initial commit
This commit is contained in:
commit
d7d4344c53
15
angie.conf
Normal file
15
angie.conf
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
pid /run/angie.pid;
|
||||||
|
|
||||||
|
include mod.d/core-*.conf;
|
||||||
|
include mod.d/http-*.conf;
|
||||||
|
include mod.d/mail-*.conf;
|
||||||
|
include mod.d/stream-*.conf;
|
||||||
|
|
||||||
|
events {
|
||||||
|
include conf.d/core_events-*.conf;
|
||||||
|
}
|
||||||
|
include conf.d/core-*.conf;
|
||||||
|
|
||||||
|
include http.conf;
|
||||||
|
# include mail.conf;
|
||||||
|
# include stream.conf;
|
1
conf.avail/core-logging.conf
Normal file
1
conf.avail/core-logging.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
error_log /var/log/angie/error.log warn;
|
1
conf.avail/core-pcre.conf
Normal file
1
conf.avail/core-pcre.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
pcre_jit on;
|
1
conf.avail/core-quic-bpf.conf
Normal file
1
conf.avail/core-quic-bpf.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
quic_bpf on;
|
1
conf.avail/core-user.conf
Normal file
1
conf.avail/core-user.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
user angie www-data;
|
1
conf.avail/core-worker-processes.conf
Normal file
1
conf.avail/core-worker-processes.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
worker_processes 4;
|
1
conf.avail/core-worker-rlimit-nofile.conf
Normal file
1
conf.avail/core-worker-rlimit-nofile.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
worker_rlimit_nofile 1048576;
|
1
conf.avail/core_events-worker-connections.conf
Normal file
1
conf.avail/core_events-worker-connections.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
worker_connections 16384;
|
1
conf.avail/core_events-worker-multi-accept.conf
Normal file
1
conf.avail/core_events-worker-multi-accept.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
multi_accept on;
|
24
conf.avail/http-brotli.conf
Normal file
24
conf.avail/http-brotli.conf
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
brotli on;
|
||||||
|
|
||||||
|
## default is 6
|
||||||
|
brotli_comp_level 5;
|
||||||
|
brotli_min_length 1024;
|
||||||
|
|
||||||
|
brotli_buffers 32 16k;
|
||||||
|
|
||||||
|
brotli_types
|
||||||
|
application/atom+xml
|
||||||
|
application/javascript
|
||||||
|
application/json
|
||||||
|
application/vnd.api+json
|
||||||
|
application/rss+xml
|
||||||
|
application/x-javascript
|
||||||
|
application/xhtml+xml
|
||||||
|
application/xml
|
||||||
|
image/svg+xml
|
||||||
|
image/x-icon
|
||||||
|
text/css
|
||||||
|
text/javascript
|
||||||
|
text/plain
|
||||||
|
text/xml
|
||||||
|
;
|
7
conf.avail/http-buffers-main.conf
Normal file
7
conf.avail/http-buffers-main.conf
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
subrequest_output_buffer_size 16k;
|
||||||
|
client_body_buffer_size 16k;
|
||||||
|
client_header_buffer_size 2k;
|
||||||
|
large_client_header_buffers 8 16k;
|
||||||
|
|
||||||
|
## lowering from 16k to 4k to improve time-to-first-byte
|
||||||
|
ssl_buffer_size 4k;
|
22
conf.avail/http-buffers-misc.conf
Normal file
22
conf.avail/http-buffers-misc.conf
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
grpc_buffer_size 16k;
|
||||||
|
|
||||||
|
proxy_buffers 16 16k;
|
||||||
|
fastcgi_buffers 16 16k;
|
||||||
|
scgi_buffers 16 16k;
|
||||||
|
uwsgi_buffers 16 16k;
|
||||||
|
|
||||||
|
proxy_buffer_size 16k;
|
||||||
|
proxy_busy_buffers_size 32k;
|
||||||
|
proxy_temp_file_write_size 32k;
|
||||||
|
|
||||||
|
fastcgi_buffer_size 16k;
|
||||||
|
fastcgi_busy_buffers_size 32k;
|
||||||
|
fastcgi_temp_file_write_size 32k;
|
||||||
|
|
||||||
|
scgi_buffer_size 16k;
|
||||||
|
scgi_busy_buffers_size 32k;
|
||||||
|
scgi_temp_file_write_size 32k;
|
||||||
|
|
||||||
|
uwsgi_buffer_size 16k;
|
||||||
|
uwsgi_busy_buffers_size 32k;
|
||||||
|
uwsgi_temp_file_write_size 32k;
|
4
conf.avail/http-geoip.conf
Normal file
4
conf.avail/http-geoip.conf
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
geoip_country /usr/share/GeoIP/GeoIPv6.dat;
|
||||||
|
|
||||||
|
## in case of IPv4-only setup use this statement:
|
