initial commit

2025-06-05 11:01:19 +03:00
commit 48f13f97a3
297 changed files with 7136 additions and 0 deletions
--- a/angie/snip/cache.j2mod
+++ b/angie/snip/cache.j2mod
@@ -0,0 +1,55 @@
+{%- macro proxy_cache_path(name, size='1m') %}
+{%- set path = '/run/ngx/cache'|join_prefix('proxy_' + name) -%}
+{%- set zone_file = '/run/ngx/lib'|join_prefix('proxy_' + name + '.keys') -%}
+proxy_cache_path  {{ path | ngx_esc }}
+  {{ "keys_zone={}:{}:file={}".format(name, size, zone_file) | ngx_esc }}
+{%- for v in varargs %}
+  {{ v | ngx_esc }}
+{%- endfor %}
+{%- for k, v in kwargs|dictsort %}
+  {{ "{}={}".format(k, v) | ngx_esc }}
+{%- endfor %}
+;
+{%- endmacro %}
+
+
+{%- macro fastcgi_cache_path(name, size='1m') %}
+{%- set path = '/run/ngx/cache'|join_prefix('fastcgi_' + name) -%}
+fastcgi_cache_path  {{ path | ngx_esc }}
+  {{ "keys_zone={}:{}".format(name, size) | ngx_esc }}
+{%- for v in varargs %}
+  {{ v | ngx_esc }}
+{%- endfor %}
+{%- for k, v in kwargs|dictsort %}
+  {{ "{}={}".format(k, v) | ngx_esc }}
+{%- endfor %}
+;
+{%- endmacro %}
+
+
+{%- macro scgi_cache(name, size='1m') %}
+{%- set path = '/run/ngx/cache'|join_prefix('scgi_' + name) -%}
+scgi_cache  {{ path | ngx_esc }}
+  {{ "keys_zone={}:{}".format(name, size) | ngx_esc }}
+{%- for v in varargs %}
+  {{ v | ngx_esc }}
+{%- endfor %}
+{%- for k, v in kwargs|dictsort %}
+  {{ "{}={}".format(k, v) | ngx_esc }}
+{%- endfor %}
+;
+{%- endmacro %}
+
+
+{%- macro uwsgi_cache(name, size='1m') %}
+{%- set path = '/run/ngx/cache'|join_prefix('uwsgi_' + name) -%}
+uwsgi_cache  {{ path | ngx_esc }}
+  {{ "keys_zone={}:{}".format(name, size) | ngx_esc }}
+{%- for v in varargs %}
+  {{ v | ngx_esc }}
+{%- endfor %}
+{%- for k, v in kwargs|dictsort %}
+  {{ "{}={}".format(k, v) | ngx_esc }}
+{%- endfor %}
+;
+{%- endmacro %}
--- a/angie/snip/deny-dotfiles
+++ b/angie/snip/deny-dotfiles
@@ -0,0 +1,3 @@
+location ~ /\. {
+    include snip/internal-area;
+}
--- a/angie/snip/disable-compression.j2
+++ b/angie/snip/disable-compression.j2
@@ -0,0 +1,8 @@
+# safe to specify all the time
+gzip off;
+{%- set extra_comp_modules = ['brotli', 'zstd'] -%}
+{%- set modules = ( env.NGX_HTTP_MODULES or '' ) | str_split_to_list -%}
+{%- set comp_modules = modules | list_intersect(extra_comp_modules) | sort -%}
+{%- for comp in comp_modules %}
+{{ comp }} off;
+{%- endfor %}
--- a/angie/snip/empty-favicon
+++ b/angie/snip/empty-favicon
@@ -0,0 +1,4 @@
+location = /favicon.ico {
+    empty_gif;
+    expires 1d;
+}
--- a/angie/snip/fastcgi-location
+++ b/angie/snip/fastcgi-location
@@ -0,0 +1,5 @@
+try_files $fastcgi_script_name =444;
+
+## bypass the fact that try_files resets $fastcgi_path_info
+## see: https://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
--- a/angie/snip/fastcgi-request-headers.j2
+++ b/angie/snip/fastcgi-request-headers.j2
@@ -0,0 +1,6 @@
+## sourced by conf/fastcgi/headers.conf
+## set/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict|dictsort %}
+fastcgi_param  {{ h | as_cgi_hdr }}  {{ v | ngx_esc }};
+{%- endfor %}
--- a/angie/snip/fastcgi-response-headers.j2
