
initial commit

This commit is contained in:
Konstantin Demin 2024-03-22 10:24:54 +03:00
commit d7d4344c53
Signed by: krd
GPG Key ID: 1F33CB0BA4731BC6
82 changed files with 1361 additions and 0 deletions

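--- a/angie.conf
+++ b/angie.conf
@@ -0,0 +1,15 @@
+pid /run/angie.pid;
+include mod.d/core-*.conf;
+include mod.d/http-*.conf;
+include mod.d/mail-*.conf;
+include mod.d/stream-*.conf;
+events {
+include conf.d/core_events-*.conf;
+}
+include conf.d/core-*.conf;
+include http.conf;
+# include mail.conf;
+# include stream.conf;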


@ -0,0 +1 @@
error_log /var/log/angie/error.log warn;


@ -0,0 +1 @@
pcre_jit on;


@ -0,0 +1 @@
quic_bpf on;


@ -0,0 +1 @@
user angie www-data;


@ -0,0 +1 @@
worker_processes 4;


@ -0,0 +1 @@
worker_rlimit_nofile 1048576;


@ -0,0 +1 @@
worker_connections 16384;


@ -0,0 +1 @@
multi_accept on;


@ -0,0 +1,24 @@
brotli on;
## default is 6
brotli_comp_level 5;
brotli_min_length 1024;
brotli_buffers 32 16k;
brotli_types
application/atom+xml
application/javascript
application/json
application/vnd.api+json
application/rss+xml
application/x-javascript
application/xhtml+xml
application/xml
image/svg+xml
image/x-icon
text/css
text/javascript
text/plain
text/xml
;


@ -0,0 +1,7 @@
subrequest_output_buffer_size 16k;
client_body_buffer_size 16k;
client_header_buffer_size 2k;
large_client_header_buffers 8 16k;
## lowering from 16k to 4k to improve time-to-first-byte
ssl_buffer_size 4k;


@ -0,0 +1,22 @@
grpc_buffer_size 16k;
proxy_buffers 16 16k;
fastcgi_buffers 16 16k;
scgi_buffers 16 16k;
uwsgi_buffers 16 16k;
proxy_buffer_size 16k;
proxy_busy_buffers_size 32k;
proxy_temp_file_write_size 32k;
fastcgi_buffer_size 16k;
fastcgi_busy_buffers_size 32k;
fastcgi_temp_file_write_size 32k;
scgi_buffer_size 16k;
scgi_busy_buffers_size 32k;
scgi_temp_file_write_size 32k;
uwsgi_buffer_size 16k;
uwsgi_busy_buffers_size 32k;
uwsgi_temp_file_write_size 32k;


@ -0,0 +1,4 @@
geoip_country /usr/share/GeoIP/GeoIPv6.dat;
## in case of IPv4-only setup use this statement:
# geoip_country /usr/share/GeoIP/GeoIP.dat;


@ -0,0 +1,16 @@
geoip2 /usr/local/share/geoip2/GeoLite2-Country.mmdb {
$geoip2_country_code country iso_code;
$geoip2_country_name country names en;
}
geoip2 /usr/local/share/geoip2/GeoLite2-City.mmdb {
# $geoip2_city_name city names en;
$geoip2_timezone location time_zone;
$geoip2_latitude location latitude;
$geoip2_longitude location longitude;
}
geoip2 /usr/local/share/geoip2/GeoLite2-ASN.mmdb {
$geoip2_asn autonomous_system_number;
$geoip2_asn_org autonomous_system_organization;
}


@ -0,0 +1 @@
include snip.d/grpc-accept-encoding;

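--- a/conf.avail/http-gzip.conf
+++ b/conf.avail/http-gzip.conf
@@ -0,0 +1,28 @@
+gzip on;
+## default is 1
+gzip_comp_level 2;
+gzip_min_length 1024;
+gzip_vary on;
+gzip_proxied any;
+gzip_buffers 32 16k;
+gunzip_buffers 32 16k;
+gzip_types
+application/atom+xml
+application/javascript
+application/json
+application/vnd.api+json
+application/rss+xml
+application/x-javascript
+application/xhtml+xml
+application/xml
+image/svg+xml
+image/x-icon
+text/css
+text/javascript
+text/plain
+text/xml
+;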


@ -0,0 +1,67 @@
map $scheme:$host
$krdsh_need_ssl
{
default 1;
~*^[^:]+:(?:nossl-)?geo-[^.]+\.krd\.sh$ "";
~*^https: "";
~*^http:nossl- "";
}
map $scheme:$host
$krdsh_is_ssl
{
~*^https:nossl- "";
~*^https: 1;
}
map $scheme:$host
$krdsh_nossl_misuse
{
~*^https:nossl- 1;
}
map $host
$krdsh_nossl_realhost
{
~*^nossl-(.+)$ $1;
}
map $scheme:$host
$krdsh_need_redirect
{
~*^[^:]+:nossl-geo\.krd\.sh$ 1;
~*^[^:]+:(?:nossl-)?geo-[^.]+\.krd\.sh$ 1;
}
map $scheme:$host
$krdsh_redirector
{
default http://krd.sh;
~*^[^:]+:nossl-geo\.krd\.sh$ $scheme://geo.krd.sh$uri;
~*^[^:]+:(?:nossl-)?geo-([^.]+)\.krd\.sh$ $scheme://geo.krd.sh/$1;
}
map $krdsh_need_ssl$krdsh_is_ssl$krdsh_need_redirect
$krdsh_need_proxy
{
"" 1;
}
map $host
$krdsh_self_proxy_host
{
default $host;
~*^nossl-(.+)$ $1;
}
map $host
$krdsh_self_proxy_uri
{
default https://$host;
~*^nossl-(.+)$ https://$1;
}
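Review bot: This file defines the nossl-/geo- host naming convention that site.d/http-krd.sh.conf and the nexus and geo sites depend on, yet it carries no header explaining it, and the `$krdsh_need_proxy` map works by concatenating three variables and matching the empty string, which is not obvious at a glance. A short header stating that `nossl-<host>` is a plain-HTTP front that proxies to `https://<host>`, that `geo-<x>` names redirect to `geo.krd.sh/<x>`, and that `$krdsh_need_proxy` is 1 only when need_ssl, is_ssl and need_redirect are all empty would make the later `if` chain readable. It is also worth noting in a comment that `$krdsh_self_proxy_uri` defaults to `https://$host`, so the proxy target is driven by the client's Host header and is bounded only by the `.krd.sh` server_name of the server that uses it.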


@ -0,0 +1,12 @@
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format extended '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" rt="$request_time" '
'"$http_user_agent" "$http_x_forwarded_for" '
'h="$host" sn="$server_name" ru="$request_uri" u="$uri" '
'ucs="$upstream_cache_status" ua="$upstream_addr" us="$upstream_status" '
'uct="$upstream_connect_time" urt="$upstream_response_time"';
access_log /var/log/angie/access.log main buffer=512k flush=1m;


@ -0,0 +1 @@
max_ranges 2;


@ -0,0 +1,8 @@
include mime.types;
types {
font/ttf ttf;
application/font-sfnt otf;
}
default_type application/octet-stream;


@ -0,0 +1 @@
server_tokens on;
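Review bot: `server_tokens on;` puts the exact Angie version into the Server header and the default error pages, which is more disclosure than most deployments want; `server_tokens off;` keeps only the product name. If the disclosure is deliberate — the geo site's `version` key already returns `$angie_version` on purpose — a one-line comment saying so would stop the next reader from "fixing" it.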


@ -0,0 +1,55 @@
proxy_http_version 1.1;
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_cache_bypass $http_upgrade;
map $http_upgrade
$conn_upgrade_unset
{
volatile;
default upgrade;
"" "";
}
map $http_upgrade
$conn_upgrade_keepalive
{
volatile;
default upgrade;
"" keep-alive;
}
## ref:
## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
map $remote_addr
$proxy_forwarded_elem
{
## IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
## IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
## Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
## ref:
## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
## - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
map $http_forwarded
$proxy_add_forwarded
{
volatile;
## if the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
## otherwise, replace it
default "$proxy_forwarded_elem";
}
include snip.d/proxy-common-headers;
include snip.d/proxy-accept-encoding;
include snip.d/proxy-connection-upgrade;
include snip.d/proxy-early-data;
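Review bot: `proxy_ssl_server_name on;` and `proxy_ssl_protocols` are set, but nothing here, nor in the sites that `proxy_pass` to https:// upstreams (the nodejs-org site and the `.krd.sh` self-proxy), turns on upstream certificate checking, so the default `proxy_ssl_verify off` applies and any certificate presented by the upstream is accepted. Adding `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate <path to system CA bundle>;` at this http level makes every outbound TLS hop authenticated; an upstream that genuinely cannot be verified can opt out per location with a comment explaining why.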


@ -0,0 +1,2 @@
resolver 127.1.0.1 valid=60s ipv6=off;
resolver_timeout 10s;


@ -0,0 +1,4 @@
sendfile on;
#tcp_nopush on;
postpone_output 1000;

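--- a/conf.avail/http-ssl.conf
+++ b/conf.avail/http-ssl.conf
@@ -0,0 +1,7 @@
+ssl_conf_command Options PrioritizeChaCha,KTLS;
+proxy_ssl_conf_command Options PrioritizeChaCha,KTLS;
+grpc_ssl_conf_command Options PrioritizeChaCha,KTLS;
+uwsgi_ssl_conf_command Options PrioritizeChaCha,KTLS;
+include snip.d/tls-intermediate;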

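--- a/conf.avail/http-v3.conf
+++ b/conf.avail/http-v3.conf
@@ -0,0 +1,2 @@
+http3_stream_buffer_size 128k;
+quic_active_connection_id_limit 4;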

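--- a/http.conf
+++ b/http.conf
@@ -0,0 +1,4 @@
+http {
+include conf.d/http-*.conf;
+include site.d/http-*.conf;
+}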

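--- a/mail.conf
+++ b/mail.conf
@@ -0,0 +1,4 @@
+mail {
+include conf.d/mail-*.conf;
+include site.d/mail-*.conf;
+}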


@ -0,0 +1 @@
load_module modules/ngx_http_auth_jwt_module.so;


@ -0,0 +1,2 @@
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;


@ -0,0 +1 @@
load_module modules/ngx_http_dav_ext_module.so;

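--- a/mod.avail/http-echo.conf
+++ b/mod.avail/http-echo.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_echo_module.so;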


@ -0,0 +1 @@
load_module modules/ngx_http_geoip_module.so;


@ -0,0 +1 @@
load_module modules/ngx_http_geoip2_module.so;


@ -0,0 +1 @@
load_module modules/ngx_http_headers_more_filter_module.so;


@ -0,0 +1 @@
load_module modules/ngx_http_image_filter_module.so;

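--- a/mod.avail/http-njs.conf
+++ b/mod.avail/http-njs.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_js_module.so;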

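--- a/mod.avail/http-perl.conf
+++ b/mod.avail/http-perl.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_perl_module.so;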

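--- a/mod.avail/http-subs.conf
+++ b/mod.avail/http-subs.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_subs_filter_module.so;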


@ -0,0 +1 @@
load_module modules/ngx_http_upload_module.so;


@ -0,0 +1 @@
load_module modules/ngx_http_xslt_filter_module.so;

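--- a/mod.avail/http-zip.conf
+++ b/mod.avail/http-zip.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_zip_module.so;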


@ -0,0 +1 @@
load_module modules/ngx_stream_geoip_module.so;


@ -0,0 +1 @@
load_module modules/ngx_stream_geoip2_module.so;


@ -0,0 +1 @@
load_module modules/ngx_stream_js_module.so;

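--- a/njs/nexus.js
+++ b/njs/nexus.js
@@ -0,0 +1,9 @@
+function statics(r) {
+var bytes = crypto.getRandomValues(new Uint8Array(1));
+var s = (bytes[0] & 15).toString(16);
+s = "https://nexus-st-" + s + ".krd.sh" + r.uri;
+if (r.args.length > 0) { s += r.variables.is_args + r.variables.args; }
+r.return(307, s);
+}
+export default {statics};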
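Review bot: `if (r.args.length > 0)` on the fifth line looks like it never fires: in recent njs `r.args` is an object of parsed query arguments, so `.length` is undefined (it would only be set by a request that carries a `length=` parameter), and the query string is silently dropped from the 307 target. `if (r.variables.is_args) { s += r.variables.is_args + r.variables.args; }` tests the same condition the appended variables already express. A one-line comment that the low nibble of the random byte selects one of the sixteen `nexus-st-*` shards would also help, since the server_name list that `& 15` maps onto lives in another file.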


@ -0,0 +1,91 @@
server {
server_name deb.krd.sh;
include snip.d/listen-http;
include snip.d/https-alt-svc;
access_log off;
log_not_found off;
root /var/www/deb;
include snip.d/empty-favicon;
location / {
return 301 https://$host$request_uri;
include snip.d/https-alt-svc;
include snip.d/http-security-headers;
}
## allow APT work as usual
location ~*/(?:InRelease|Release|Packages|Sources)$
~*/[^/]+/.*[^/]+\.(?:asc|dsc)$
{
default_type text/plain;
try_files $uri $uri/ =404;
}
## /*/dists/*/Release.gpg
location ~*^/[^/]+/.*[^/]+\.(?:gpg)$
{
try_files $uri $uri/ =404;
}
location ~*\.(?:bz2|deb|gz|tar|udeb|xz|Z|zip|zstd?)$
## various tarball file name extensions (sic!)
~*\.t(?:[agx]z|bz2?|[bz]2|bJ|zo|lz(?:|ma?)|zstd?|a?Z)$
{
gzip off;
brotli off;
try_files $uri $uri/ =404;
}
}
server {
server_name deb.krd.sh;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/deb;
autoindex on;
include snip.d/empty-favicon;
location / {
try_files $uri $uri/ =404;
include snip.d/https-alt-svc;
include snip.d/http-security-headers;
}
location ~*/(?:InRelease|Release|Packages|Sources)$
~*\.(?:asc|build|buildinfo|changes|dsc|list|log|sources)$
{
default_type text/plain;
try_files $uri $uri/ =404;
}
location ~*\.(?:bz2|deb|gz|tar|udeb|xz|Z|zip|zstd?)$
## various tarball file name extensions (sic!)
~*\.t(?:[agx]z|bz2?|[bz]2|bJ|zo|lz(?:|ma?)|zstd?|a?Z)$
{
gzip off;
brotli off;
try_files $uri $uri/ =404;
}
## "meta" usually doesn't contain sensitive data
# include snip.d/deny-dotfiles;
location ~*^/[^/]+/\.meta/
{
default_type text/plain;
try_files $uri $uri/ =404;
}
}
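Review bot: In the HTTPS server `# include snip.d/deny-dotfiles;` is commented out so that `/.meta/` stays reachable, but with `autoindex on;` that also exposes every other dotfile and dot-directory under /var/www/deb. Regex locations are matched in order of appearance, so keeping the include and placing it after the `~*^/[^/]+/\.meta/` location would expose only `.meta`; a `^~` prefix location for `.meta` would win regardless of order. The `## "meta" usually doesn't contain sensitive data` comment suggests that narrow exposure is what was intended, so it is worth saying explicitly which one was chosen.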


@ -0,0 +1,50 @@
server {
server_name _;
listen 443 default_server bind deferred ssl;
## TODO: reuseport
listen 443 default_server quic reuseport;
http2 on;
## nota bene
ssl_reject_handshake on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
access_log off;
default_type text/plain;
root /var/www/empty;
location / {
keepalive_timeout 0;
return 200;
}
}
## GRPC over TLS
server {
server_name _;
listen 444 default_server bind deferred ssl;
## TODO: reuseport
listen 444 default_server quic reuseport;
http2 on;
## nota bene
ssl_reject_handshake on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
access_log off;
default_type text/plain;
root /var/www/empty;
location / {
keepalive_timeout 0;
return 200;
}
}
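Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in both catch-all servers widens the list beyond the `TLSv1.2 TLSv1.3` that tls-intermediate sets at http level, and `## nota bene` does not say why. If the intent is that legacy clients hitting an unknown name get a clean reject from `ssl_reject_handshake on;` instead of a protocol-version failure, a comment such as `## widened so ssl_reject_handshake answers old clients too; no certificate is served here` would say so; otherwise a reader may assume TLS 1.0/1.1 are meant to be accepted somewhere. The same applies to the 444 server below, which duplicates the block.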


@ -0,0 +1,16 @@
server {
server_name _;
listen 80 default_server bind deferred;
access_log off;
default_type text/plain;
root /var/www/empty;
location / {
keepalive_timeout 0;
return 200;
}
}


@ -0,0 +1,30 @@
server {
server_name dotfiles.krd.sh;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/dotfiles;
index index.txt;
try_files $uri $uri/ =404;
include snip.d/http-security-headers;
location ~* ^/(|index\.txt)$ {
default_type text/plain;
}
location = /get {
return 303 $scheme://$host/.config/dotfiles/install.sh;
}
location ~ ^/.+$ {
return 303 https://git.krd.sh/krd/dotfiles/raw/branch/main$uri;
}
include snip.d/empty-favicon;
include snip.d/robots-txt;
}


@ -0,0 +1,30 @@
server {
server_name files.krd.sh;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/files;
autoindex on;
include snip.d/http-security-headers;
location / {
try_files $uri $uri/ =404;
}
location ~*^/(?:angie)/
~*\.(?:asc|conf|dsc|js|json|pem|sh|sources|txt)$
{
default_type text/plain;
try_files $uri $uri/ =404;
}
include snip.d/deny-dotfiles;
include snip.d/empty-favicon;
include snip.d/robots-txt;
}


@ -0,0 +1,152 @@
map $http3:$http2:$server_protocol
$krdsh__geo_proto
{
default $server_protocol;
~^[^:]+: $http3;
~^:[^:]+: $http2;
}
map $http_user_agent
$krdsh__geo_ua
{
default $http_user_agent;
"" "<none>";
}
map $ssl_protocol
$krdsh__geo_ssl_proto
{
default $ssl_protocol;
"" "none";
}
map $ssl_alpn_protocol
$krdsh__geo_ssl_alpn
{
default $ssl_alpn_protocol;
"" "none";
}
map $ssl_session_reused
$krdsh__geo_ssl_reuse
{
default "no";
r yes;
}
map $ssl_early_data
$krdsh__geo_ssl_early
{
default "no";
1 yes;
}
map $uri
$krdsh__geo_k
{
volatile;
## default is "help"
default help;
~^/(.+)$ $1;
}
map $krdsh__geo_k
$krdsh__geo_v
{
volatile;
## default is "help"
default "usage: $host/{key}\r\nmeta keys: [help] all geo ssl version\r\nsimple keys: ip user-agent proto ssl-proto ssl-alpn ssl-reuse ssl-early country-code country-name timezone latitude longitude asn asn-org";
ip $remote_addr;
user-agent $krdsh__geo_ua;
proto $krdsh__geo_proto;
ssl-proto $krdsh__geo_ssl_proto;
ssl-alpn $krdsh__geo_ssl_alpn;
ssl-reuse $krdsh__geo_ssl_reuse;
ssl-early $krdsh__geo_ssl_early;
country-code $geoip2_country_code;
country-name $geoip2_country_name;
timezone $geoip2_timezone;
latitude $geoip2_latitude;
longitude $geoip2_longitude;
asn $geoip2_asn;
asn-org $geoip2_asn_org;
version "angie/$angie_version";
all "ip: $remote_addr\r\nuser-agent: $krdsh__geo_ua\r\nproto: $krdsh__geo_proto\r\nssl-proto: $krdsh__geo_ssl_proto\r\nssl-alpn: $krdsh__geo_ssl_alpn\r\nssl-reuse: $krdsh__geo_ssl_reuse\r\nssl-early: $krdsh__geo_ssl_early\r\ncountry-code: $geoip2_country_code\r\ncountry-name: $geoip2_country_name\r\ntimezone: $geoip2_timezone\r\nlatitude: $geoip2_latitude\r\nlongitude: $geoip2_longitude\r\nasn: $geoip2_asn\r\nasn-org: $geoip2_asn_org";
geo "ip: $remote_addr\r\ncountry-code: $geoip2_country_code\r\ncountry-name: $geoip2_country_name\r\ntimezone: $geoip2_timezone\r\nlatitude: $geoip2_latitude\r\nlongitude: $geoip2_longitude\r\nasn: $geoip2_asn\r\nasn-org: $geoip2_asn_org";
ssl "proto: $krdsh__geo_proto\r\nssl-proto: $krdsh__geo_ssl_proto\r\nssl-alpn: $krdsh__geo_ssl_alpn\r\nssl-reuse: $krdsh__geo_ssl_reuse\r\nssl-early: $krdsh__geo_ssl_early";
}
map $uri
$krdsh__geo_file
{
## guess what?..
default default.zst;
~*^/asn\.(.+)$ GeoLite2-ASN.$1;
~*^/city\.(.+)$ GeoLite2-City.$1;
~*^/country\.(.+)$ GeoLite2-Country.$1;
}
server {
server_name geo.krd.sh;
include snip.d/listen-http;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
keepalive_timeout 0;
root /var/www/empty;
include snip.d/empty-favicon;
location / {
default_type text/plain;
return 200 "$krdsh__geo_v\r\n";
}
location ~*^/[^/.]+\.mmdb\.[^/.]+$
{
root /usr/local/share/geoip2;
try_files /$krdsh__geo_file @file_help;
}
location ~*^/[^/.]+\.mmdb$
{
try_files /.non-existent-uri @file_help;
}
location @file_help
{
## sync with "map $uri krdsh__geo_file"
set $krdsh__geo_bases "asn city country";
## sync with file system contents
set $krdsh__geo_comps "br bz2 gz xz zst";
## sync with two above
set $krdsh__geo_example "country.mmdb.xz";
default_type text/plain;
add_header X-GeoIp-Bases $krdsh__geo_bases always;
add_header X-GeoIp-Comps $krdsh__geo_comps always;
add_header X-GeoIp-Example $krdsh__geo_example always;
return 403 "valid file names: $krdsh__geo_bases\r\nvalid trailing extensions: $krdsh__geo_comps\r\nexample: $krdsh__geo_example\r\n";
}
}


@ -0,0 +1,158 @@
server {
server_name git.krd.sh ci.krd.sh;
include snip.d/listen-http;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/https-alt-svc;
include snip.d/http-security-headers;
keepalive_timeout 0;
include snip.d/empty-favicon;
location / {
return 301 https://$host$uri$is_args$args;
}
}
proxy_cache_path
/var/cache/angie/proxy/krdsh-git
keys_zone=krdsh_git:10m
levels=1:2 inactive=1h;
server {
server_name git.krd.sh;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/http-security-headers;
include snip.d/proxy-common-headers;
include snip.d/proxy-accept-encoding;
include snip.d/proxy-connection-keepalive;
include snip.d/proxy-early-data;
proxy_redirect ~*^http://(ci|git)\.krd\.sh(?:|:[0-9]+)/(.*)$ https://$1.krd.sh/$2;
location / {
proxy_pass http://127.0.0.1:3000;
## quirks
client_max_body_size 512M;
chunked_transfer_encoding off;
}
location @precache {
proxy_pass http://127.0.0.1:3000;
proxy_cache krdsh_git;
proxy_cache_key $uri;
proxy_cache_valid 200 1h;
proxy_cache_valid 30s;
proxy_ignore_client_abort on;
proxy_ignore_headers Cache-Control;
proxy_hide_header Cache-Control;
expires 2h;
## quirks
chunked_transfer_encoding off;
proxy_method GET;
proxy_buffering on;
proxy_temp_file_write_size 4m;
}
location /assets/ {
try_files /.non-existent-uri @precache;
# proxy_pass http://127.0.0.1:3000;
}
}
proxy_cache_path
/var/cache/angie/proxy/krdsh-ci
keys_zone=krdsh_ci:10m
levels=1:2 inactive=1h;
server {
server_name ci.krd.sh;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/http-security-headers;
include snip.d/proxy-common-headers;
include snip.d/proxy-accept-encoding;
include snip.d/proxy-connection-keepalive;
include snip.d/proxy-early-data;
proxy_redirect ~*^http://(ci|git)\.krd\.sh(?:|:[0-9]+)/(.*)$ https://$1.krd.sh/$2;
location / {
proxy_pass http://127.0.0.1:8000;
## quirks
chunked_transfer_encoding off;
client_max_body_size 16M;
proxy_buffering off;
}
location @precache {
proxy_pass http://127.0.0.1:8000;
proxy_cache krdsh_ci;
proxy_cache_key $uri;
proxy_cache_valid 200 1h;
proxy_cache_valid 30s;
proxy_ignore_client_abort on;
proxy_ignore_headers Cache-Control;
proxy_hide_header Cache-Control;
expires 2h;
## quirks
chunked_transfer_encoding off;
proxy_method GET;
proxy_buffering on;
proxy_temp_file_write_size 4m;
}
location /assets/ {
try_files /.non-existent-uri @precache;
# proxy_pass http://127.0.0.1:8000;
}
}
server {
server_name ci.krd.sh;
include snip.d/listen-grpcs;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/http-security-headers;
include snip.d/grpc-accept-encoding;
location / {
grpc_pass grpc://127.0.0.1:9000;
}
}


@ -0,0 +1,55 @@
## $krdsh_* are defined in conf.d/http-krd.sh.conf
server {
server_name .krd.sh;
include snip.d/listen-http;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
log_not_found off;
access_log off;
root /var/www/empty;
include snip.d/deny-dotfiles;
include snip.d/empty-favicon;
include snip.d/http-security-headers;
default_type text/plain;
keepalive_timeout 0;
proxy_hide_header Vary;
# proxy_redirect off;
# include snip.d/proxy-common-headers;
# include snip.d/proxy-accept-encoding;
# include snip.d/proxy-connection-upgrade;
# include snip.d/proxy-early-data;
proxy_ssl_name $krdsh_self_proxy_host;
proxy_set_header Host $krdsh_self_proxy_host;
location / {
if ($krdsh_is_ssl) {
return 200;
}
if ($krdsh_need_ssl) {
return 301 https://$host$request_uri;
}
if ($krdsh_nossl_misuse) {
return 301 https://$krdsh_nossl_realhost$request_uri;
}
if ($krdsh_need_redirect) {
return 301 $krdsh_redirector;
}
if ($krdsh_need_proxy) {
proxy_pass $krdsh_self_proxy_uri;
}
}
}
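Review bot: This server answers for every `.krd.sh` name and includes snip.d/http-security-headers, which via http-base-security-headers sends `Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`; once a browser has seen that header from the apex it upgrades every subdomain, including the `nossl-*.krd.sh` plain-HTTP path that this file and the http-krd.sh maps build. If the nossl- hosts are meant only for non-browser clients (apt, curl) that is harmless, but it should be written down next to `## $krdsh_* are defined in conf.d/http-krd.sh.conf`; if browsers are expected there, `includeSubDomains` on the apex defeats the design and `preload` makes it permanent. The five `if` blocks in `location /` would also read better with a one-line comment each stating which host pattern reaches it.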


@ -0,0 +1,216 @@
server {
server_name nexus.krd.sh;
include snip.d/listen-http;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/https-alt-svc;
include snip.d/http-base-security-headers;
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ http://$host/$1;
keepalive_timeout 0;
include snip.d/empty-favicon;
location / {
return 301 https://$host$uri$is_args$args;
}
## allow APT work as usual
location ~*^/repository/apt_[^/]+/(?:dists|pool)/
{
gzip off;
brotli off;
proxy_pass http://127.0.0.1:8081;
proxy_method GET;
}
## allow proxy repositories only for non-public usage
location ~*^/repository/proxy_[^/]+/
{
allow 127.0.0.0/8;
allow 192.0.2.0/24;
allow 240.0.0.0/4;
deny all;
proxy_pass http://127.0.0.1:8081;
proxy_method GET;
}
## quirks
chunked_transfer_encoding off;
}
server {
server_name nexus-asis.krd.sh;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/http-security-headers;
include snip.d/proxy-common-headers;
include snip.d/proxy-accept-encoding;
include snip.d/proxy-connection-keepalive;
include snip.d/proxy-early-data;
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;
location / {
proxy_pass http://127.0.0.1:8081;
## quirks
client_max_body_size 1024M;
}
## allow proxy repositories only for non-public usage
location ~*^/repository/proxy_[^/]+/
{
allow 127.0.0.0/8;
allow 192.0.2.0/24;
allow 240.0.0.0/4;
deny all;
proxy_pass http://127.0.0.1:8081;
}
## quirks
chunked_transfer_encoding off;
}
server {
server_name nexus.krd.sh;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/http-base-security-headers;
include snip.d/proxy-common-headers;
include snip.d/proxy-accept-encoding;
include snip.d/proxy-connection-keepalive;
include snip.d/proxy-early-data;
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;
location / {
proxy_pass http://127.0.0.1:8081;
## quirks
client_max_body_size 1024M;
}
## allow proxy repositories only for non-public usage
location ~*^/repository/proxy_[^/]+/
{
allow 127.0.0.0/8;
allow 192.0.2.0/24;
allow 240.0.0.0/4;
deny all;
proxy_pass http://127.0.0.1:8081;
}
js_import njs/nexus.js;
location /static/ {
js_content nexus.statics;
}
## quirks
chunked_transfer_encoding off;
}
proxy_cache_path
/var/cache/angie/proxy/krdsh-nexus
keys_zone=krdsh_nexus:10m
levels=1:2 inactive=1h;
server {
## PITA
server_name
nexus-st-0.krd.sh
nexus-st-1.krd.sh
nexus-st-2.krd.sh
nexus-st-3.krd.sh
nexus-st-4.krd.sh
nexus-st-5.krd.sh
nexus-st-6.krd.sh
nexus-st-7.krd.sh
nexus-st-8.krd.sh
nexus-st-9.krd.sh
nexus-st-a.krd.sh
nexus-st-b.krd.sh
nexus-st-c.krd.sh
nexus-st-d.krd.sh
nexus-st-e.krd.sh
nexus-st-f.krd.sh
;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
# log_not_found off;
root /var/www/empty;
include snip.d/http-base-security-headers;
add_header Access-Control-Allow-Origin "https://nexus.krd.sh" always;
include snip.d/proxy-common-headers;
include snip.d/proxy-accept-encoding;
include snip.d/proxy-connection-close;
include snip.d/proxy-early-data;
proxy_ignore_headers Cache-Control;
proxy_hide_header Cache-Control;
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://nexus.krd.sh/$1;
location / {
return 301 https://nexus.krd.sh;
}
location /static/ {
try_files /.non-existent-uri @precache;
}
location @precache {
proxy_pass http://127.0.0.1:8081;
proxy_cache krdsh_nexus;
proxy_cache_key $uri$is_args$args;
proxy_cache_valid 200 1h;
proxy_cache_valid 30s;
proxy_ignore_client_abort on;
expires 2h;
## quirks
proxy_method GET;
proxy_buffering on;
proxy_temp_file_write_size 4m;
}
## quirks
chunked_transfer_encoding off;
}
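Review bot: The `allow 127.0.0.0/8; allow 192.0.2.0/24; allow 240.0.0.0/4; deny all;` block is repeated verbatim in three server blocks; the rest of this tree factors shared fragments into snip.d, so a `snip.d/allow-internal` include would keep the copies from drifting. 192.0.2.0/24 (TEST-NET-1) and 240.0.0.0/4 (reserved) are unusual choices for a trusted range — presumably placeholders or a local convention — and a comment naming what they stand for would save the next reviewer the same question. `allow` keys on `$remote_addr` as seen by this listener, which is correct as long as no `set_real_ip_from`/`real_ip_header` is ever added in front of it; that assumption is worth a comment too.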


@ -0,0 +1,70 @@
proxy_cache_path
/var/cache/angie/proxy/nodejs-org
keys_zone=nodejs_org:10m
levels=1:2 inactive=1h;
server {
server_name nodejs-org.krd.sh;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/empty;
location / {
try_files /.non-existent-uri @redirect;
}
location ~* \.(?:7z|exe|exp|gz|lib|msi|pkg|tgz|xz|zip)$
{
try_files /.non-existent-uri @redirect;
}
## merely quirk
location ~* ^/(?:dist|download)$
{
return 301 $scheme://$server_name$uri/;
}
location ~/$
~*^/(?:dist|download)/
{
try_files /.non-existent-uri @download;
}
proxy_set_header Accept "*/*";
proxy_set_header User-Agent "angie/$angie_version";
include snip.d/proxy-common-headers;
include snip.d/proxy-accept-encoding;
include snip.d/proxy-connection-close;
location @redirect {
return 301 https://nodejs.org$request_uri;
}
location @download {
proxy_pass https://nodejs.org$uri$is_args$args;
proxy_redirect https://nodejs.org $scheme://$server_name;
proxy_cache nodejs_org;
proxy_cache_key $uri$is_args$args;
proxy_cache_valid 200 1h;
proxy_cache_valid 30s;
proxy_ignore_client_abort on;
proxy_ignore_headers Cache-Control;
proxy_hide_header Cache-Control;
expires 30m;
## quirks
chunked_transfer_encoding off;
proxy_method GET;
proxy_buffering on;
proxy_temp_file_write_size 4m;
}
}

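--- a/snip.d/area-internal
+++ b/snip.d/area-internal
@@ -0,0 +1,5 @@
+## always sourced by snip.d/deny-dotfiles
+access_log off;
+log_not_found off;
+internal;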

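--- a/snip.d/common-fastcgi
+++ b/snip.d/common-fastcgi
@@ -0,0 +1,17 @@
+## always sourced by snip.d/common-fcgiwrap
+try_files $fastcgi_script_name =444;
+## KrD: do not pass Accept-Encoding to backend
+fastcgi_param HTTP_ACCEPT_ENCODING "";
+## bypass the fact that try_files resets $fastcgi_path_info
+## see: https://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+fastcgi_param AUTH_USER $remote_user;
+fastcgi_param REMOTE_USER $remote_user;
+fastcgi_param HTTP_HOST $host;
+include fastcgi.conf;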

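--- a/snip.d/common-fcgiwrap
+++ b/snip.d/common-fcgiwrap
@@ -0,0 +1,3 @@
+fastcgi_pass unix:/run/fcgiwrap.socket;
+include snip.d/common-fastcgi;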

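--- a/snip.d/deny-dotfiles
+++ b/snip.d/deny-dotfiles
@@ -0,0 +1,3 @@
+location ~ /\. {
+include snip.d/area-internal;
+}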
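Review bot: `location ~ /\.` with `internal;` also answers 404 for `/.well-known/`, including `/.well-known/acme-challenge/`, in every server that includes this snippet, while the certificates come from /etc/letsencrypt/live/krd.sh. If renewals use http-01 that path must stay reachable: a `location ^~ /.well-known/acme-challenge/ { root <challenge webroot placeholder>; }` placed in this same snippet wins over the regex regardless of order. If renewals use dns-01 or a standalone listener instead, a one-line comment here saying so will prevent a future outage investigation.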

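--- a/snip.d/empty-favicon
+++ b/snip.d/empty-favicon
@@ -0,0 +1,4 @@
+location = /favicon.ico {
+empty_gif;
+expires 1d;
+}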


@ -0,0 +1,3 @@
## always sourced by conf.d/http-grpc-accept-encoding.conf
grpc_set_header Accept-Encoding "";


@ -0,0 +1,13 @@
## always sourced by include snip.d/http-security-headers
include snip.d/http-proxy-hide-security-headers;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
# add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Permissions-Policy "interest-cohort=()" always;
## obsolete
add_header X-Frame-Options "SAMEORIGIN" always;
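Review bot: `add_header X-XSS-Protection "1; mode=block" always;` re-enables a filter that current guidance (MDN, OWASP) recommends disabling with `0` or omitting, since the legacy auditor it controls has been removed from modern browsers and had known information-leak issues in old ones. `Referrer-Policy "no-referrer-when-downgrade"` is weaker than the commented-out `strict-origin-when-cross-origin`, which is also the default in current browsers, so the active line relaxes rather than hardens; if some site relies on full referrers a comment should say which. HSTS with `includeSubDomains; preload` is a long-lived commitment for every `*.krd.sh` host, including any that intentionally serve plain HTTP (the nossl- hosts in the site configs); a comment that this interaction is understood would help.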


@ -0,0 +1,44 @@
## always sourced by include snip.d/http-base-security-headers
proxy_hide_header X-XSS-Protection;
fastcgi_hide_header X-XSS-Protection;
grpc_hide_header X-XSS-Protection;
scgi_hide_header X-XSS-Protection;
uwsgi_hide_header X-XSS-Protection;
proxy_hide_header X-Content-Type-Options;
fastcgi_hide_header X-Content-Type-Options;
grpc_hide_header X-Content-Type-Options;
scgi_hide_header X-Content-Type-Options;
uwsgi_hide_header X-Content-Type-Options;
proxy_hide_header Referrer-Policy;
fastcgi_hide_header Referrer-Policy;
grpc_hide_header Referrer-Policy;
scgi_hide_header Referrer-Policy;
uwsgi_hide_header Referrer-Policy;
proxy_hide_header Strict-Transport-Security;
fastcgi_hide_header Strict-Transport-Security;
grpc_hide_header Strict-Transport-Security;
scgi_hide_header Strict-Transport-Security;
uwsgi_hide_header Strict-Transport-Security;
proxy_hide_header Permissions-Policy;
fastcgi_hide_header Permissions-Policy;
grpc_hide_header Permissions-Policy;
scgi_hide_header Permissions-Policy;
uwsgi_hide_header Permissions-Policy;
proxy_hide_header Content-Security-Policy;
fastcgi_hide_header Content-Security-Policy;
grpc_hide_header Content-Security-Policy;
scgi_hide_header Content-Security-Policy;
uwsgi_hide_header Content-Security-Policy;
## obsolete
proxy_hide_header X-Frame-Options;
fastcgi_hide_header X-Frame-Options;
grpc_hide_header X-Frame-Options;
scgi_hide_header X-Frame-Options;
uwsgi_hide_header X-Frame-Options;


@ -0,0 +1,3 @@
include snip.d/http-base-security-headers;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self';" always;
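Review bot: The Content-Security-Policy value allows `http: https: ws: wss: data: blob:` plus `'unsafe-inline' 'unsafe-eval'` under `default-src`, which permits script from any origin and inline/eval, so it does not mitigate injection at all; the only clause with an effect is `frame-ancestors 'self'`. If the permissive source list is there so the proxied applications keep working, a comment saying so (and that `frame-ancestors` is the intended control) would keep the header from being read as protective; otherwise `add_header Content-Security-Policy "frame-ancestors 'self';" always;` states the actual intent with less surface to misread.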

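--- a/snip.d/https-alt-svc
+++ b/snip.d/https-alt-svc
@@ -0,0 +1,3 @@
+## always sourced by snip.d/listen-https
+add_header Alt-Svc 'h3=":443"; ma=3600, h2=":443"; ma=3600' always;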

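--- a/snip.d/listen-grpcs
+++ b/snip.d/listen-grpcs
@@ -0,0 +1,3 @@
+listen 444 ssl;
+listen 444 quic;
+http2 on;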

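--- a/snip.d/listen-http
+++ b/snip.d/listen-http
@@ -0,0 +1 @@
+listen 80;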

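--- a/snip.d/listen-https
+++ b/snip.d/listen-https
@@ -0,0 +1,5 @@
+listen 443 ssl;
+listen 443 quic;
+http2 on;
+include snip.d/https-alt-svc;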


@ -0,0 +1,3 @@
## always sourced by conf.d/http-proxy.conf
proxy_set_header Accept-Encoding "";


@ -0,0 +1,9 @@
## always sourced by conf.d/http-proxy.conf
## $proxy_add_forwarded is defined in conf.d/http-proxy.conf
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Forwarded $proxy_add_forwarded;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;


@ -0,0 +1,2 @@
proxy_set_header Connection close;
proxy_set_header Upgrade "";


@ -0,0 +1,3 @@
## $conn_upgrade_keepalive is defined in conf.d/http-proxy.conf
proxy_set_header Connection $conn_upgrade_keepalive;
proxy_set_header Upgrade $http_upgrade;


@ -0,0 +1,5 @@
## always sourced by conf.d/http-proxy.conf
## $conn_upgrade_unset is defined in conf.d/http-proxy.conf
proxy_set_header Connection $conn_upgrade_unset;
proxy_set_header Upgrade $http_upgrade;

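--- a/snip.d/proxy-early-data
+++ b/snip.d/proxy-early-data
@@ -0,0 +1,3 @@
+## always sourced by conf.d/http-proxy.conf
+proxy_set_header Early-Data $ssl_early_data;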

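--- a/snip.d/robots-txt
+++ b/snip.d/robots-txt
@@ -0,0 +1,4 @@
+location = /robots.txt {
+try_files /.robots.txt /robots.txt =404;
+log_not_found off;
+}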

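--- a/snip.d/ssl-krd.sh
+++ b/snip.d/ssl-krd.sh
@@ -0,0 +1,3 @@
+ssl_certificate /etc/letsencrypt/live/krd.sh/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/krd.sh/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/krd.sh/chain.pem;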

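--- a/snip.d/tls-common
+++ b/snip.d/tls-common
@@ -0,0 +1,5 @@
+ssl_session_timeout 7m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;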

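--- a/snip.d/tls-intermediate
+++ b/snip.d/tls-intermediate
@@ -0,0 +1,11 @@
+## always sourced by conf.d/http-ssl.conf
+include snip.d/tls-common;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_session_cache shared:tls-intermediate:10m;
+ssl_prefer_server_ciphers off;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+## openssl genpkey -genparam -algorithm DH -out /etc/angie/tls/ffdhe2048.pem -pkeyopt group:ffdhe2048
+ssl_dhparam /etc/angie/tls/ffdhe2048.pem;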

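--- a/snip.d/tls-modern
+++ b/snip.d/tls-modern
@@ -0,0 +1,6 @@
+include snip.d/tls-common;
+ssl_protocols TLSv1.3;
+ssl_session_cache shared:ssl-modern:10m;
+ssl_prefer_server_ciphers off;
+ssl_early_data on;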
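Review bot: `ssl_early_data on;` accepts TLS 1.3 0-RTT, whose application data can be replayed by anyone on the network path; neither tls-intermediate nor tls-old enables it, and nothing on this page includes tls-modern, so it appears unused, but the risk should be recorded here for whoever switches profiles. snip.d/proxy-early-data forwards `$ssl_early_data` as an `Early-Data` header, which is the right mitigation only if every upstream answers 425 (Too Early) for non-idempotent requests received that way. A comment such as `## 0-RTT is replayable: only safe when upstreams honour the Early-Data header (RFC 8470)` would tie the two files together.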

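--- a/snip.d/tls-old
+++ b/snip.d/tls-old
@@ -0,0 +1,9 @@
+include snip.d/tls-common;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_session_cache shared:tls-old:10m;
+ssl_prefer_server_ciphers on;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
+## openssl genpkey -genparam -algorithm DH -out /etc/angie/tls/dh1024.pem -pkeyopt dh_paramgen_prime_len:1024
+ssl_dhparam /etc/angie/tls/dh1024.pem;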
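Review bot: `ssl_dhparam /etc/angie/tls/dh1024.pem;` pairs the DHE suites with a 1024-bit group, which is below the widely recommended 2048-bit minimum and within reach of well-resourced attackers (the Logjam results); tls-intermediate already uses ffdhe2048.pem and the same file would work here, `ssl_dhparam /etc/angie/tls/ffdhe2048.pem;`. Together with `TLSv1 TLSv1.1` and `DES-CBC3-SHA` this profile is only defensible for a specific legacy client population, and nothing on this page includes it; a header comment naming that population (or marking the file as intentionally unused) would prevent it from being picked up by accident.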

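--- a/stream.conf
+++ b/stream.conf
@@ -0,0 +1,4 @@
+stream {
+include conf.d/stream-*.conf;
+include site.d/stream-*.conf;
+}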