||||||
|
# geoip_country /usr/share/GeoIP/GeoIP.dat;
|
16
conf.avail/http-geoip2.conf
Normal file
16
conf.avail/http-geoip2.conf
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
geoip2 /usr/local/share/geoip2/GeoLite2-Country.mmdb {
|
||||||
|
$geoip2_country_code country iso_code;
|
||||||
|
$geoip2_country_name country names en;
|
||||||
|
}
|
||||||
|
|
||||||
|
geoip2 /usr/local/share/geoip2/GeoLite2-City.mmdb {
|
||||||
|
# $geoip2_city_name city names en;
|
||||||
|
$geoip2_timezone location time_zone;
|
||||||
|
$geoip2_latitude location latitude;
|
||||||
|
$geoip2_longitude location longitude;
|
||||||
|
}
|
||||||
|
|
||||||
|
geoip2 /usr/local/share/geoip2/GeoLite2-ASN.mmdb {
|
||||||
|
$geoip2_asn autonomous_system_number;
|
||||||
|
$geoip2_asn_org autonomous_system_organization;
|
||||||
|
}
|
1
conf.avail/http-grpc-accept-encoding.conf
Normal file
1
conf.avail/http-grpc-accept-encoding.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
include snip.d/grpc-accept-encoding;
|
28
conf.avail/http-gzip.conf
Normal file
28
conf.avail/http-gzip.conf
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
gzip on;
|
||||||
|
|
||||||
|
## default is 1
|
||||||
|
gzip_comp_level 2;
|
||||||
|
gzip_min_length 1024;
|
||||||
|
|
||||||
|
gzip_vary on;
|
||||||
|
gzip_proxied any;
|
||||||
|
|
||||||
|
gzip_buffers 32 16k;
|
||||||
|
gunzip_buffers 32 16k;
|
||||||
|
|
||||||
|
gzip_types
|
||||||
|
application/atom+xml
|
||||||
|
application/javascript
|
||||||
|
application/json
|
||||||
|
application/vnd.api+json
|
||||||
|
application/rss+xml
|
||||||
|
application/x-javascript
|
||||||
|
application/xhtml+xml
|
||||||
|
application/xml
|
||||||
|
image/svg+xml
|
||||||
|
image/x-icon
|
||||||
|
text/css
|
||||||
|
text/javascript
|
||||||
|
text/plain
|
||||||
|
text/xml
|
||||||
|
;
|
67
conf.avail/http-krd.sh.conf
Normal file
67
conf.avail/http-krd.sh.conf
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
map $scheme:$host
|
||||||
|
$krdsh_need_ssl
|
||||||
|
{
|
||||||
|
default 1;
|
||||||
|
|
||||||
|
~*^[^:]+:(?:nossl-)?geo-[^.]+\.krd\.sh$ "";
|
||||||
|
|
||||||
|
~*^https: "";
|
||||||
|
~*^http:nossl- "";
|
||||||
|
}
|
||||||
|
|
||||||
|
map $scheme:$host
|
||||||
|
$krdsh_is_ssl
|
||||||
|
{
|
||||||
|
~*^https:nossl- "";
|
||||||
|
~*^https: 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $scheme:$host
|
||||||
|
$krdsh_nossl_misuse
|
||||||
|
{
|
||||||
|
~*^https:nossl- 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $host
|
||||||
|
$krdsh_nossl_realhost
|
||||||
|
{
|
||||||
|
~*^nossl-(.+)$ $1;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $scheme:$host
|
||||||
|
$krdsh_need_redirect
|
||||||
|
{
|
||||||
|
~*^[^:]+:nossl-geo\.krd\.sh$ 1;
|
||||||
|
~*^[^:]+:(?:nossl-)?geo-[^.]+\.krd\.sh$ 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $scheme:$host
|
||||||
|
$krdsh_redirector
|
||||||
|
{
|
||||||
|
default http://krd.sh;
|
||||||
|
|
||||||
|
~*^[^:]+:nossl-geo\.krd\.sh$ $scheme://geo.krd.sh$uri;
|
||||||
|
~*^[^:]+:(?:nossl-)?geo-([^.]+)\.krd\.sh$ $scheme://geo.krd.sh/$1;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $krdsh_need_ssl$krdsh_is_ssl$krdsh_need_redirect
|
||||||
|
$krdsh_need_proxy
|
||||||
|
{
|
||||||
|
"" 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $host
|
||||||
|
$krdsh_self_proxy_host
|
||||||
|
{
|
||||||
|
default $host;
|
||||||
|
|
||||||
|
~*^nossl-(.+)$ $1;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $host
|
||||||
|
$krdsh_self_proxy_uri
|
||||||
|
{
|
||||||
|
default https://$host;
|
||||||
|
|
||||||
|
~*^nossl-(.+)$ https://$1;
|
||||||
|
}
|
12
conf.avail/http-logging.conf
Normal file
12
conf.avail/http-logging.conf
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
|
log_format extended '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
|
'$status $body_bytes_sent "$http_referer" rt="$request_time" '
|
||||||
|
'"$http_user_agent" "$http_x_forwarded_for" '
|
||||||
|
'h="$host" sn="$server_name" ru="$request_uri" u="$uri" '
|
||||||
|
