytes - gzip_buffers 16 8k; - gzip_comp_level 2; # default is 1 - - client_body_timeout 30s; # default is 60 - client_header_timeout 10s; # default is 60 - send_timeout 10s; # default is 60 - keepalive_timeout 10s; # default is 75 - resolver_timeout 10s; # default is 30 - reset_timedout_connection on; - proxy_ignore_client_abort on; - - tcp_nopush on; # send headers in one piece - tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time - - # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place - # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path - #client_body_temp_path /var/lib/peertube/storage/nginx/; - - # Bypass PeerTube for performance reasons. Optional. - # Should be consistent with client-overrides assets list in /server/controllers/client.ts - location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png))$ { - add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year - - root /var/lib/peertube; - - try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 @api; - } - - # Bypass PeerTube for performance reasons. Optional. - location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ { - add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year - - alias /usr/share/webapps/peertube/client/dist/$1; - } - - # Bypass PeerTube for performance reasons. Optional. - location ~ ^/static/(thumbnails|avatars)/ { - if ($request_method = 'OPTIONS') { - add_header Access-Control-Allow-Origin '*'; - add_header Access-Control-Allow-Methods 'GET, OPTIONS'; - add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; - add_header Access-Control-Max-Age 1728000; # Preflight request can be cached 20 days - add_header Content-Type 'text/plain charset=UTF-8'; - add_header Content-Length 0; - return 204; + location ^~ '/.well-known/acme-challenge' { + default_type "text/plain"; + root /var/lib/certbot; } - add_header Access-Control-Allow-Origin '*'; - add_header Access-Control-Allow-Methods 'GET, OPTIONS'; - add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; - add_header Cache-Control "public, max-age=7200"; # Cache response 2 hours + ## + # Security hardening (as of Nov 15, 2020) + # based on Mozilla Guideline v5.6 + ## - rewrite ^/static/(.*)$ /$1 break; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4 + ssl_session_timeout 1d; # defaults to 5m + ssl_session_cache shared:SSL:10m; # estimated to 40k sessions + ssl_session_tickets off; + ssl_stapling on; + ssl_stapling_verify on; + # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives + #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; - try_files $uri @api; - } + ## + # Application + ## - # Bypass PeerTube for performance reasons. Optional. - location ~ ^/static/(webseed|redundancy|streaming-playlists)/ { - limit_rate_after 5M; + location @api { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; - # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client - set $peertube_limit_rate 800k; + client_max_body_size 100k; # default is 1M - # Increase rate limit in HLS mode, because we don't have multiple simultaneous connections - if ($request_uri ~ -fragmented.mp4$) { - set $peertube_limit_rate 5M; + proxy_connect_timeout 10m; + proxy_send_timeout 10m; + proxy_read_timeout 10m; + send_timeout 10m; + + proxy_pass http://tube_backend; } - # Use this line with nginx >= 1.17.0 - limit_rate $peertube_limit_rate; - # Or this line if your nginx < 1.17.0 - #set $limit_rate $peertube_limit_rate; - - if ($request_method = 'OPTIONS') { - add_header Access-Control-Allow-Origin '*'; - add_header Access-Control-Allow-Methods 'GET, OPTIONS'; - add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; - add_header Access-Control-Max-Age 1728000; # Preflight request can be cached 20 days - add_header Content-Type 'text/plain charset=UTF-8'; - add_header Content-Length 0; - return 204; + location / { + try_files /dev/null @api; } - if ($request_method = 'GET') { - add_header Access-Control-Allow-Origin '*'; - add_header Access-Control-Allow-Methods 'GET, OPTIONS'; - add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; + location = /api/v1/videos/upload { + limit_except POST HEAD { + deny all; + } - # Don't spam access log file with byte range requests - access_log off; + # This is the maximum upload size, which roughly matches the maximum size of a video file. + # Note that temporary space is needed equal to the total size of all concurrent uploads. + # This