+++ b/angie/snip/fastcgi-response-headers.j2
@@ -0,0 +1,7 @@
+## sourced by conf/fastcgi/headers.conf
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+fastcgi_hide_header  {{ h }};
+{%- endfor %}
--- a/angie/snip/grpc-request-headers.j2
+++ b/angie/snip/grpc-request-headers.j2
@@ -0,0 +1,6 @@
+## sourced by conf/grpc/headers.conf
+## set/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict|dictsort %}
+grpc_set_header  {{ h }}  {{ v | ngx_esc }};
+{%- endfor %}
--- a/angie/snip/grpc-response-headers.j2
+++ b/angie/snip/grpc-response-headers.j2
@@ -0,0 +1,7 @@
+## sourced by conf/grpc/headers.conf
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+grpc_hide_header  {{ h }};
+{%- endfor %}
--- a/angie/snip/http-alt-svc.j2
+++ b/angie/snip/http-alt-svc.j2
@@ -0,0 +1,13 @@
+## sourced by autoconf/http-alt-svc.conf
+{#- prologue -#}
+{%- set extra_proto = ['v3', 'v2'] -%}
+{%- set confload = ( env.NGX_HTTP_CONFLOAD or '' ) | str_split_to_list -%}
+{%- set proto = confload | list_intersect(extra_proto) -%}
+{#- ALPN mapping -#}
+## TODO: make this configurable
+{%- set proto = proto | re_sub('^v2$', 'h2=":443"; ma=3600') -%}
+{%- set proto = proto | re_sub('^v3$', 'h3=":443"; ma=3600') -%}
+{#- main part -#}
+{%- if proto %}
+add_header  Alt-Svc  {{ (proto | join(', ')) | ngx_esc }};
+{%- endif %}
--- a/angie/snip/http-response-headers.j2
+++ b/angie/snip/http-response-headers.j2
@@ -0,0 +1,6 @@
+## sourced by autoconf/http-response-headers.conf
+## add response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- for h, v in resp_hdr_dict|dictsort %}
+add_header  {{ h }}  {{ v | ngx_esc }};
+{%- endfor %}
--- a/angie/snip/internal-area
+++ b/angie/snip/internal-area
@@ -0,0 +1,5 @@
+## always sourced by snip/deny-dotfiles
+
+access_log     off;
+log_not_found  off;
+internal;
--- a/angie/snip/log.j2mod
+++ b/angie/snip/log.j2mod
@@ -0,0 +1,12 @@
+{%- macro error_log(dest='error.log', level='warn') %}
+error_log  {{ '/run/ngx/log'|join_prefix(dest) | ngx_esc }}  {{ level | ngx_esc }};
+{%- endmacro %}
+
+
+{%- macro access_log(dest='access.log', format='main') %}
+access_log  {{ '/run/ngx/log'|join_prefix(dest) | ngx_esc }}  {{ format | ngx_esc }}
+{%- for k, v in kwargs|dictsort %}
+  {{ "{}={}".format(k, v) | ngx_esc }}
+{%- endfor %}
+;
+{%- endmacro %}
--- a/angie/snip/proxy-request-headers.j2
+++ b/angie/snip/proxy-request-headers.j2
@@ -0,0 +1,6 @@
+## sourced by conf/proxy-http/headers.conf
+## set/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict|dictsort %}
+proxy_set_header  {{ h }}  {{ v | ngx_esc }};
+{%- endfor %}
--- a/angie/snip/proxy-response-headers.j2
+++ b/angie/snip/proxy-response-headers.j2
@@ -0,0 +1,7 @@
+## sourced by conf/proxy-http/headers.conf
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+proxy_hide_header  {{ h }};
+{%- endfor %}
--- a/angie/snip/resolver.j2inc
+++ b/angie/snip/resolver.j2inc
@@ -0,0 +1,13 @@
+{%- if env.NGX_RESOLVERS %}
+  {%- if env.NGX_RESOLVER_STACK == 'any' %}
+resolver {{ env.NGX_RESOLVERS }} status_zone={{ resolver_status_zone }};
+  {%- elif env.NGX_RESOLVER_STACK == 'ipv4' %}