'ucs="$upstream_cache_status" ua="$upstream_addr" us="$upstream_status" '
|
||||||
|
'uct="$upstream_connect_time" urt="$upstream_response_time"';
|
||||||
|
|
||||||
|
access_log /var/log/angie/access.log main buffer=512k flush=1m;
|
1
conf.avail/http-max-accept-range.conf
Normal file
1
conf.avail/http-max-accept-range.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
max_ranges 2;
|
8
conf.avail/http-mime-types.conf
Normal file
8
conf.avail/http-mime-types.conf
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
include mime.types;
|
||||||
|
|
||||||
|
types {
|
||||||
|
font/ttf ttf;
|
||||||
|
application/font-sfnt otf;
|
||||||
|
}
|
||||||
|
|
||||||
|
default_type application/octet-stream;
|
1
conf.avail/http-misc-defaults.conf
Normal file
1
conf.avail/http-misc-defaults.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
server_tokens on;
|
55
conf.avail/http-proxy.conf
Normal file
55
conf.avail/http-proxy.conf
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_ssl_server_name on;
|
||||||
|
proxy_ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
proxy_cache_bypass $http_upgrade;
|
||||||
|
|
||||||
|
map $http_upgrade
|
||||||
|
$conn_upgrade_unset
|
||||||
|
{
|
||||||
|
volatile;
|
||||||
|
|
||||||
|
default upgrade;
|
||||||
|
"" "";
|
||||||
|
}
|
||||||
|
|
||||||
|
map $http_upgrade
|
||||||
|
$conn_upgrade_keepalive
|
||||||
|
{
|
||||||
|
volatile;
|
||||||
|
|
||||||
|
default upgrade;
|
||||||
|
"" keep-alive;
|
||||||
|
}
|
||||||
|
|
||||||
|
## ref:
|
||||||
|
## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
|
||||||
|
map $remote_addr
|
||||||
|
$proxy_forwarded_elem
|
||||||
|
{
|
||||||
|
## IPv4 addresses can be sent as-is
|
||||||
|
~^[0-9.]+$ "for=$remote_addr";
|
||||||
|
## IPv6 addresses need to be bracketed and quoted
|
||||||
|
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
|
||||||
|
## Unix domain socket names cannot be represented in RFC 7239 syntax
|
||||||
|
default "for=unknown";
|
||||||
|
}
|
||||||
|
|
||||||
|
## ref:
|
||||||
|
## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true
|
||||||
|
## - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
|
||||||
|
map $http_forwarded
|
||||||
|
$proxy_add_forwarded
|
||||||
|
{
|
||||||
|
volatile;
|
||||||
|
|
||||||
|
## if the incoming Forwarded header is syntactically valid, append to it
|
||||||
|
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
|
||||||
|
|
||||||
|
## otherwise, replace it
|
||||||
|
default "$proxy_forwarded_elem";
|
||||||
|
}
|
||||||
|
|
||||||
|
include snip.d/proxy-common-headers;
|
||||||
|
include snip.d/proxy-accept-encoding;
|
||||||
|
include snip.d/proxy-connection-upgrade;
|
||||||
|
include snip.d/proxy-early-data;
|
2
conf.avail/http-resolver.conf
Normal file
2
conf.avail/http-resolver.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
resolver 127.1.0.1 valid=60s ipv6=off;
|
||||||
|
resolver_timeout 10s;
|
4
conf.avail/http-sendfile.conf
Normal file
4
conf.avail/http-sendfile.conf
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
sendfile on;
|
||||||
|
#tcp_nopush on;
|
||||||
|
|
||||||
|
postpone_output 1000;
|
7
conf.avail/http-ssl.conf
Normal file
7
conf.avail/http-ssl.conf
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
ssl_conf_command Options PrioritizeChaCha,KTLS;
|
||||||
|
|
||||||
|
proxy_ssl_conf_command Options PrioritizeChaCha,KTLS;
|
||||||
|
grpc_ssl_conf_command Options PrioritizeChaCha,KTLS;
|
||||||
|
uwsgi_ssl_conf_command Options PrioritizeChaCha,KTLS;
|
||||||
|
|
||||||
|
include snip.d/tls-intermediate;
|
2
conf.avail/http-v3.conf
Normal file
2
conf.avail/http-v3.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
http3_stream_buffer_size 128k;
|
||||||
|
quic_active_connection_id_limit 4;
|
4
http.conf
Normal file
4
http.conf
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
http {
|
||||||
|
include conf.d/http-*.conf;
|
||||||
|
include site.d/http-*.conf;
|
||||||
|
}
|
4
mail.conf
Normal file
4
mail.conf
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
mail {
|
||||||
|
include conf.d/mail-*.conf;