data gets stored in /var/lib/nginx by default, so you may want to put this directory + # on a dedicated filesystem. + client_max_body_size 12G; # default is 1M + add_header X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size) + + try_files /dev/null @api; } - # Enabling the sendfile directive eliminates the step of copying the data into the buffer - # and enables direct copying data from one file descriptor to another. - sendfile on; - sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k. - aio threads; + location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) { + client_max_body_size 3M; # default is 1M + add_header X-File-Maximum-Size 2M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size) - # Use this in tandem with fuse-mounting i.e. https://docs.joinpeertube.org/admin-remote-storage - # to serve files directly from a public bucket without proxying. - # Assumes you have buckets named after the storage subdirectories, i.e. 'videos', 'redundancy', etc. - #set $cdn ; - #rewrite ^/static/webseed/(.*)$ $cdn/videos/$1 redirect; - #rewrite ^/static/(.*)$ $cdn/$1 redirect; - rewrite ^/static/webseed/(.*)$ /videos/$1 break; - rewrite ^/static/(.*)$ /$1 break; + try_files /dev/null @api; + } - try_files $uri @api; - } + ## + # Websocket + ## + + location @api_websocket { + proxy_http_version 1.1; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_pass http://tube_backend; + } + + location /socket.io { + try_files /dev/null @api_websocket; + } + + location /tracker/socket { + # Peers send a message to the tracker every 15 minutes + # Don't close the websocket before then + proxy_read_timeout 15m; # default is 60s + + try_files /dev/null @api_websocket; + } + + ## + # Performance optimizations + # For extra performance please refer to https://github.com/denji/nginx-tuning + ## + + root /var/lib/peertube/storage; + + # Enable compression for JS/CSS/HTML, for improved client load times. + # It might be nice to compress JSON/XML as returned by the API, but + # leaving that out to protect against potential BREACH attack. + gzip on; + gzip_vary on; + gzip_types # text/html is always compressed by HttpGzipModule + text/css + application/javascript + font/truetype + font/opentype + application/vnd.ms-fontobject + image/svg+xml; + gzip_min_length 1000; # default is 20 bytes + gzip_buffers 16 8k; + gzip_comp_level 2; # default is 1 + + client_body_timeout 30s; # default is 60 + client_header_timeout 10s; # default is 60 + send_timeout 10s; # default is 60 + keepalive_timeout 10s; # default is 75 + resolver_timeout 10s; # default is 30 + reset_timedout_connection on; + proxy_ignore_client_abort on; + + tcp_nopush on; # send headers in one piece + tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time + + # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place + # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path + #client_body_temp_path /var/lib/peertube/storage/nginx/; + + # Bypass PeerTube for performance reasons. Optional. + # Should be consistent with client-overrides assets list in /server/controllers/client.ts + location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png))$ { + add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year + + root /var/lib/peertube; + + try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 @api; + } + + # Bypass PeerTube for performance reasons. Optional. + location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ { + add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year + + alias /usr/share/webapps/peertube/client/dist/$1; + } + + # Bypass PeerTube for performance reasons. Optional. + location ~ ^/static/(thumbnails|avatars)/ { + if ($request_method = 'OPTIONS') { + add_header Access-Control-Allow-Origin '*'; + add_header Access-Control-Allow-Methods 'GET, OPTIONS'; + add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; + add_header Access-Control-Max-Age 1728000; # Preflight request can be cached 20 days + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + + add_header Access-Control-Allow-Origin '*'; + add_header Access-Control-Allow-Methods 'GET, OPTIONS'; + add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; + add_header Cache-Control "public, max-age=7200"; # Cache response 2 hours + + rewrite ^/static/(.