commit d7d4344c53766311f1225f142e6b117d7b7b4863
Author: Konstantin Demin
Date: Fri Mar 22 10:24:54 2024 +0300
initial commit
diff --git a/angie.conf b/angie.conf
new file mode 100644
index 0000000..d282ddc
--- /dev/null
+++ b/angie.conf
@@ -0,0 +1,15 @@
+pid /run/angie.pid;
+
+include mod.d/core-*.conf;
+include mod.d/http-*.conf;
+include mod.d/mail-*.conf;
+include mod.d/stream-*.conf;
+
+events {
+ include conf.d/core_events-*.conf;
+}
+include conf.d/core-*.conf;
+
+include http.conf;
+# include mail.conf;
+# include stream.conf;
diff --git a/conf.avail/core-logging.conf b/conf.avail/core-logging.conf
new file mode 100644
index 0000000..31c967c
--- /dev/null
+++ b/conf.avail/core-logging.conf
@@ -0,0 +1 @@
+error_log /var/log/angie/error.log warn;
diff --git a/conf.avail/core-pcre.conf b/conf.avail/core-pcre.conf
new file mode 100644
index 0000000..64d55ee
--- /dev/null
+++ b/conf.avail/core-pcre.conf
@@ -0,0 +1 @@
+pcre_jit on;
diff --git a/conf.avail/core-quic-bpf.conf b/conf.avail/core-quic-bpf.conf
new file mode 100644
index 0000000..8741611
--- /dev/null
+++ b/conf.avail/core-quic-bpf.conf
@@ -0,0 +1 @@
+quic_bpf on;
diff --git a/conf.avail/core-user.conf b/conf.avail/core-user.conf
new file mode 100644
index 0000000..2029201
--- /dev/null
+++ b/conf.avail/core-user.conf
@@ -0,0 +1 @@
+user angie www-data;
diff --git a/conf.avail/core-worker-processes.conf b/conf.avail/core-worker-processes.conf
new file mode 100644
index 0000000..f8e2497
--- /dev/null
+++ b/conf.avail/core-worker-processes.conf
@@ -0,0 +1 @@
+worker_processes 4;
diff --git a/conf.avail/core-worker-rlimit-nofile.conf b/conf.avail/core-worker-rlimit-nofile.conf
new file mode 100644
index 0000000..cc3b607
--- /dev/null
+++ b/conf.avail/core-worker-rlimit-nofile.conf
@@ -0,0 +1 @@
+worker_rlimit_nofile 1048576;
diff --git a/conf.avail/core_events-worker-connections.conf b/conf.avail/core_events-worker-connections.conf
new file mode 100644
index 0000000..05594d5
--- /dev/null
+++ b/conf.avail/core_events-worker-connections.conf
@@ -0,0 +1 @@
+worker_connections 16384;
diff --git a/conf.avail/core_events-worker-multi-accept.conf b/conf.avail/core_events-worker-multi-accept.conf
new file mode 100644
index 0000000..7f6e3d8
--- /dev/null
+++ b/conf.avail/core_events-worker-multi-accept.conf
@@ -0,0 +1 @@
+multi_accept on;
diff --git a/conf.avail/http-brotli.conf b/conf.avail/http-brotli.conf
new file mode 100644
index 0000000..bc7f09e
--- /dev/null
+++ b/conf.avail/http-brotli.conf
@@ -0,0 +1,24 @@
+brotli on;
+
+## default is 6
+brotli_comp_level 5;
+brotli_min_length 1024;
+
+brotli_buffers 32 16k;
+
+brotli_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/vnd.api+json
+ application/rss+xml
+ application/x-javascript
+ application/xhtml+xml
+ application/xml
+ image/svg+xml
+ image/x-icon
+ text/css
+ text/javascript
+ text/plain
+ text/xml
+;
diff --git a/conf.avail/http-buffers-main.conf b/conf.avail/http-buffers-main.conf
new file mode 100644
index 0000000..e7c81ba
--- /dev/null
+++ b/conf.avail/http-buffers-main.conf
@@ -0,0 +1,7 @@
+subrequest_output_buffer_size 16k;
+client_body_buffer_size 16k;
+client_header_buffer_size 2k;
+large_client_header_buffers 8 16k;
+
+## lowering from 16k to 4k to improve time-to-first-byte
+ssl_buffer_size 4k;
diff --git a/conf.avail/http-buffers-misc.conf b/conf.avail/http-buffers-misc.conf
new file mode 100644
index 0000000..c316e16
--- /dev/null
+++ b/conf.avail/http-buffers-misc.conf
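Review bot: `brotli on;` with `brotli_types` covering JSON, JavaScript and plain text is applied at http level with no note on where it must be switched off; on TLS vhosts that proxy dynamic applications (the git, ci and nexus sites in this commit), compressing responses that mix a secret with attacker-influenced input is the precondition for the BREACH class of compression side channels, which neither TLS nor the upstream can fix on its own. The deb vhost already shows the opt-out pattern (`brotli off;` / `gzip off;` per location); a comment here such as `## keep compression limited to static or secret-free responses on proxied vhosts` would make that expectation explicit. The same applies to the `gzip on;` hunk in conf.avail/http-gzip.conf, which enables the same MIME list.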
@@ -0,0 +1,22 @@
+grpc_buffer_size 16k;
+
+proxy_buffers 16 16k;
+fastcgi_buffers 16 16k;
+scgi_buffers 16 16k;
+uwsgi_buffers 16 16k;
+
+proxy_buffer_size 16k;
+proxy_busy_buffers_size 32k;
+proxy_temp_file_write_size 32k;
+
+fastcgi_buffer_size 16k;
+fastcgi_busy_buffers_size 32k;
+fastcgi_temp_file_write_size 32k;
+
+scgi_buffer_size 16k;
+scgi_busy_buffers_size 32k;
+scgi_temp_file_write_size 32k;
+
+uwsgi_buffer_size 16k;
+uwsgi_busy_buffers_size 32k;
+uwsgi_temp_file_write_size 32k;
diff --git a/conf.avail/http-geoip.conf b/conf.avail/http-geoip.conf
new file mode 100644
index 0000000..c70f0b9
--- /dev/null
+++ b/conf.avail/http-geoip.conf
@@ -0,0 +1,4 @@
+geoip_country /usr/share/GeoIP/GeoIPv6.dat;
+
+## in case of IPv4-only setup use this statement:
+# geoip_country /usr/share/GeoIP/GeoIP.dat;
diff --git a/conf.avail/http-geoip2.conf b/conf.avail/http-geoip2.conf
new file mode 100644
index 0000000..e382525
--- /dev/null
+++ b/conf.avail/http-geoip2.conf
@@ -0,0 +1,16 @@
+geoip2 /usr/local/share/geoip2/GeoLite2-Country.mmdb {
+ $geoip2_country_code country iso_code;
+ $geoip2_country_name country names en;
+}
+
+geoip2 /usr/local/share/geoip2/GeoLite2-City.mmdb {
+ # $geoip2_city_name city names en;
+ $geoip2_timezone location time_zone;
+ $geoip2_latitude location latitude;
+ $geoip2_longitude location longitude;
+}
+
+geoip2 /usr/local/share/geoip2/GeoLite2-ASN.mmdb {
+ $geoip2_asn autonomous_system_number;
+ $geoip2_asn_org autonomous_system_organization;
+}
diff --git a/conf.avail/http-grpc-accept-encoding.conf b/conf.avail/http-grpc-accept-encoding.conf
new file mode 100644
index 0000000..a23388a
--- /dev/null
+++ b/conf.avail/http-grpc-accept-encoding.conf
@@ -0,0 +1 @@
+include snip.d/grpc-accept-encoding;
diff --git a/conf.avail/http-gzip.conf b/conf.avail/http-gzip.conf
new file mode 100644
index 0000000..57cab04
--- /dev/null
+++ b/conf.avail/http-gzip.conf
@@ -0,0 +1,28 @@
+gzip on;
+
+## default is 1
+gzip_comp_level 2;
+gzip_min_length 1024;
+
+gzip_vary on;
+gzip_proxied any;
+
+gzip_buffers 32 16k;
+gunzip_buffers 32 16k;
+
+gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/vnd.api+json
+ application/rss+xml
+ application/x-javascript
+ application/xhtml+xml
+ application/xml
+ image/svg+xml
+ image/x-icon
+ text/css
+ text/javascript
+ text/plain
+ text/xml
+;
diff --git a/conf.avail/http-krd.sh.conf b/conf.avail/http-krd.sh.conf
new file mode 100644
index 0000000..ba4ffed
--- /dev/null
+++ b/conf.avail/http-krd.sh.conf
@@ -0,0 +1,67 @@
+map $scheme:$host
+ $krdsh_need_ssl
+{
+ default 1;
+
+ ~*^[^:]+:(?:nossl-)?geo-[^.]+\.krd\.sh$ "";
+
+ ~*^https: "";
+ ~*^http:nossl- "";
+}
+
+map $scheme:$host
+ $krdsh_is_ssl
+{
+ ~*^https:nossl- "";
+ ~*^https: 1;
+}
+
+map $scheme:$host
+ $krdsh_nossl_misuse
+{
+ ~*^https:nossl- 1;
+}
+
+map $host
+ $krdsh_nossl_realhost
+{
+ ~*^nossl-(.+)$ $1;
+}
+
+map $scheme:$host
+ $krdsh_need_redirect
+{
+ ~*^[^:]+:nossl-geo\.krd\.sh$ 1;
+ ~*^[^:]+:(?:nossl-)?geo-[^.]+\.krd\.sh$ 1;
+}
+
+map $scheme:$host
+ $krdsh_redirector
+{
+ default http://krd.sh;
+
+ ~*^[^:]+:nossl-geo\.krd\.sh$ $scheme://geo.krd.sh$uri;
+ ~*^[^:]+:(?:nossl-)?geo-([^.]+)\.krd\.sh$ $scheme://geo.krd.sh/$1;
+}
+
+map $krdsh_need_ssl$krdsh_is_ssl$krdsh_need_redirect
+ $krdsh_need_proxy
+{
+ "" 1;
+}
+
+map $host
+ $krdsh_self_proxy_host
+{
+ default $host;
+
+ ~*^nossl-(.+)$ $1;
+}
+
+map $host
+ $krdsh_self_proxy_uri
+{
+ default https://$host;
+
+ ~*^nossl-(.+)$ https://$1;
+}
diff --git a/conf.avail/http-logging.conf b/conf.avail/http-logging.conf
new file mode 100644
index 0000000..e2f643f
--- /dev/null
+++ b/conf.avail/http-logging.conf
@@ -0,0 +1,12 @@
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+log_format extended '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" rt="$request_time" '
+ '"$http_user_agent" "$http_x_forwarded_for" '
+ 'h="$host" sn="$server_name" ru="$request_uri" u="$uri" '
+ 'ucs="$upstream_cache_status" ua="$upstream_addr" us="$upstream_status" '
+ 'uct="$upstream_connect_time" urt="$upstream_response_time"';
+
+access_log /var/log/angie/access.log main buffer=512k flush=1m;
diff --git a/conf.avail/http-max-accept-range.conf b/conf.avail/http-max-accept-range.conf
new file mode 100644
index 0000000..1827510
--- /dev/null
+++ b/conf.avail/http-max-accept-range.conf
@@ -0,0 +1 @@
+max_ranges 2;
diff --git a/conf.avail/http-mime-types.conf b/conf.avail/http-mime-types.conf
new file mode 100644
index 0000000..059b038
--- /dev/null
+++ b/conf.avail/http-mime-types.conf
@@ -0,0 +1,8 @@
+include mime.types;
+
+types {
+ font/ttf ttf;
+ application/font-sfnt otf;
+}
+
+default_type application/octet-stream;
diff --git a/conf.avail/http-misc-defaults.conf b/conf.avail/http-misc-defaults.conf
new file mode 100644
index 0000000..0ae3ab3
--- /dev/null
+++ b/conf.avail/http-misc-defaults.conf
@@ -0,0 +1 @@
+server_tokens on;
diff --git a/conf.avail/http-proxy.conf b/conf.avail/http-proxy.conf
new file mode 100644
index 0000000..9f209d5
--- /dev/null
+++ b/conf.avail/http-proxy.conf
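Review bot: `server_tokens on;` in conf.avail/http-misc-defaults.conf publishes the exact Angie version in the `Server` header and on generated error pages of every vhost that pulls in conf.d, which is the opposite of what a file named "misc-defaults" usually establishes. The hardening baseline is `server_tokens off;`, and if the version is wanted for some operational reason the file should say why, e.g. `## deliberately on: <reason>`. Nothing else in the commit overrides this per site, so the change is global.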
@@ -0,0 +1,55 @@
+proxy_http_version 1.1;
+proxy_ssl_server_name on;
+proxy_ssl_protocols TLSv1.2 TLSv1.3;
+proxy_cache_bypass $http_upgrade;
+
+map $http_upgrade
+ $conn_upgrade_unset
+{
+ volatile;
+
+ default upgrade;
+ "" "";
+}
+
+map $http_upgrade
+ $conn_upgrade_keepalive
+{
+ volatile;
+
+ default upgrade;
+ "" keep-alive;
+}
+
+## ref:
+## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
+map $remote_addr
+ $proxy_forwarded_elem
+{
+ ## IPv4 addresses can be sent as-is
+ ~^[0-9.]+$ "for=$remote_addr";
+ ## IPv6 addresses need to be bracketed and quoted
+ ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+ ## Unix domain socket names cannot be represented in RFC 7239 syntax
+ default "for=unknown";
+}
+
+## ref:
+## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
+## - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
+map $http_forwarded
+ $proxy_add_forwarded
+{
+ volatile;
+
+ ## if the incoming Forwarded header is syntactically valid, append to it
+ "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+ ## otherwise, replace it
+ default "$proxy_forwarded_elem";
+}
+
+include snip.d/proxy-common-headers;
+include snip.d/proxy-accept-encoding;
+include snip.d/proxy-connection-upgrade;
+include snip.d/proxy-early-data;
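Review bot: Nothing in this http-level baseline turns on upstream certificate verification: `proxy_ssl_server_name on;` sends SNI and `proxy_ssl_protocols TLSv1.2 TLSv1.3;` sets the protocol floor, but without `proxy_ssl_verify on;` the peer's chain and name are never checked, so every `proxy_pass https://...` in the commit inherits an unauthenticated TLS session. Adding `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate <path-to-system-CA-bundle>;` next to the other `proxy_ssl_*` lines covers the two places it bites: `proxy_pass https://nodejs.org$uri$is_args$args;` in site.avail/http-nodejs-org.krd.sh.conf, whose cached binary downloads are only as trustworthy as that connection, and the `$host`-derived `proxy_pass $krdsh_self_proxy_uri;` in site.avail/http-krd.sh.conf. `proxy_ssl_name` defaults to the proxy_pass host, so the nodejs.org case needs nothing further, and the krd.sh vhost already sets `proxy_ssl_name $krdsh_self_proxy_host;`.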
diff --git a/conf.avail/http-resolver.conf b/conf.avail/http-resolver.conf
new file mode 100644
index 0000000..c6c08ae
--- /dev/null
+++ b/conf.avail/http-resolver.conf
@@ -0,0 +1,2 @@
+resolver 127.1.0.1 valid=60s ipv6=off;
+resolver_timeout 10s;
diff --git a/conf.avail/http-sendfile.conf b/conf.avail/http-sendfile.conf
new file mode 100644
index 0000000..52646f0
--- /dev/null
+++ b/conf.avail/http-sendfile.conf
@@ -0,0 +1,4 @@
+sendfile on;
+#tcp_nopush on;
+
+postpone_output 1000;
diff --git a/conf.avail/http-ssl.conf b/conf.avail/http-ssl.conf
new file mode 100644
index 0000000..8c73da6
--- /dev/null
+++ b/conf.avail/http-ssl.conf
@@ -0,0 +1,7 @@
+ssl_conf_command Options PrioritizeChaCha,KTLS;
+
+proxy_ssl_conf_command Options PrioritizeChaCha,KTLS;
+grpc_ssl_conf_command Options PrioritizeChaCha,KTLS;
+uwsgi_ssl_conf_command Options PrioritizeChaCha,KTLS;
+
+include snip.d/tls-intermediate;
diff --git a/conf.avail/http-v3.conf b/conf.avail/http-v3.conf
new file mode 100644
index 0000000..64e9115
--- /dev/null
+++ b/conf.avail/http-v3.conf
@@ -0,0 +1,2 @@
+http3_stream_buffer_size 128k;
+quic_active_connection_id_limit 4;
diff --git a/http.conf b/http.conf
new file mode 100644
index 0000000..0a58f7c
--- /dev/null
+++ b/http.conf
@@ -0,0 +1,4 @@
+http {
+ include conf.d/http-*.conf;
+ include site.d/http-*.conf;
+}
diff --git a/mail.conf b/mail.conf
new file mode 100644
index 0000000..177b040
--- /dev/null
+++ b/mail.conf
@@ -0,0 +1,4 @@
+mail {
+ include conf.d/mail-*.conf;
+ include site.d/mail-*.conf;
+}
diff --git a/mod.avail/http-auth-jwt.conf b/mod.avail/http-auth-jwt.conf
new file mode 100644
index 0000000..e432942
--- /dev/null
+++ b/mod.avail/http-auth-jwt.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_auth_jwt_module.so;
diff --git a/mod.avail/http-brotli.conf b/mod.avail/http-brotli.conf
new file mode 100644
index 0000000..50f0014
--- /dev/null
+++ b/mod.avail/http-brotli.conf
@@ -0,0 +1,2 @@
+load_module modules/ngx_http_brotli_filter_module.so;
+load_module modules/ngx_http_brotli_static_module.so;
diff --git a/mod.avail/http-dav-ext.conf b/mod.avail/http-dav-ext.conf
new file mode 100644
index 0000000..e852329
--- /dev/null
+++ b/mod.avail/http-dav-ext.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_dav_ext_module.so;
diff --git a/mod.avail/http-echo.conf b/mod.avail/http-echo.conf
new file mode 100644
index 0000000..a82ee29
--- /dev/null
+++ b/mod.avail/http-echo.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_echo_module.so;
diff --git a/mod.avail/http-geoip.conf b/mod.avail/http-geoip.conf
new file mode 100644
index 0000000..9721986
--- /dev/null
+++ b/mod.avail/http-geoip.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_geoip_module.so;
diff --git a/mod.avail/http-geoip2.conf b/mod.avail/http-geoip2.conf
new file mode 100644
index 0000000..9441b29
--- /dev/null
+++ b/mod.avail/http-geoip2.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_geoip2_module.so;
diff --git a/mod.avail/http-headers-more.conf b/mod.avail/http-headers-more.conf
new file mode 100644
index 0000000..266d84e
--- /dev/null
+++ b/mod.avail/http-headers-more.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_headers_more_filter_module.so;
diff --git a/mod.avail/http-image-filter.conf b/mod.avail/http-image-filter.conf
new file mode 100644
index 0000000..dfa2939
--- /dev/null
+++ b/mod.avail/http-image-filter.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_image_filter_module.so;
diff --git a/mod.avail/http-njs.conf b/mod.avail/http-njs.conf
new file mode 100644
index 0000000..9907c34
--- /dev/null
+++ b/mod.avail/http-njs.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_js_module.so;
diff --git a/mod.avail/http-perl.conf b/mod.avail/http-perl.conf
new file mode 100644
index 0000000..ab3d02a
--- /dev/null
+++ b/mod.avail/http-perl.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_perl_module.so;
diff --git a/mod.avail/http-subs.conf b/mod.avail/http-subs.conf
new file mode 100644
index 0000000..fe34b6c
--- /dev/null
+++ b/mod.avail/http-subs.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_subs_filter_module.so;
diff --git a/mod.avail/http-upload.conf b/mod.avail/http-upload.conf
new file mode 100644
index 0000000..b24a6d5
--- /dev/null
+++ b/mod.avail/http-upload.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_upload_module.so;
diff --git a/mod.avail/http-xslt-filter.conf b/mod.avail/http-xslt-filter.conf
new file mode 100644
index 0000000..a4f87ac
--- /dev/null
+++ b/mod.avail/http-xslt-filter.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_xslt_filter_module.so;
diff --git a/mod.avail/http-zip.conf b/mod.avail/http-zip.conf
new file mode 100644
index 0000000..643b41c
--- /dev/null
+++ b/mod.avail/http-zip.conf
@@ -0,0 +1 @@
+load_module modules/ngx_http_zip_module.so;
diff --git a/mod.avail/stream-geoip.conf b/mod.avail/stream-geoip.conf
new file mode 100644
index 0000000..7195856
--- /dev/null
+++ b/mod.avail/stream-geoip.conf
@@ -0,0 +1 @@
+load_module modules/ngx_stream_geoip_module.so;
diff --git a/mod.avail/stream-geoip2.conf b/mod.avail/stream-geoip2.conf
new file mode 100644
index 0000000..4072597
--- /dev/null
+++ b/mod.avail/stream-geoip2.conf
@@ -0,0 +1 @@
+load_module modules/ngx_stream_geoip2_module.so;
diff --git a/mod.avail/stream-njs.conf b/mod.avail/stream-njs.conf
new file mode 100644
index 0000000..1a153bd
--- /dev/null
+++ b/mod.avail/stream-njs.conf
@@ -0,0 +1 @@
+load_module modules/ngx_stream_js_module.so;
diff --git a/njs/nexus.js b/njs/nexus.js
new file mode 100644
index 0000000..a5ad0f2
--- /dev/null
+++ b/njs/nexus.js
@@ -0,0 +1,9 @@
+function statics(r) {
+ var bytes = crypto.getRandomValues(new Uint8Array(1));
+ var s = (bytes[0] & 15).toString(16);
+ s = "https://nexus-st-" + s + ".krd.sh" + r.uri;
+ if (r.args.length > 0) { s += r.variables.is_args + r.variables.args; }
+ r.return(307, s);
+}
+
+export default {statics};
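Review bot: `if (r.args.length > 0)` never holds: in njs's HTTP request object `r.args` is a map of query parameters, not a string, so `.length` is undefined and the comparison is false, which means the query string is silently dropped from every redirect. Test the variable the code already reads instead, `if (r.variables.is_args) { s += r.variables.is_args + r.variables.args; }`, or append unconditionally since `$is_args` is empty when there are no arguments. A short comment would also help: `bytes[0] & 15` selects one of the sixteen `nexus-st-[0-9a-f].krd.sh` hosts, and that list must stay in sync with the `server_name` block in site.avail/http-nexus.krd.sh.conf.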
diff --git a/site.avail/http-deb.krd.sh.conf b/site.avail/http-deb.krd.sh.conf
new file mode 100644
index 0000000..7118ef3
--- /dev/null
+++ b/site.avail/http-deb.krd.sh.conf
@@ -0,0 +1,91 @@
+server {
+ server_name deb.krd.sh;
+
+ include snip.d/listen-http;
+
+ include snip.d/https-alt-svc;
+
+ access_log off;
+ log_not_found off;
+
+ root /var/www/deb;
+
+ include snip.d/empty-favicon;
+
+ location / {
+ return 301 https://$host$request_uri;
+
+ include snip.d/https-alt-svc;
+ include snip.d/http-security-headers;
+ }
+
+ ## allow APT work as usual
+
+ location ~*/(?:InRelease|Release|Packages|Sources)$
+ ~*/[^/]+/.*[^/]+\.(?:asc|dsc)$
+ {
+ default_type text/plain;
+ try_files $uri $uri/ =404;
+ }
+
+ ## /*/dists/*/Release.gpg
+ location ~*^/[^/]+/.*[^/]+\.(?:gpg)$
+ {
+ try_files $uri $uri/ =404;
+ }
+
+ location ~*\.(?:bz2|deb|gz|tar|udeb|xz|Z|zip|zstd?)$
+ ## various tarball file name extensions (sic!)
+ ~*\.t(?:[agx]z|bz2?|[bz]2|bJ|zo|lz(?:|ma?)|zstd?|a?Z)$
+ {
+ gzip off;
+ brotli off;
+ try_files $uri $uri/ =404;
+ }
+}
+
+server {
+ server_name deb.krd.sh;
+
+ include snip.d/listen-https;
+ include snip.d/ssl-krd.sh;
+
+ access_log off;
+ log_not_found off;
+
+ root /var/www/deb;
+ autoindex on;
+
+ include snip.d/empty-favicon;
+
+ location / {
+ try_files $uri $uri/ =404;
+
+ include snip.d/https-alt-svc;
+ include snip.d/http-security-headers;
+ }
+
+ location ~*/(?:InRelease|Release|Packages|Sources)$
+ ~*\.(?:asc|build|buildinfo|changes|dsc|list|log|sources)$
+ {
+ default_type text/plain;
+ try_files $uri $uri/ =404;
+ }
+
+ location ~*\.(?:bz2|deb|gz|tar|udeb|xz|Z|zip|zstd?)$
+ ## various tarball file name extensions (sic!)
+ ~*\.t(?:[agx]z|bz2?|[bz]2|bJ|zo|lz(?:|ma?)|zstd?|a?Z)$
+ {
+ gzip off;
+ brotli off;
+ try_files $uri $uri/ =404;
+ }
+
+ ## "meta" usually doesn't contain sensitive data
+ # include snip.d/deny-dotfiles;
+ location ~*^/[^/]+/\.meta/
+ {
+ default_type text/plain;
+ try_files $uri $uri/ =404;
+ }
+}
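Review bot: With `# include snip.d/deny-dotfiles;` left commented out in the HTTPS server, the `~*^/[^/]+/\.meta/` location is not an exception to a deny rule but the only dot-path rule in the vhost; any other dot-path under /var/www/deb falls through to `location /`, where `try_files $uri $uri/ =404;` plus the server-level `autoindex on;` will list or serve it if it exists on disk. If `.meta` is the only dot-directory meant to be public, keep the explicit location and add `include snip.d/deny-dotfiles;` directly after it: regex locations are tried in order of appearance and the first match wins, so `.meta` still matches first and everything else hits the `internal` block from the snippet. The comment should then state the dependency, e.g. `## must precede deny-dotfiles: first matching regex location wins`.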
diff --git a/site.avail/http-default-ssl.conf b/site.avail/http-default-ssl.conf
new file mode 100644
index 0000000..01bc224
--- /dev/null
+++ b/site.avail/http-default-ssl.conf
@@ -0,0 +1,50 @@
+server {
+ server_name _;
+
+ listen 443 default_server bind deferred ssl;
+ ## TODO: reuseport
+ listen 443 default_server quic reuseport;
+ http2 on;
+
+ ## nota bene
+ ssl_reject_handshake on;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+
+ access_log off;
+
+ default_type text/plain;
+
+ root /var/www/empty;
+
+ location / {
+ keepalive_timeout 0;
+ return 200;
+ }
+}
+
+## GRPC over TLS
+server {
+ server_name _;
+
+ listen 444 default_server bind deferred ssl;
+ ## TODO: reuseport
+ listen 444 default_server quic reuseport;
+ http2 on;
+
+ ## nota bene
+ ssl_reject_handshake on;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+
+ access_log off;
+
+ default_type text/plain;
+
+ root /var/www/empty;
+
+ location / {
+ keepalive_timeout 0;
+ return 200;
+ }
+}
diff --git a/site.avail/http-default.conf b/site.avail/http-default.conf
new file mode 100644
index 0000000..9f69d5a
--- /dev/null
+++ b/site.avail/http-default.conf
@@ -0,0 +1,16 @@
+server {
+ server_name _;
+
+ listen 80 default_server bind deferred;
+
+ access_log off;
+
+ default_type text/plain;
+
+ root /var/www/empty;
+
+ location / {
+ keepalive_timeout 0;
+ return 200;
+ }
+}
diff --git a/site.avail/http-dotfiles.krd.sh.conf b/site.avail/http-dotfiles.krd.sh.conf
new file mode 100644
index 0000000..f940964
--- /dev/null
+++ b/site.avail/http-dotfiles.krd.sh.conf
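Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` in the two default servers is the only place in this commit that re-enables TLS 1.0/1.1, and it is not harmless just because `ssl_reject_handshake on;` is set: in nginx the protocol version is negotiated before the server name is known, so the default server's `ssl_protocols` effectively governs every vhost on that listen socket (presumably Angie behaves the same; worth confirming with a TLS scan against one of the named sites), which would undercut whatever snip.d/tls-intermediate sets and is inconsistent with `proxy_ssl_protocols TLSv1.2 TLSv1.3;` in conf.avail/http-proxy.conf. Suggest `ssl_protocols TLSv1.2 TLSv1.3;` in both blocks, or dropping the line so the shared snippet decides. The two servers are identical except for the port; a single block with both `listen 443 ...` and `listen 444 ...` lines would stop them drifting apart, or the `## GRPC over TLS` comment should say what grpc-specific setting is expected to land there.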
@@ -0,0 +1,30 @@
+server {
+ server_name dotfiles.krd.sh;
+
+ include snip.d/listen-https;
+ include snip.d/ssl-krd.sh;
+
+ access_log off;
+ log_not_found off;
+
+ root /var/www/dotfiles;
+ index index.txt;
+ try_files $uri $uri/ =404;
+
+ include snip.d/http-security-headers;
+
+ location ~* ^/(|index\.txt)$ {
+ default_type text/plain;
+ }
+
+ location = /get {
+ return 303 $scheme://$host/.config/dotfiles/install.sh;
+ }
+
+ location ~ ^/.+$ {
+ return 303 https://git.krd.sh/krd/dotfiles/raw/branch/main$uri;
+ }
+
+ include snip.d/empty-favicon;
+ include snip.d/robots-txt;
+}
diff --git a/site.avail/http-files.krd.sh.conf b/site.avail/http-files.krd.sh.conf
new file mode 100644
index 0000000..423666b
--- /dev/null
+++ b/site.avail/http-files.krd.sh.conf
@@ -0,0 +1,30 @@
+server {
+ server_name files.krd.sh;
+
+ include snip.d/listen-https;
+ include snip.d/ssl-krd.sh;
+
+ access_log off;
+ log_not_found off;
+
+ root /var/www/files;
+ autoindex on;
+
+ include snip.d/http-security-headers;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location ~*^/(?:angie)/
+ ~*\.(?:asc|conf|dsc|js|json|pem|sh|sources|txt)$
+ {
+ default_type text/plain;
+
+ try_files $uri $uri/ =404;
+ }
+
+ include snip.d/deny-dotfiles;
+ include snip.d/empty-favicon;
+ include snip.d/robots-txt;
+}
diff --git a/site.avail/http-geo.krd.sh.conf b/site.avail/http-geo.krd.sh.conf
new file mode 100644
index 0000000..d95c020
--- /dev/null
+++ b/site.avail/http-geo.krd.sh.conf
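Review bot: In the files.krd.sh server the regex location `~*^/(?:angie)/ ~*\.(?:asc|conf|dsc|js|json|pem|sh|sources|txt)$` is declared before `include snip.d/deny-dotfiles;`, and regex locations are evaluated in order of appearance with the first match winning, so a dot-path that also matches one of these patterns (anything under /angie/, or a dotfile whose name ends in .conf, .pem, .txt and so on) is served as text/plain and never reaches the `internal`-only `~ /\.` location the snippet provides. Moving `include snip.d/deny-dotfiles;` above the `location /` block restores the intended precedence, and a one-line comment on the include (`## must stay above the regex locations below`) would stop it being reordered again. The dotfiles.krd.sh server in the same section is unaffected, since its dot-paths are deliberately redirected rather than served from disk.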
@@ -0,0 +1,152 @@
+map $http3:$http2:$server_protocol
+ $krdsh__geo_proto
+{
+ default $server_protocol;
+
+ ~^[^:]+: $http3;
+ ~^:[^:]+: $http2;
+}
+
+map $http_user_agent
+ $krdsh__geo_ua
+{
+ default $http_user_agent;
+
+ "" "";
+}
+
+map $ssl_protocol
+ $krdsh__geo_ssl_proto
+{
+ default $ssl_protocol;
+
+ "" "none";
+}
+
+map $ssl_alpn_protocol
+ $krdsh__geo_ssl_alpn
+{
+ default $ssl_alpn_protocol;
+
+ "" "none";
+}
+
+map $ssl_session_reused
+ $krdsh__geo_ssl_reuse
+{
+ default "no";
+
+ r yes;
+}
+
+map $ssl_early_data
+ $krdsh__geo_ssl_early
+{
+ default "no";
+
+ 1 yes;
+}
+
+map $uri
+ $krdsh__geo_k
+{
+ volatile;
+ ## default is "help"
+ default help;
+
+ ~^/(.+)$ $1;
+}
+
+map $krdsh__geo_k
+ $krdsh__geo_v
+{
+ volatile;
+ ## default is "help"
+ default "usage: $host/{key}\r\nmeta keys: [help] all geo ssl version\r\nsimple keys: ip user-agent proto ssl-proto ssl-alpn ssl-reuse ssl-early country-code country-name timezone latitude longitude asn asn-org";
+
+ ip $remote_addr;
+ user-agent $krdsh__geo_ua;
+
+ proto $krdsh__geo_proto;
+ ssl-proto $krdsh__geo_ssl_proto;
+ ssl-alpn $krdsh__geo_ssl_alpn;
+ ssl-reuse $krdsh__geo_ssl_reuse;
+ ssl-early $krdsh__geo_ssl_early;
+
+ country-code $geoip2_country_code;
+ country-name $geoip2_country_name;
+
+ timezone $geoip2_timezone;
+ latitude $geoip2_latitude;
+ longitude $geoip2_longitude;
+
+ asn $geoip2_asn;
+ asn-org $geoip2_asn_org;
+
+ version "angie/$angie_version";
+
+ all "ip: $remote_addr\r\nuser-agent: $krdsh__geo_ua\r\nproto: $krdsh__geo_proto\r\nssl-proto: $krdsh__geo_ssl_proto\r\nssl-alpn: $krdsh__geo_ssl_alpn\r\nssl-reuse: $krdsh__geo_ssl_reuse\r\nssl-early: $krdsh__geo_ssl_early\r\ncountry-code: $geoip2_country_code\r\ncountry-name: $geoip2_country_name\r\ntimezone: $geoip2_timezone\r\nlatitude: $geoip2_latitude\r\nlongitude: $geoip2_longitude\r\nasn: $geoip2_asn\r\nasn-org: $geoip2_asn_org";
+
+ geo "ip: $remote_addr\r\ncountry-code: $geoip2_country_code\r\ncountry-name: 
$geoip2_country_name\r\ntimezone: $geoip2_timezone\r\nlatitude: $geoip2_latitude\r\nlongitude: $geoip2_longitude\r\nasn: $geoip2_asn\r\nasn-org: $geoip2_asn_org";
+
+ ssl "proto: $krdsh__geo_proto\r\nssl-proto: $krdsh__geo_ssl_proto\r\nssl-alpn: $krdsh__geo_ssl_alpn\r\nssl-reuse: $krdsh__geo_ssl_reuse\r\nssl-early: $krdsh__geo_ssl_early";
+
+}
+
+map $uri
+ $krdsh__geo_file
+{
+ ## guess what?..
+ default default.zst;
+
+ ~*^/asn\.(.+)$ GeoLite2-ASN.$1;
+ ~*^/city\.(.+)$ GeoLite2-City.$1;
+ ~*^/country\.(.+)$ GeoLite2-Country.$1;
+}
+
+server {
+ server_name geo.krd.sh;
+
+ include snip.d/listen-http;
+ include snip.d/listen-https;
+ include snip.d/ssl-krd.sh;
+
+ access_log off;
+ keepalive_timeout 0;
+
+ root /var/www/empty;
+
+ include snip.d/empty-favicon;
+
+ location / {
+ default_type text/plain;
+ return 200 "$krdsh__geo_v\r\n";
+ }
+
+ location ~*^/[^/.]+\.mmdb\.[^/.]+$
+ {
+ root /usr/local/share/geoip2;
+ try_files /$krdsh__geo_file @file_help;
+ }
+ location ~*^/[^/.]+\.mmdb$
+ {
+ try_files /.non-existent-uri @file_help;
+ }
+ location @file_help
+ {
+ ## sync with "map $uri krdsh__geo_file"
+ set $krdsh__geo_bases "asn city country";
+ ## sync with file system contents
+ set $krdsh__geo_comps "br bz2 gz xz zst";
+ ## sync with two above
+ set $krdsh__geo_example "country.mmdb.xz";
+
+ default_type text/plain;
+
+ add_header X-GeoIp-Bases $krdsh__geo_bases always;
+ add_header X-GeoIp-Comps $krdsh__geo_comps always;
+ add_header X-GeoIp-Example $krdsh__geo_example always;
+
+ return 403 "valid file names: $krdsh__geo_bases\r\nvalid trailing extensions: $krdsh__geo_comps\r\nexample: $krdsh__geo_example\r\n";
+ }
+}
diff --git a/site.avail/http-git.krd.sh.conf b/site.avail/http-git.krd.sh.conf
new file mode 100644
index 0000000..c4b203d
--- /dev/null
+++ b/site.avail/http-git.krd.sh.conf
@@ -0,0 +1,158 @@
+server {
+ server_name git.krd.sh ci.krd.sh;
+
+ include snip.d/listen-http;
+
+ access_log off;
+ log_not_found off;
+
+ root /var/www/empty;
+
+ include snip.d/https-alt-svc;
+ include snip.d/http-security-headers;
+
+ keepalive_timeout 0;
+
+ include snip.d/empty-favicon;
+
+ location / {
+ return 301 https://$host$uri$is_args$args;
+ }
+}
+
+proxy_cache_path
+ /var/cache/angie/proxy/krdsh-git
+ keys_zone=krdsh_git:10m
+ levels=1:2 inactive=1h;
+
+server {
+ server_name git.krd.sh;
+
+ include snip.d/listen-https;
+ include snip.d/ssl-krd.sh;
+
+ access_log off;
+ log_not_found off;
+
+ root /var/www/empty;
+
+ include snip.d/http-security-headers;
+
+ include snip.d/proxy-common-headers;
+ include snip.d/proxy-accept-encoding;
+ include snip.d/proxy-connection-keepalive;
+ include snip.d/proxy-early-data;
+
+ proxy_redirect ~*^http://(ci|git)\.krd\.sh(?:|:[0-9]+)/(.*)$ https://$1.krd.sh/$2;
+
+ location / {
+ proxy_pass http://127.0.0.1:3000;
+ ## quirks
+ client_max_body_size 512M;
+ chunked_transfer_encoding off;
+ }
+
+ location @precache {
+ proxy_pass http://127.0.0.1:3000;
+
+ proxy_cache krdsh_git;
+ proxy_cache_key $uri;
+ proxy_cache_valid 200 1h;
+ proxy_cache_valid 30s;
+ proxy_ignore_client_abort on;
+
+ proxy_ignore_headers Cache-Control;
+ proxy_hide_header Cache-Control;
+ expires 2h;
+
+ ## quirks
+ chunked_transfer_encoding off;
+ proxy_method GET;
+ proxy_buffering on;
+ proxy_temp_file_write_size 4m;
+ }
+
+ location /assets/ {
+ try_files /.non-existent-uri @precache;
+ # proxy_pass http://127.0.0.1:3000;
+ }
+}
+
+proxy_cache_path
+ /var/cache/angie/proxy/krdsh-ci
+ keys_zone=krdsh_ci:10m
+ levels=1:2 inactive=1h;
+
+server {
+ server_name ci.krd.sh;
+
+ include snip.d/listen-https;
+ include snip.d/ssl-krd.sh;
+
+ access_log off;
+ log_not_found off;
+
+ root /var/www/empty;
+
+ include snip.d/http-security-headers;
+
+ include snip.d/proxy-common-headers;
+ include snip.d/proxy-accept-encoding;
+ include 
snip.d/proxy-connection-keepalive;
+ include snip.d/proxy-early-data;
+
+ proxy_redirect ~*^http://(ci|git)\.krd\.sh(?:|:[0-9]+)/(.*)$ https://$1.krd.sh/$2;
+
+ location / {
+ proxy_pass http://127.0.0.1:8000;
+ ## quirks
+ chunked_transfer_encoding off;
+ client_max_body_size 16M;
+ proxy_buffering off;
+ }
+
+ location @precache {
+ proxy_pass http://127.0.0.1:8000;
+
+ proxy_cache krdsh_ci;
+ proxy_cache_key $uri;
+ proxy_cache_valid 200 1h;
+ proxy_cache_valid 30s;
+ proxy_ignore_client_abort on;
+
+ proxy_ignore_headers Cache-Control;
+ proxy_hide_header Cache-Control;
+ expires 2h;
+
+ ## quirks
+ chunked_transfer_encoding off;
+ proxy_method GET;
+ proxy_buffering on;
+ proxy_temp_file_write_size 4m;
+ }
+
+ location /assets/ {
+ try_files /.non-existent-uri @precache;
+ # proxy_pass http://127.0.0.1:8000;
+ }
+}
+
+server {
+ server_name ci.krd.sh;
+
+ include snip.d/listen-grpcs;
+ include snip.d/ssl-krd.sh;
+
+ access_log off;
+ log_not_found off;
+
+ root /var/www/empty;
+
+ include snip.d/http-security-headers;
+
+ include snip.d/grpc-accept-encoding;
+
+ location / {
+ grpc_pass grpc://127.0.0.1:9000;
+ }
+}
diff --git a/site.avail/http-krd.sh.conf b/site.avail/http-krd.sh.conf
new file mode 100644
index 0000000..f9eb308
--- /dev/null
+++ b/site.avail/http-krd.sh.conf
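Review bot: `proxy_cache_key $uri;` in both `@precache` locations (git.krd.sh and ci.krd.sh) drops the query string, while the otherwise identical block in site.avail/http-nexus.krd.sh.conf keys on `$uri$is_args$args`; if the upstream varies /assets/ content by query parameter (cache-busting `?v=` is common), two different responses share one cache slot and the first fetched is served for both. `proxy_cache_key $uri$is_args$args;` makes the three blocks consistent and removes that ambiguity. The trailing `proxy_cache_valid 30s;` also applies to every status not listed before it, 5xx included; if half a minute of negative caching for assets is intended, a comment such as `## cache errors briefly to shield the backend` would save the next reader a lookup.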
@@ -0,0 +1,55 @@
+## $krdsh_* are defined in conf.d/http-krd.sh.conf
+
+server {
+ server_name .krd.sh;
+
+ include snip.d/listen-http;
+ include snip.d/listen-https;
+ include snip.d/ssl-krd.sh;
+
+ log_not_found off;
+ access_log off;
+
+ root /var/www/empty;
+
+ include snip.d/deny-dotfiles;
+ include snip.d/empty-favicon;
+
+ include snip.d/http-security-headers;
+
+ default_type text/plain;
+ keepalive_timeout 0;
+
+ proxy_hide_header Vary;
+ # proxy_redirect off;
+
+ # include snip.d/proxy-common-headers;
+ # include snip.d/proxy-accept-encoding;
+ # include snip.d/proxy-connection-upgrade;
+ # include snip.d/proxy-early-data;
+
+ proxy_ssl_name $krdsh_self_proxy_host;
+ proxy_set_header Host $krdsh_self_proxy_host;
+
+ location / {
+ if ($krdsh_is_ssl) {
+ return 200;
+ }
+
+ if ($krdsh_need_ssl) {
+ return 301 https://$host$request_uri;
+ }
+
+ if ($krdsh_nossl_misuse) {
+ return 301 https://$krdsh_nossl_realhost$request_uri;
+ }
+
+ if ($krdsh_need_redirect) {
+ return 301 $krdsh_redirector;
+ }
+
+ if ($krdsh_need_proxy) {
+ proxy_pass $krdsh_self_proxy_uri;
+ }
+ }
+}
diff --git a/site.avail/http-nexus.krd.sh.conf b/site.avail/http-nexus.krd.sh.conf
new file mode 100644
index 0000000..701db3a
--- /dev/null
+++ b/site.avail/http-nexus.krd.sh.conf
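Review bot: `proxy_pass $krdsh_self_proxy_uri;` sends the request to an origin derived from the client's `Host` header (`$krdsh_self_proxy_host` is `$host` with an optional `nossl-` prefix stripped, per conf.avail/http-krd.sh.conf), bounded only by the wildcard `server_name .krd.sh;`, so every name under that zone the resolver answers for becomes a backend, and `proxy_ssl_name` alone sets SNI without authenticating the peer. Since the maps already enumerate the expected shapes, restricting `$krdsh_need_proxy` to an explicit allow-list of hostnames would close that gap; at minimum the intent deserves a comment at the top of the file, e.g. `## nossl-<name>.krd.sh is a plain-HTTP alias that is re-proxied to https://<name>.krd.sh`. The `proxy_hide_header Vary;` line is also unexplained and would benefit from a one-line reason.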
@@ -0,0 +1,216 @@
+server {
+ server_name nexus.krd.sh;
+
+ include snip.d/listen-http;
+
+ access_log off;
+ log_not_found off;
+
+ root /var/www/empty;
+
+ include snip.d/https-alt-svc;
+ include snip.d/http-base-security-headers;
+
+ proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ http://$host/$1;
+
+ keepalive_timeout 0;
+
+ include snip.d/empty-favicon;
+
+ location / {
+ return 301 https://$host$uri$is_args$args;
+ }
+
+ ## allow APT work as usual
+
+ location ~*^/repository/apt_[^/]+/(?:dists|pool)/
+ {
+ gzip off;
+ brotli off;
+
+ proxy_pass http://127.0.0.1:8081;
+ proxy_method GET;
+ }
+
+ ## allow proxy repositories only for non-public usage
+
+ location ~*^/repository/proxy_[^/]+/
+ {
+ allow 127.0.0.0/8;
+ allow 192.0.2.0/24;
+ allow 240.0.0.0/4;
+ deny all;
+
+ proxy_pass http://127.0.0.1:8081;
+ proxy_method GET;
+ }
+
+ ## quirks
+ chunked_transfer_encoding off;
+}
+
+server {
+ server_name nexus-asis.krd.sh;
+
+ include snip.d/listen-https;
+ include snip.d/ssl-krd.sh;
+
+ access_log off;
+ log_not_found off;
+
+ root /var/www/empty;
+
+ include snip.d/http-security-headers;
+
+ include snip.d/proxy-common-headers;
+ include snip.d/proxy-accept-encoding;
+ include snip.d/proxy-connection-keepalive;
+ include snip.d/proxy-early-data;
+
+ proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;
+
+ location / {
+ proxy_pass http://127.0.0.1:8081;
+ ## quirks
+ client_max_body_size 1024M;
+ }
+
+ ## allow proxy repositories only for non-public usage
+
+ location ~*^/repository/proxy_[^/]+/
+ {
+ allow 127.0.0.0/8;
+ allow 192.0.2.0/24;
+ allow 240.0.0.0/4;
+ deny all;
+
+ proxy_pass http://127.0.0.1:8081;
+ }
+
+ ## quirks
+ chunked_transfer_encoding off;
+}
+
+server {
+ server_name nexus.krd.sh;
+
+ include snip.d/listen-https;
+ include snip.d/ssl-krd.sh;
+
+ access_log off;
+ log_not_found off;
+
+ root /var/www/empty;
+
+ include snip.d/http-base-security-headers;
+
+ include snip.d/proxy-common-headers;
+ include 
snip.d/proxy-accept-encoding;
+ include snip.d/proxy-connection-keepalive;
+ include snip.d/proxy-early-data;
+
+ proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;
+
+ location / {
+ proxy_pass http://127.0.0.1:8081;
+ ## quirks
+ client_max_body_size 1024M;
+ }
+
+ ## allow proxy repositories only for non-public usage
+
+ location ~*^/repository/proxy_[^/]+/
+ {
+ allow 127.0.0.0/8;
+ allow 192.0.2.0/24;
+ allow 240.0.0.0/4;
+ deny all;
+
+ proxy_pass http://127.0.0.1:8081;
+ }
+
+ js_import njs/nexus.js;
+
+ location /static/ {
+ js_content nexus.statics;
+ }
+
+ ## quirks
+ chunked_transfer_encoding off;
+}
+
+proxy_cache_path
+ /var/cache/angie/proxy/krdsh-nexus
+ keys_zone=krdsh_nexus:10m
+ levels=1:2 inactive=1h;
+
+server {
+ ## PITA
+ server_name
+ nexus-st-0.krd.sh
+ nexus-st-1.krd.sh
+ nexus-st-2.krd.sh
+ nexus-st-3.krd.sh
+ nexus-st-4.krd.sh
+ nexus-st-5.krd.sh
+ nexus-st-6.krd.sh
+ nexus-st-7.krd.sh
+ nexus-st-8.krd.sh
+ nexus-st-9.krd.sh
+ nexus-st-a.krd.sh
+ nexus-st-b.krd.sh
+ nexus-st-c.krd.sh
+ nexus-st-d.krd.sh
+ nexus-st-e.krd.sh
+ nexus-st-f.krd.sh
+ ;
+
+ include snip.d/listen-https;
+ include snip.d/ssl-krd.sh;
+
+ access_log off;
+ # log_not_found off;
+
+ root /var/www/empty;
+
+ include snip.d/http-base-security-headers;
+
+ add_header Access-Control-Allow-Origin "https://nexus.krd.sh" always;
+
+ include snip.d/proxy-common-headers;
+ include snip.d/proxy-accept-encoding;
+ include snip.d/proxy-connection-close;
+ include snip.d/proxy-early-data;
+
+ proxy_ignore_headers Cache-Control;
+ proxy_hide_header Cache-Control;
+
+ proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://nexus.krd.sh/$1;
+
+ location / {
+ return 301 https://nexus.krd.sh;
+ }
+
+ location /static/ {
+ try_files /.non-existent-uri @precache;
+ }
+
+ location @precache {
+ proxy_pass http://127.0.0.1:8081;
+
+ proxy_cache krdsh_nexus;
+ proxy_cache_key $uri$is_args$args;
+ proxy_cache_valid 200 1h;
+ proxy_cache_valid 30s;
+ 
proxy_ignore_client_abort on;
+ expires 2h;
+
+ ## quirks
+ proxy_method GET;
+ proxy_buffering on;
+ proxy_temp_file_write_size 4m;
+ }
+
+ ## quirks
+ chunked_transfer_encoding off;
+}
diff --git a/site.avail/http-nodejs-org.krd.sh.conf b/site.avail/http-nodejs-org.krd.sh.conf
new file mode 100644
index 0000000..cdb53ba
--- /dev/null
+++ b/site.avail/http-nodejs-org.krd.sh.conf
@@ -0,0 +1,70 @@
+proxy_cache_path
+ /var/cache/angie/proxy/nodejs-org
+ keys_zone=nodejs_org:10m
+ levels=1:2 inactive=1h;
+
+server {
+ server_name nodejs-org.krd.sh;
+
+ include snip.d/listen-https;
+ include snip.d/ssl-krd.sh;
+
+ access_log off;
+ log_not_found off;
+
+ root /var/www/empty;
+
+ location / {
+ try_files /.non-existent-uri @redirect;
+ }
+
+ location ~* \.(?:7z|exe|exp|gz|lib|msi|pkg|tgz|xz|zip)$
+ {
+ try_files /.non-existent-uri @redirect;
+ }
+
+ ## merely quirk
+ location ~* ^/(?:dist|download)$
+ {
+ return 301 $scheme://$server_name$uri/;
+ }
+
+ location ~/$
+ ~*^/(?:dist|download)/
+ {
+ try_files /.non-existent-uri @download;
+ }
+
+ proxy_set_header Accept "*/*";
+ proxy_set_header User-Agent "angie/$angie_version";
+
+ include snip.d/proxy-common-headers;
+ include snip.d/proxy-accept-encoding;
+ include snip.d/proxy-connection-close;
+
+ location @redirect {
+ return 301 https://nodejs.org$request_uri;
+ }
+
+ location @download {
+ proxy_pass https://nodejs.org$uri$is_args$args;
+
+ proxy_redirect https://nodejs.org $scheme://$server_name;
+
+ proxy_cache nodejs_org;
+ proxy_cache_key $uri$is_args$args;
+ proxy_cache_valid 200 1h;
+ proxy_cache_valid 30s;
+ proxy_ignore_client_abort on;
+
+ proxy_ignore_headers Cache-Control;
+ proxy_hide_header Cache-Control;
+ expires 30m;
+
+ ## quirks
+ chunked_transfer_encoding off;
+ proxy_method GET;
+ proxy_buffering on;
+ proxy_temp_file_write_size 4m;
+ }
+}
diff --git a/snip.d/area-internal b/snip.d/area-internal
new file mode 100644
index 0000000..a394351
--- /dev/null
+++ b/snip.d/area-internal
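Review bot: The three `allow 127.0.0.0/8; allow 192.0.2.0/24; allow 240.0.0.0/4; deny all;` blocks that guard `/repository/proxy_*/` in the nexus vhosts list two ranges that are reserved rather than private (192.0.2.0/24 is TEST-NET-1 from RFC 5737 and 240.0.0.0/4 is the reserved former class E block), so unless an internal overlay really is numbered from them the gate is effectively loopback-only, and a later reader is likely to "fix" them to something broader. If they are deliberate, a comment above the first block naming the network they stand for (`## 192.0.2.0/24 and 240.0.0.0/4: <internal network> addresses`) would settle that; since the same list is pasted three times, moving it into a `snip.d/allow-internal` include would keep the copies from diverging. Note that `allow`/`deny` evaluate `$remote_addr`, so the check is on the TCP peer, which is what is wanted here.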
@@ -0,0 +1,5 @@
+## always sourced by snip.d/deny-dotfiles
+
+access_log off;
+log_not_found off;
+internal;
diff --git a/snip.d/common-fastcgi b/snip.d/common-fastcgi
new file mode 100644
index 0000000..875f001
--- /dev/null
+++ b/snip.d/common-fastcgi
@@ -0,0 +1,17 @@
+## always sourced by snip.d/common-fcgiwrap
+
+try_files $fastcgi_script_name =444;
+
+## KrD: do not pass Accept-Encoding to backend
+fastcgi_param HTTP_ACCEPT_ENCODING "";
+
+## bypass the fact that try_files resets $fastcgi_path_info
+## see: https://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+fastcgi_param AUTH_USER $remote_user;
+fastcgi_param REMOTE_USER $remote_user;
+fastcgi_param HTTP_HOST $host;
+
+include fastcgi.conf;
diff --git a/snip.d/common-fcgiwrap b/snip.d/common-fcgiwrap
new file mode 100644
index 0000000..9357cf7
--- /dev/null
+++ b/snip.d/common-fcgiwrap
@@ -0,0 +1,3 @@
+fastcgi_pass unix:/run/fcgiwrap.socket;
+
+include snip.d/common-fastcgi;
diff --git a/snip.d/deny-dotfiles b/snip.d/deny-dotfiles
new file mode 100644
index 0000000..46d1681
--- /dev/null
+++ b/snip.d/deny-dotfiles
@@ -0,0 +1,3 @@
+location ~ /\. {
+ include snip.d/area-internal;
+}
diff --git a/snip.d/empty-favicon b/snip.d/empty-favicon
new file mode 100644
index 0000000..05b3311
--- /dev/null
+++ b/snip.d/empty-favicon
@@ -0,0 +1,4 @@
+location = /favicon.ico {
+ empty_gif;
+ expires 1d;
+}
diff --git a/snip.d/grpc-accept-encoding b/snip.d/grpc-accept-encoding
new file mode 100644
index 0000000..c525706
--- /dev/null
+++ b/snip.d/grpc-accept-encoding
@@ -0,0 +1,3 @@
+## always sourced by conf.d/http-grpc-accept-encoding.conf
+
+grpc_set_header Accept-Encoding "";
diff --git a/snip.d/http-base-security-headers b/snip.d/http-base-security-headers
new file mode 100644
index 0000000..e64c075
--- /dev/null
+++ b/snip.d/http-base-security-headers
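Review bot: `fastcgi_param REMOTE_USER $remote_user;` and the `AUTH_USER` line above it forward whatever user name the client placed in its Authorization header; nginx fills `$remote_user` by parsing that header, it does not verify it, so the value is an authenticated identity only in locations where `auth_basic`/`auth_basic_user_file` (or another auth module) guards the request. The locations that include snip.d/common-fcgiwrap are outside this chunk, so I can't confirm they all do; a CGI script behind fcgiwrap that trusts REMOTE_USER would otherwise accept a client-chosen name. Suggest a comment above those two lines: `## REMOTE_USER/AUTH_USER are only trustworthy where the including location also enforces auth_basic (or another auth directive)`.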
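Review bot: `location ~ /\.` also matches `/.well-known/…`, so any ACME HTTP-01 challenge served from a vhost that includes this snippet is answered 404 by the `internal` directive in snip.d/area-internal; with the certificates in snip.d/ssl-krd.sh coming from Let's Encrypt, that is worth confirming, and an exception such as `location ^~ /.well-known/acme-challenge/ { … }` placed in the same server wins over this regex location because `^~` stops regex matching. Note also that regex locations are tried in declaration order, so a vhost that declares its own `~`/`~*` locations before this include (the download matchers in site.avail are one example) will match those first; a one-line comment on the snippet, `## include early: regex locations declared before this one take precedence`, would make the ordering requirement explicit.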
@@ -0,0 +1,13 @@
+## always sourced by include snip.d/http-security-headers
+
+include snip.d/http-proxy-hide-security-headers;
+
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+# add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+add_header Permissions-Policy "interest-cohort=()" always;
+
+## obsolete
+add_header X-Frame-Options "SAMEORIGIN" always;
diff --git a/snip.d/http-proxy-hide-security-headers b/snip.d/http-proxy-hide-security-headers
new file mode 100644
index 0000000..cae281c
--- /dev/null
+++ b/snip.d/http-proxy-hide-security-headers
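Review bot: `add_header` is not cumulative across levels — a `location` that declares even one `add_header` of its own inherits none of the headers in this snippet, so HSTS, nosniff and the rest silently disappear from that location unless the file is re-included there (the nexus vhost's server-level `add_header Access-Control-Allow-Origin` is fine because it sits at the same level as the include). A note on line 1 would prevent that class of regression: `## add_header is not inherited into any block that sets its own add_header: re-include this file there`. Also, `add_header X-XSS-Protection "1; mode=block"` enables the legacy browser XSS auditor, which current guidance from OWASP and the browser vendors asks to switch off because the filter itself caused more problems than it solved; `add_header X-XSS-Protection "0" always;` is the recommended value today.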
@@ -0,0 +1,44 @@
+## always sourced by include snip.d/http-base-security-headers
+
+proxy_hide_header X-XSS-Protection;
+fastcgi_hide_header X-XSS-Protection;
+grpc_hide_header X-XSS-Protection;
+scgi_hide_header X-XSS-Protection;
+uwsgi_hide_header X-XSS-Protection;
+
+proxy_hide_header X-Content-Type-Options;
+fastcgi_hide_header X-Content-Type-Options;
+grpc_hide_header X-Content-Type-Options;
+scgi_hide_header X-Content-Type-Options;
+uwsgi_hide_header X-Content-Type-Options;
+
+proxy_hide_header Referrer-Policy;
+fastcgi_hide_header Referrer-Policy;
+grpc_hide_header Referrer-Policy;
+scgi_hide_header Referrer-Policy;
+uwsgi_hide_header Referrer-Policy;
+
+proxy_hide_header Strict-Transport-Security;
+fastcgi_hide_header Strict-Transport-Security;
+grpc_hide_header Strict-Transport-Security;
+scgi_hide_header Strict-Transport-Security;
+uwsgi_hide_header Strict-Transport-Security;
+
+proxy_hide_header Permissions-Policy;
+fastcgi_hide_header Permissions-Policy;
+grpc_hide_header Permissions-Policy;
+scgi_hide_header Permissions-Policy;
+uwsgi_hide_header Permissions-Policy;
+
+proxy_hide_header Content-Security-Policy;
+fastcgi_hide_header Content-Security-Policy;
+grpc_hide_header Content-Security-Policy;
+scgi_hide_header Content-Security-Policy;
+uwsgi_hide_header Content-Security-Policy;
+
+## obsolete
+proxy_hide_header X-Frame-Options;
+fastcgi_hide_header X-Frame-Options;
+grpc_hide_header X-Frame-Options;
+scgi_hide_header X-Frame-Options;
+uwsgi_hide_header X-Frame-Options;
diff --git a/snip.d/http-security-headers b/snip.d/http-security-headers
new file mode 100644
index 0000000..c8f6a3d
--- /dev/null
+++ b/snip.d/http-security-headers
@@ -0,0 +1,3 @@
+include snip.d/http-base-security-headers;
+
+add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self';" always;
diff --git a/snip.d/https-alt-svc b/snip.d/https-alt-svc
new file mode 100644
index 0000000..451bfb3
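Review bot: the five `*_hide_header Content-Security-Policy` lines strip an upstream's CSP even where nothing replaces it: this snippet is pulled in by snip.d/http-base-security-headers, which adds no Content-Security-Policy, and the nexus vhost earlier in this diff includes the base snippet directly, so a CSP emitted by the backend on 127.0.0.1:8081 is dropped and the response reaches the browser with none. Either move the CSP hide lines into snip.d/http-security-headers next to the `add_header Content-Security-Policy` that re-adds one, or record the trap here: `## strips the upstream CSP as well: include only via http-security-headers, which sets a replacement`. The same inheritance caveat as `add_header` applies to the `*_hide_header` directives, so a location that declares its own `proxy_hide_header` needs this file again.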
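Review bot: the Content-Security-Policy value on the last line permits every `http:`/`https:`/`ws:`/`wss:` origin plus `data:`, `blob:`, `'unsafe-inline'` and `'unsafe-eval'`, so apart from `frame-ancestors 'self'` it constrains nothing and gives no XSS mitigation; in practice it acts as a framing guard duplicating the X-Frame-Options header from the base snippet. If that is deliberate, say so above the line, e.g. `## intentionally permissive baseline: only frame-ancestors is enforced, tighten per site`, so a later reader does not mistake it for a hardened policy; otherwise the scheme-wide sources and the two `'unsafe-*'` tokens are the first things to remove per site. A `Content-Security-Policy-Report-Only` variant alongside would let a stricter policy be trialled without breaking the proxied applications.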
--- /dev/null
+++ b/snip.d/https-alt-svc
@@ -0,0 +1,3 @@
+## always sourced by snip.d/listen-https
+
+add_header Alt-Svc 'h3=":443"; ma=3600, h2=":443"; ma=3600' always;
diff --git a/snip.d/listen-grpcs b/snip.d/listen-grpcs
new file mode 100644
index 0000000..f78a816
--- /dev/null
+++ b/snip.d/listen-grpcs
@@ -0,0 +1,3 @@
+listen 444 ssl;
+listen 444 quic;
+http2 on;
diff --git a/snip.d/listen-http b/snip.d/listen-http
new file mode 100644
index 0000000..3d12025
--- /dev/null
+++ b/snip.d/listen-http
@@ -0,0 +1 @@
+listen 80;
\ No newline at end of file
diff --git a/snip.d/listen-https b/snip.d/listen-https
new file mode 100644
index 0000000..aa34c35
--- /dev/null
+++ b/snip.d/listen-https
@@ -0,0 +1,5 @@
+listen 443 ssl;
+listen 443 quic;
+http2 on;
+
+include snip.d/https-alt-svc;
diff --git a/snip.d/proxy-accept-encoding b/snip.d/proxy-accept-encoding
new file mode 100644
index 0000000..63fb628
--- /dev/null
+++ b/snip.d/proxy-accept-encoding
@@ -0,0 +1,3 @@
+## always sourced by conf.d/http-proxy.conf
+
+proxy_set_header Accept-Encoding "";
diff --git a/snip.d/proxy-common-headers b/snip.d/proxy-common-headers
new file mode 100644
index 0000000..7ca7011
--- /dev/null
+++ b/snip.d/proxy-common-headers
@@ -0,0 +1,9 @@
+## always sourced by conf.d/http-proxy.conf
+
+## $proxy_add_forwarded is defined in conf.d/http-proxy.conf
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Forwarded $proxy_add_forwarded;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Forwarded-Port $server_port;
diff --git a/snip.d/proxy-connection-close b/snip.d/proxy-connection-close
new file mode 100644
index 0000000..895c3a6
--- /dev/null
+++ b/snip.d/proxy-connection-close
@@ -0,0 +1,2 @@
+proxy_set_header Connection close;
+proxy_set_header Upgrade "";
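Review bot: `listen 443 quic;` in snip.d/listen-https (and `listen 444 quic;` in snip.d/listen-grpcs, same hunk line) carries no `reuseport`, whereas the nginx http_v3 documentation's example is `listen 443 quic reuseport;` and, as far as I recall, states that the parameter is needed for QUIC to behave correctly with several worker processes. If the omission is deliberate it is worth a comment on that line; if not, `listen 443 quic reuseport;` is the one-word change, applied to the first `listen` for that port only.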
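Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever X-Forwarded-For the client already sent, so the backend receives a client-controlled list with the genuine address last; a backend that reads the first element (a common library default) will log, rate-limit or allow-list on an address the client chose. The `X-Real-IP $remote_addr` line above is the field that can be trusted, and the snippet should say so, e.g. `## X-Forwarded-For keeps client-supplied entries: backends must trust X-Real-IP or only the rightmost XFF element`. Where no trusted proxy sits in front of Angie, `proxy_set_header X-Forwarded-For $remote_addr;` removes the ambiguity entirely.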
diff --git a/snip.d/proxy-connection-keepalive b/snip.d/proxy-connection-keepalive
new file mode 100644
index 0000000..b6155e1
--- /dev/null
+++ b/snip.d/proxy-connection-keepalive
@@ -0,0 +1,3 @@
+## $conn_upgrade_keepalive is defined in conf.d/http-proxy.conf
+proxy_set_header Connection $conn_upgrade_keepalive;
+proxy_set_header Upgrade $http_upgrade;
diff --git a/snip.d/proxy-connection-upgrade b/snip.d/proxy-connection-upgrade
new file mode 100644
index 0000000..5638394
--- /dev/null
+++ b/snip.d/proxy-connection-upgrade
@@ -0,0 +1,5 @@
+## always sourced by conf.d/http-proxy.conf
+
+## $conn_upgrade_unset is defined in conf.d/http-proxy.conf
+proxy_set_header Connection $conn_upgrade_unset;
+proxy_set_header Upgrade $http_upgrade;
diff --git a/snip.d/proxy-early-data b/snip.d/proxy-early-data
new file mode 100644
index 0000000..250277e
--- /dev/null
+++ b/snip.d/proxy-early-data
@@ -0,0 +1,3 @@
+## always sourced by conf.d/http-proxy.conf
+
+proxy_set_header Early-Data $ssl_early_data;
diff --git a/snip.d/robots-txt b/snip.d/robots-txt
new file mode 100644
index 0000000..0c7cf98
--- /dev/null
+++ b/snip.d/robots-txt
@@ -0,0 +1,4 @@
+location = /robots.txt {
+ try_files /.robots.txt /robots.txt =404;
+ log_not_found off;
+}
diff --git a/snip.d/ssl-krd.sh b/snip.d/ssl-krd.sh
new file mode 100644
index 0000000..7d00987
--- /dev/null
+++ b/snip.d/ssl-krd.sh
@@ -0,0 +1,3 @@
+ssl_certificate /etc/letsencrypt/live/krd.sh/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/krd.sh/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/krd.sh/chain.pem;
diff --git a/snip.d/tls-common b/snip.d/tls-common
new file mode 100644
index 0000000..6a5b7c6
--- /dev/null
+++ b/snip.d/tls-common
@@ -0,0 +1,5 @@
+ssl_session_timeout 7m;
+ssl_session_tickets off;
+
+ssl_stapling on;
+ssl_stapling_verify on;
diff --git a/snip.d/tls-intermediate b/snip.d/tls-intermediate
new file mode 100644
index 0000000..9865eee
--- /dev/null
+++ b/snip.d/tls-intermediate
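Review bot: `proxy_set_header Early-Data $ssl_early_data;` only mitigates 0-RTT replay if the upstream acts on it: TLS 1.3 early data can be replayed by anyone on the path, and the RFC 8470 pattern expects the backend to answer non-idempotent requests that carry `Early-Data: 1` with 425 Too Early. The snippet is included in the nexus vhost earlier in this diff in front of a backend on 127.0.0.1:8081 whose handling of the header is not visible here; if it ignores the header, `ssl_early_data on` in snip.d/tls-modern (later in this diff) leaves its POST/PUT traffic replayable. Suggest stating the contract in the snippet: `## 0-RTT requests are replayable: the upstream must reject non-idempotent requests with Early-Data: 1 (HTTP 425)`.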
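Review bot: `ssl_stapling on;` together with `ssl_stapling_verify on;` needs a `resolver` directive in scope so the OCSP responder named in the certificate can be looked up, and none appears in any snippet of this commit; unless conf.d/http-ssl.conf (referenced by snip.d/tls-intermediate but not in this chunk) sets one, nginx logs a "no resolver defined" warning and simply serves no stapled response while handshakes keep succeeding, which makes the gap easy to miss. A comment on the `ssl_stapling on;` line, `## requires a resolver in scope (set in conf.d/http-ssl.conf)`, ties the two files together.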
@@ -0,0 +1,11 @@
+## always sourced by conf.d/http-ssl.conf
+
+include snip.d/tls-common;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_session_cache shared:tls-intermediate:10m;
+ssl_prefer_server_ciphers off;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+
+## openssl genpkey -genparam -algorithm DH -out /etc/angie/tls/ffdhe2048.pem -pkeyopt group:ffdhe2048
+ssl_dhparam /etc/angie/tls/ffdhe2048.pem;
diff --git a/snip.d/tls-modern b/snip.d/tls-modern
new file mode 100644
index 0000000..58c185b
--- /dev/null
+++ b/snip.d/tls-modern
@@ -0,0 +1,6 @@
+include snip.d/tls-common;
+
+ssl_protocols TLSv1.3;
+ssl_session_cache shared:ssl-modern:10m;
+ssl_prefer_server_ciphers off;
+ssl_early_data on;
diff --git a/snip.d/tls-old b/snip.d/tls-old
new file mode 100644
index 0000000..d11ba5a
--- /dev/null
+++ b/snip.d/tls-old
@@ -0,0 +1,9 @@
+include snip.d/tls-common;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_session_cache shared:tls-old:10m;
+ssl_prefer_server_ciphers on;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
+
+## openssl genpkey -genparam -algorithm DH -out /etc/angie/tls/dh1024.pem -pkeyopt dh_paramgen_prime_len:1024
+ssl_dhparam /etc/angie/tls/dh1024.pem;
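Review bot: the `ssl_dhparam` recipe in snip.d/tls-old generates a 1024-bit group (`dh_paramgen_prime_len:1024`), which is the Logjam-class size a legacy profile is meant to tolerate in clients, not to offer itself; on builds that run OpenSSL at security level 2 (the Debian/Ubuntu default) DH below 2048 bits is refused outright, so the DHE-* suites in that list would fail to negotiate rather than help an old client. Since `ssl_prefer_server_ciphers on` places the ECDHE suites first, only clients lacking ECDHE ever reach DHE, and pointing `ssl_dhparam` at the `/etc/angie/tls/ffdhe2048.pem` already produced for snip.d/tls-intermediate costs nothing measurable for them. Whatever is decided, the profile should document its scope on line 1, e.g. `## legacy-only profile: TLSv1.0/1.1 (deprecated by RFC 8996) and DES-CBC3-SHA are kept for <named legacy clients>; never select by default`, because nothing in the file currently says why those entries survive.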
diff --git a/stream.conf b/stream.conf
new file mode 100644
index 0000000..f325608
--- /dev/null
+++ b/stream.conf
@@ -0,0 +1,4 @@
+stream {
+ include conf.d/stream-*.conf;
+ include site.d/stream-*.conf;
+}