|
||||||
|
include site.d/mail-*.conf;
|
||||||
|
}
|
1
mod.avail/http-auth-jwt.conf
Normal file
1
mod.avail/http-auth-jwt.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_auth_jwt_module.so;
|
2
mod.avail/http-brotli.conf
Normal file
2
mod.avail/http-brotli.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
load_module modules/ngx_http_brotli_filter_module.so;
|
||||||
|
load_module modules/ngx_http_brotli_static_module.so;
|
1
mod.avail/http-dav-ext.conf
Normal file
1
mod.avail/http-dav-ext.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_dav_ext_module.so;
|
1
mod.avail/http-echo.conf
Normal file
1
mod.avail/http-echo.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_echo_module.so;
|
1
mod.avail/http-geoip.conf
Normal file
1
mod.avail/http-geoip.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_geoip_module.so;
|
1
mod.avail/http-geoip2.conf
Normal file
1
mod.avail/http-geoip2.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_geoip2_module.so;
|
1
mod.avail/http-headers-more.conf
Normal file
1
mod.avail/http-headers-more.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_headers_more_filter_module.so;
|
1
mod.avail/http-image-filter.conf
Normal file
1
mod.avail/http-image-filter.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_image_filter_module.so;
|
1
mod.avail/http-njs.conf
Normal file
1
mod.avail/http-njs.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_js_module.so;
|
1
mod.avail/http-perl.conf
Normal file
1
mod.avail/http-perl.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_perl_module.so;
|
1
mod.avail/http-subs.conf
Normal file
1
mod.avail/http-subs.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_subs_filter_module.so;
|
1
mod.avail/http-upload.conf
Normal file
1
mod.avail/http-upload.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_upload_module.so;
|
1
mod.avail/http-xslt-filter.conf
Normal file
1
mod.avail/http-xslt-filter.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_xslt_filter_module.so;
|
1
mod.avail/http-zip.conf
Normal file
1
mod.avail/http-zip.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_http_zip_module.so;
|
1
mod.avail/stream-geoip.conf
Normal file
1
mod.avail/stream-geoip.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_stream_geoip_module.so;
|
1
mod.avail/stream-geoip2.conf
Normal file
1
mod.avail/stream-geoip2.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_stream_geoip2_module.so;
|
1
mod.avail/stream-njs.conf
Normal file
1
mod.avail/stream-njs.conf
Normal file
@ -0,0 +1 @@
|
|||||||
|
load_module modules/ngx_stream_js_module.so;
|
9
njs/nexus.js
Normal file
9
njs/nexus.js
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
function statics(r) {
|
||||||
|
var bytes = crypto.getRandomValues(new Uint8Array(1));
|
||||||
|
var s = (bytes[0] & 15).toString(16);
|
||||||
|
s = "https://nexus-st-" + s + ".krd.sh" + r.uri;
|
||||||
|
if (r.args.length > 0) { s += r.variables.is_args + r.variables.args; }
|
||||||
|
r.return(307, s);
|
||||||
|
}
|
||||||
|
|
||||||
|
export default {statics};
|
91
site.avail/http-deb.krd.sh.conf
Normal file
91
site.avail/http-deb.krd.sh.conf
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
server {
|
||||||
|
server_name deb.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-http;
|
||||||
|
|
||||||
|
include snip.d/https-alt-svc;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/deb;
|
||||||
|
|
||||||
|
include snip.d/empty-favicon;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
|
||||||
|
include snip.d/https-alt-svc;
|
||||||
|
include snip.d/http-security-headers;
|
||||||
|
}
|
||||||
|
|
||||||
|
## allow APT work as usual
|
||||||
|
|
||||||
|
location ~*/(?:InRelease|Release|Packages|Sources)$
|
||||||
|
~*/[^/]+/.*[^/]+\.(?:asc|dsc)$
|
||||||
|
{
|
||||||
|
default_type text/plain;
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
## /*/dists/*/Release.gpg
|
||||||
|
location ~*^/[^/]+/.*[^/]+\.(?:gpg)$
|
||||||
|
{
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~*\.(?:bz2|deb|gz|tar|udeb|xz|Z|zip|zstd?)$