*)$ /$1 break; + + try_files $uri @api; + } + + # Bypass PeerTube for performance reasons. Optional. + location ~ ^/static/(webseed|redundancy|streaming-playlists)/ { + limit_rate_after 5M; + + # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client + set $peertube_limit_rate 800k; + + # Increase rate limit in HLS mode, because we don't have multiple simultaneous connections + if ($request_uri ~ -fragmented.mp4$) { + set $peertube_limit_rate 5M; + } + + # Use this line with nginx >= 1.17.0 + limit_rate $peertube_limit_rate; + # Or this line if your nginx < 1.17.0 + #set $limit_rate $peertube_limit_rate; + + if ($request_method = 'OPTIONS') { + add_header Access-Control-Allow-Origin '*'; + add_header Access-Control-Allow-Methods 'GET, OPTIONS'; + add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; + add_header Access-Control-Max-Age 1728000; # Preflight request can be cached 20 days + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } + + if ($request_method = 'GET') { + add_header Access-Control-Allow-Origin '*'; + add_header Access-Control-Allow-Methods 'GET, OPTIONS'; + add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; + + # Don't spam access log file with byte range requests + access_log off; + } + + # Enabling the sendfile directive eliminates the step of copying the data into the buffer + # and enables direct copying data from one file descriptor to another. + sendfile on; + sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k. + aio threads; + + # Use this in tandem with fuse-mounting i.e. https://docs.joinpeertube.org/admin-remote-storage + # to serve files directly from a public bucket without proxying. + # Assumes you have buckets named after the storage subdirectories, i.e. 'videos', 'redundancy', etc. + #set $cdn ; + #rewrite ^/static/webseed/(.*)$ $cdn/videos/$1 redirect; + #rewrite ^/static/(.*)$ $cdn/$1 redirect; + rewrite ^/static/webseed/(.*)$ /videos/$1 break; + rewrite ^/static/(.*)$ /$1 break; + + try_files $uri @api; + } } diff --git a/wiki.conf b/wiki.conf index d1c603d..95ab923 100644 --- a/wiki.conf +++ b/wiki.conf @@ -1,14 +1,14 @@ server { - listen 443; - server_name wiki.exozy.me; - ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; - root /usr/share/webapps/mediawiki; - index index.php; - charset utf-8; -# For correct file uploads - client_max_body_size 100m; # Equal or more than upload_max_filesize in /etc/php7/php.ini - client_body_timeout 60; - include mediawiki.conf; + listen 443; + server_name wiki.exozy.me; + ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem; + root /usr/share/webapps/mediawiki; + index index.php; + charset utf-8; + # For correct file uploads + client_max_body_size 100m; # Equal or more than upload_max_filesize in /etc/php7/php.ini + client_body_timeout 60; + include mediawiki.conf; } diff --git a/zabbix.conf b/zabbix.conf index 3341507..0f75b29 100644 --- a/zabbix.conf +++ b/zabbix.conf @@ -1,43 +1,43 @@ server { - listen 80; - server_name 192.168.1.13; - - root /srv/http; - index index.php; + listen 80; + server_name 192.168.1.13; - location /zabbix { - if ($scheme ~ ^http:){ - rewrite ^(.*)$ https://$host$1 permanent; - } - alias /srv/http/zabbix; - index index.php; - error_page 403 404 502 503 504 /zabbix/index.php; + root /srv/http; + index index.php; - location ~ \.php$ { - if (!-f $request_filename) { return 404; } - expires epoch; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $request_filename; - fastcgi_intercept_errors on; - - fastcgi_read_timeout 120s; - fastcgi_send_timeout 120s; - - fastcgi_index index.php; - fastcgi_pass unix:/run/php-fpm/php-fpm.sock; - - # fastcgi_param PHP_VALUE " - # max_execution_time=300 - # max_input_time=300 - # post_max_size=16M - # "; - } - - location ~ \.(jpg|jpeg|gif|png|ico)$ { - access_log off; - expires 33d; - } + location /zabbix { + if ($scheme ~ ^http:) { + rewrite ^(.*)$ https://$host$1 permanent; } + alias /srv/http/zabbix; + index index.php; + error_page 403 404 502 503 504 /zabbix/index.php; + + location ~ \.php$ { + if (!-f $request_filename) { + return 404; + } + expires epoch; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $request_filename; + fastcgi_intercept_errors on; + + fastcgi_read_timeout 120s; + fastcgi_send_timeout 120s; + + fastcgi_index index.php; + fastcgi_pass unix:/run/php-fpm/php-fpm.sock; + + # fastcgi_param PHP_VALUE " + # max_execution_time=300 + # max_input_time=300 + # post_max_size=16M + # "; + } + + location ~ \.(jpg|jpeg|gif|png|ico)$ { + access_log off; + expires 33d; + } + } } - -