+resolver {{ env.NGX_RESOLVERS }} status_zone={{ resolver_status_zone }} ipv4=on ipv6=off;
+  {%- elif env.NGX_RESOLVER_STACK == 'ipv6' %}
+resolver {{ env.NGX_RESOLVERS }} status_zone={{ resolver_status_zone }} ipv4=off ipv6=on;
+  {%- endif %}
+{%- endif %}
+
+{%- if env.NGX_RESOLVER_TIMEOUT %}
+resolver_timeout {{ env.NGX_RESOLVER_TIMEOUT }};
+{%- endif %}
--- a/angie/snip/scgi-request-headers.j2
+++ b/angie/snip/scgi-request-headers.j2
@@ -0,0 +1,6 @@
+## sourced by conf/scgi/headers.conf
+## set/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict|dictsort %}
+scgi_param  {{ h | as_cgi_hdr }}  {{ v | ngx_esc }};
+{%- endfor %}
--- a/angie/snip/scgi-response-headers.j2
+++ b/angie/snip/scgi-response-headers.j2
@@ -0,0 +1,7 @@
+## sourced by conf/scgi/headers.conf
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+scgi_hide_header  {{ h }};
+{%- endfor %}
--- a/angie/snip/ssl-intermediate.j2
+++ b/angie/snip/ssl-intermediate.j2
@@ -0,0 +1,2 @@
+{%- set ssl_profile = j2cfg.tls.profiles.intermediate -%}
+{% include 'ssl-profile.j2inc' %}
--- a/angie/snip/ssl-modern.j2
+++ b/angie/snip/ssl-modern.j2
@@ -0,0 +1,2 @@
+{%- set ssl_profile = j2cfg.tls.profiles.modern -%}
+{% include 'ssl-profile.j2inc' %}
--- a/angie/snip/ssl-old.j2
+++ b/angie/snip/ssl-old.j2
@@ -0,0 +1,2 @@
+{%- set ssl_profile = j2cfg.tls.profiles.old -%}
+{% include 'ssl-profile.j2inc' %}
--- a/angie/snip/ssl-profile.j2inc
+++ b/angie/snip/ssl-profile.j2inc
@@ -0,0 +1,28 @@
+{%- if ssl_profile.protocols %}
+ssl_protocols {{ ssl_profile.protocols }};
+{%- endif %}
+{%- if ssl_profile.prefer_server_ciphers %}
+ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};
+{%- endif %}
+{%- if ssl_profile.ciphers %}
+ssl_ciphers {{ ssl_profile.ciphers }};
+{%- endif %}
+{%- if ssl_profile.dhparam %}
+ssl_dhparam {{ ssl_profile.dhparam }};
+{%- endif %}
+{%- if ssl_profile.ecdh_curve %}
+ssl_ecdh_curve {{ ssl_profile.ecdh_curve }};
+{%- endif %}
+
+{%- if ssl_profile.session_cache %}
+ssl_session_cache {{ ssl_profile.session_cache }};
+{%- endif %}
+{%- if ssl_profile.session_timeout %}
+ssl_session_timeout {{ ssl_profile.session_timeout }};
+{%- endif %}
+{%- if ssl_profile.session_tickets %}
+ssl_session_tickets {{ ssl_profile.session_tickets }};
+{%- endif %}
+{%- if ssl_profile.session_ticket_key %}
+ssl_session_ticket_key {{ ssl_profile.session_ticket_key }};
+{%- endif %}
--- a/angie/snip/uwsgi-request-headers.j2
+++ b/angie/snip/uwsgi-request-headers.j2
@@ -0,0 +1,6 @@
+## sourced by conf/uwsgi/headers.conf
+## set/remove request headers
+{%- set req_hdr_dict = j2cfg.request_headers or {} -%}
+{%- for h, v in req_hdr_dict|dictsort %}
+uwsgi_param  {{ h | as_cgi_hdr }}  {{ v | ngx_esc }};
+{%- endfor %}
--- a/angie/snip/uwsgi-response-headers.j2
+++ b/angie/snip/uwsgi-response-headers.j2
@@ -0,0 +1,7 @@
+## sourced by conf/uwsgi/headers.conf
+## hide response headers
+{%- set resp_hdr_dict = j2cfg.response_headers or {} -%}
+{%- set resp_hdr_list = resp_hdr_dict | dict_keys -%}
+{%- for h in resp_hdr_list %}
+uwsgi_hide_header  {{ h }};
+{%- endfor %}