|
||||||
|
## various tarball file name extensions (sic!)
|
||||||
|
~*\.t(?:[agx]z|bz2?|[bz]2|bJ|zo|lz(?:|ma?)|zstd?|a?Z)$
|
||||||
|
{
|
||||||
|
gzip off;
|
||||||
|
brotli off;
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name deb.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-https;
|
||||||
|
include snip.d/ssl-krd.sh;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/deb;
|
||||||
|
autoindex on;
|
||||||
|
|
||||||
|
include snip.d/empty-favicon;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
|
||||||
|
include snip.d/https-alt-svc;
|
||||||
|
include snip.d/http-security-headers;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~*/(?:InRelease|Release|Packages|Sources)$
|
||||||
|
~*\.(?:asc|build|buildinfo|changes|dsc|list|log|sources)$
|
||||||
|
{
|
||||||
|
default_type text/plain;
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~*\.(?:bz2|deb|gz|tar|udeb|xz|Z|zip|zstd?)$
|
||||||
|
## various tarball file name extensions (sic!)
|
||||||
|
~*\.t(?:[agx]z|bz2?|[bz]2|bJ|zo|lz(?:|ma?)|zstd?|a?Z)$
|
||||||
|
{
|
||||||
|
gzip off;
|
||||||
|
brotli off;
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
## "meta" usually doesn't contain sensitive data
|
||||||
|
# include snip.d/deny-dotfiles;
|
||||||
|
location ~*^/[^/]+/\.meta/
|
||||||
|
{
|
||||||
|
default_type text/plain;
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
}
|
50
site.avail/http-default-ssl.conf
Normal file
50
site.avail/http-default-ssl.conf
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
server {
|
||||||
|
server_name _;
|
||||||
|
|
||||||
|
listen 443 default_server bind deferred ssl;
|
||||||
|
## TODO: reuseport
|
||||||
|
listen 443 default_server quic reuseport;
|
||||||
|
http2 on;
|
||||||
|
|
||||||
|
## nota bene
|
||||||
|
ssl_reject_handshake on;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
|
||||||
|
default_type text/plain;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
keepalive_timeout 0;
|
||||||
|
return 200;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
## GRPC over TLS
|
||||||
|
server {
|
||||||
|
server_name _;
|
||||||
|
|
||||||
|
listen 444 default_server bind deferred ssl;
|
||||||
|
## TODO: reuseport
|
||||||
|
listen 444 default_server quic reuseport;
|
||||||
|
http2 on;
|
||||||
|
|
||||||
|
## nota bene
|
||||||
|
ssl_reject_handshake on;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
|
||||||
|
default_type text/plain;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
keepalive_timeout 0;
|
||||||
|
return 200;
|
||||||
|
}
|
||||||
|
}
|
16
site.avail/http-default.conf
Normal file
16
site.avail/http-default.conf
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
server {
|
||||||
|
server_name _;
|
||||||
|
|
||||||
|
listen 80 default_server bind deferred;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
|
||||||
|
default_type text/plain;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
keepalive_timeout 0;
|
||||||
|
return 200;
|
||||||
|
}
|
||||||
|
}
|
30
site.avail/http-dotfiles.krd.sh.conf
Normal file
30
site.avail/http-dotfiles.krd.sh.conf
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
server {
|
||||||
|
server_name dotfiles.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-https;
|
||||||
|
include snip.d/ssl-krd.sh;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/dotfiles;
|
||||||
|
index index.txt;
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
|
||||||
|
include snip.d/http-security-headers;
|
||||||
|
|
||||||
|
location ~* ^/(|index\.txt)$ {
|
||||||
|
default_type text/plain;
|
||||||
|
}
|
||||||
|
|
||||||
|
location = /get {
|
||||||
|
return 303 $scheme://$host/.config/dotfiles/install.sh;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ ^/.+$ {
|
||||||
|
return 303 https://git.krd.sh/krd/dotfiles/raw/branch/main$uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
include snip.d/empty-favicon;
|
||||||
|
include snip.d/robots-txt;
|
||||||
|
}
|
30
site.avail/http-files.krd.sh.conf
Normal file
30
site.avail/http-files.krd.sh.conf
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
server {
|
||||||
|
server_name files.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-https;
|
||||||
|
include snip.d/ssl-krd.sh;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/files;
|
||||||
|
autoindex on;
|
||||||
|
|
||||||
|
include snip.d/http-security-headers;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~*^/(?:angie)/
|
||||||
|
~*\.(?:asc|conf|dsc|js|json|pem|sh|sources|txt)$
|
||||||
|
{
|
||||||
|
default_type text/plain;
|
||||||
|
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
include snip.d/deny-dotfiles;
|
||||||
|
include snip.d/empty-favicon;
|
||||||
|
include snip.d/robots-txt;
|
||||||
|
}
|
152
site.avail/http-geo.krd.sh.conf
Normal file
152
site.avail/http-geo.krd.sh.conf
Normal file
@ -0,0 +1,152 @@
|
|||||||
|
map $http3:$http2:$server_protocol
|
||||||
|
$krdsh__geo_proto
|
||||||
|
{
|
||||||
|
default $server_protocol;
|
||||||
|
|
||||||
|
~^[^:]+: $http3;
|
||||||
|
~^:[^:]+: $http2;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $http_user_agent
|
||||||
|
$krdsh__geo_ua
|
||||||
|
{
|
||||||
|
default $http_user_agent;
|
||||||
|
|
||||||
|
"" "<none>";
|
||||||
|
}
|
||||||
|
|
||||||
|
map $ssl_protocol
|
||||||
|
$krdsh__geo_ssl_proto
|
||||||
|
{
|
||||||
|
default $ssl_protocol;
|
||||||
|
|
||||||
|
"" "none";
|
||||||
|
}
|
||||||
|
|
||||||
|
map $ssl_alpn_protocol
|
||||||
|
$krdsh__geo_ssl_alpn
|
||||||
|
{
|
||||||
|
default $ssl_alpn_protocol;
|
||||||
|
|
||||||
|
"" "none";
|
||||||
|
}
|
||||||
|
|
||||||
|
map $ssl_session_reused
|
||||||
|
$krdsh__geo_ssl_reuse
|
||||||
|
{
|
||||||
|
default "no";
|
||||||
|
|
||||||
|
r yes;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $ssl_early_data
|
||||||
|
$krdsh__geo_ssl_early
|
||||||
|
{
|
||||||
|
default "no";
|
||||||
|
|
||||||
|
1 yes;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $uri
|
||||||
|
$krdsh__geo_k
|
||||||
|
{
|
||||||
|
volatile;
|
||||||
|
## default is "help"
|
||||||
|
default help;
|
||||||
|
|
||||||
|
~^/(.+)$ $1;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $krdsh__geo_k
|
||||||
|
$krdsh__geo_v
|
||||||
|
{
|
||||||
|
volatile;
|
||||||
|
## default is "help"
|
||||||
|
default "usage: $host/{key}\r\nmeta keys: [help] all geo ssl version\r\nsimple keys: ip user-agent proto ssl-proto ssl-alpn ssl-reuse ssl-early country-code country-name timezone latitude longitude asn asn-org";
|
||||||
|
|
||||||
|
ip $remote_addr;
|
||||||
|
user-agent $krdsh__geo_ua;
|
||||||
|
|
||||||
|
proto $krdsh__geo_proto;
|
||||||
|
ssl-proto $krdsh__geo_ssl_proto;
|
||||||
|
ssl-alpn $krdsh__geo_ssl_alpn;
|
||||||
|
ssl-reuse $krdsh__geo_ssl_reuse;
|
||||||
|
ssl-early $krdsh__geo_ssl_early;
|
||||||
|
|
||||||
|
country-code $geoip2_country_code;
|
||||||
|
country-name $geoip2_country_name;
|
||||||
|
|
||||||
|
timezone $geoip2_timezone;
|
||||||
|
latitude $geoip2_latitude;
|
||||||
|
longitude $geoip2_longitude;
|
||||||
|
|
||||||
|
asn $geoip2_asn;
|
||||||
|
asn-org $geoip2_asn_org;
|
||||||
|
|
||||||
|
version "angie/$angie_version";
|
||||||
|
|
||||||
|
all "ip: $remote_addr\r\nuser-agent: $krdsh__geo_ua\r\nproto: $krdsh__geo_proto\r\nssl-proto: $krdsh__geo_ssl_proto\r\nssl-alpn: $krdsh__geo_ssl_alpn\r\nssl-reuse: $krdsh__geo_ssl_reuse\r\nssl-early: $krdsh__geo_ssl_early\r\ncountry-code: $geoip2_country_code\r\ncountry-name: $geoip2_country_name\r\ntimezone: $geoip2_timezone\r\nlatitude: $geoip2_latitude\r\nlongitude: $geoip2_longitude\r\nasn: $geoip2_asn\r\nasn-org: $geoip2_asn_org";
|
||||||
|
|
||||||
|
geo "ip: $remote_addr\r\ncountry-code: $geoip2_country_code\r\ncountry-name: $geoip2_country_name\r\ntimezone: $geoip2_timezone\r\nlatitude: $geoip2_latitude\r\nlongitude: $geoip2_longitude\r\nasn: $geoip2_asn\r\nasn-org: $geoip2_asn_org";
|
||||||
|
|
||||||
|
ssl "proto: $krdsh__geo_proto\r\nssl-proto: $krdsh__geo_ssl_proto\r\nssl-alpn: $krdsh__geo_ssl_alpn\r\nssl-reuse: $krdsh__geo_ssl_reuse\r\nssl-early: $krdsh__geo_ssl_early";
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
map $uri
|
||||||
|
$krdsh__geo_file
|
||||||
|
{
|
||||||
|
## guess what?..
|
||||||
|
default default.zst;
|
||||||
|
|
||||||
|
~*^/asn\.(.+)$ GeoLite2-ASN.$1;
|
||||||
|
~*^/city\.(.+)$ GeoLite2-City.$1;
|
||||||
|
~*^/country\.(.+)$ GeoLite2-Country.$1;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name geo.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-http;
|
||||||
|
include snip.d/listen-https;
|
||||||
|
include snip.d/ssl-krd.sh;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
keepalive_timeout 0;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
include snip.d/empty-favicon;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
default_type text/plain;
|
||||||
|
return 200 "$krdsh__geo_v\r\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~*^/[^/.]+\.mmdb\.[^/.]+$
|
||||||
|
{
|
||||||
|
root /usr/local/share/geoip2;
|
||||||
|
try_files /$krdsh__geo_file @file_help;
|
||||||
|
}
|
||||||
|
location ~*^/[^/.]+\.mmdb$
|
||||||
|
{
|
||||||
|
try_files /.non-existent-uri @file_help;
|
||||||
|
}
|
||||||
|
location @file_help
|
||||||
|
{
|
||||||
|
## sync with "map $uri krdsh__geo_file"
|
||||||
|
set $krdsh__geo_bases "asn city country";
|
||||||
|
## sync with file system contents
|
||||||
|
set $krdsh__geo_comps "br bz2 gz xz zst";
|
||||||
|
## sync with two above
|
||||||
|
set $krdsh__geo_example "country.mmdb.xz";
|
||||||
|
|
||||||
|
default_type text/plain;
|
||||||
|
|
||||||
|
add_header X-GeoIp-Bases $krdsh__geo_bases always;
|
||||||
|
add_header X-GeoIp-Comps $krdsh__geo_comps always;
|
||||||
|
add_header X-GeoIp-Example $krdsh__geo_example always;
|
||||||
|
|
||||||
|
return 403 "valid file names: $krdsh__geo_bases\r\nvalid trailing extensions: $krdsh__geo_comps\r\nexample: $krdsh__geo_example\r\n";
|
||||||
|
}
|
||||||
|
}
|
158
site.avail/http-git.krd.sh.conf
Normal file
158
site.avail/http-git.krd.sh.conf
Normal file
@ -0,0 +1,158 @@
|
|||||||
|
server {
|
||||||
|
server_name git.krd.sh ci.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-http;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
include snip.d/https-alt-svc;
|
||||||
|
include snip.d/http-security-headers;
|
||||||
|
|
||||||
|
keepalive_timeout 0;
|
||||||
|
|
||||||
|
include snip.d/empty-favicon;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://$host$uri$is_args$args;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
proxy_cache_path
|
||||||
|
/var/cache/angie/proxy/krdsh-git
|
||||||
|
keys_zone=krdsh_git:10m
|
||||||
|
levels=1:2 inactive=1h;
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name git.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-https;
|
||||||
|
include snip.d/ssl-krd.sh;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
include snip.d/http-security-headers;
|
||||||
|
|
||||||
|
include snip.d/proxy-common-headers;
|
||||||
|
include snip.d/proxy-accept-encoding;
|
||||||
|
include snip.d/proxy-connection-keepalive;
|
||||||
|
include snip.d/proxy-early-data;
|
||||||
|
|
||||||
|
proxy_redirect ~*^http://(ci|git)\.krd\.sh(?:|:[0-9]+)/(.*)$ https://$1.krd.sh/$2;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:3000;
|
||||||
|
## quirks
|
||||||
|
client_max_body_size 512M;
|
||||||
|
chunked_transfer_encoding off;
|
||||||
|
}
|
||||||
|
|
||||||
|
location @precache {
|
||||||
|
proxy_pass http://127.0.0.1:3000;
|
||||||
|
|
||||||
|
proxy_cache krdsh_git;
|
||||||
|
proxy_cache_key $uri;
|
||||||
|
proxy_cache_valid 200 1h;
|
||||||
|
proxy_cache_valid 30s;
|
||||||
|
proxy_ignore_client_abort on;
|
||||||
|
|
||||||
|
proxy_ignore_headers Cache-Control;
|
||||||
|
proxy_hide_header Cache-Control;
|
||||||
|
expires 2h;
|
||||||
|
|
||||||
|
## quirks
|
||||||
|
chunked_transfer_encoding off;
|
||||||
|
proxy_method GET;
|
||||||
|
proxy_buffering on;
|
||||||
|
proxy_temp_file_write_size 4m;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /assets/ {
|
||||||
|
try_files /.non-existent-uri @precache;
|
||||||
|
# proxy_pass http://127.0.0.1:3000;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
proxy_cache_path
|
||||||
|
/var/cache/angie/proxy/krdsh-ci
|
||||||
|
keys_zone=krdsh_ci:10m
|
||||||
|
levels=1:2 inactive=1h;
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name ci.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-https;
|
||||||
|
include snip.d/ssl-krd.sh;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
include snip.d/http-security-headers;
|
||||||
|
|
||||||
|
include snip.d/proxy-common-headers;
|
||||||
|
include snip.d/proxy-accept-encoding;
|
||||||
|
include snip.d/proxy-connection-keepalive;
|
||||||
|
include snip.d/proxy-early-data;
|
||||||
|
|
||||||
|
proxy_redirect ~*^http://(ci|git)\.krd\.sh(?:|:[0-9]+)/(.*)$ https://$1.krd.sh/$2;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:8000;
|
||||||
|
## quirks
|
||||||
|
chunked_transfer_encoding off;
|
||||||
|
client_max_body_size 16M;
|
||||||
|
proxy_buffering off;
|
||||||
|
}
|
||||||
|
|
||||||
|
location @precache {
|
||||||
|
proxy_pass http://127.0.0.1:8000;
|
||||||
|
|
||||||
|
proxy_cache krdsh_ci;
|
||||||
|
proxy_cache_key $uri;
|
||||||
|
proxy_cache_valid 200 1h;
|
||||||
|
proxy_cache_valid 30s;
|
||||||
|
proxy_ignore_client_abort on;
|
||||||
|
|
||||||
|
proxy_ignore_headers Cache-Control;
|
||||||
|
proxy_hide_header Cache-Control;
|
||||||
|
expires 2h;
|
||||||
|
|
||||||
|
## quirks
|
||||||
|
chunked_transfer_encoding off;
|
||||||
|
proxy_method GET;
|
||||||
|
proxy_buffering on;
|
||||||
|
proxy_temp_file_write_size 4m;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /assets/ {
|
||||||
|
try_files /.non-existent-uri @precache;
|
||||||
|
# proxy_pass http://127.0.0.1:8000;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name ci.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-grpcs;
|
||||||
|
include snip.d/ssl-krd.sh;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
include snip.d/http-security-headers;
|
||||||
|
|
||||||
|
include snip.d/grpc-accept-encoding;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
grpc_pass grpc://127.0.0.1:9000;
|
||||||
|
}
|
||||||
|
}
|
55
site.avail/http-krd.sh.conf
Normal file
55
site.avail/http-krd.sh.conf
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
## $krdsh_* are defined in conf.d/http-krd.sh.conf
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name .krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-http;
|
||||||
|
include snip.d/listen-https;
|
||||||
|
include snip.d/ssl-krd.sh;
|
||||||
|
|
||||||
|
log_not_found off;
|
||||||
|
access_log off;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
include snip.d/deny-dotfiles;
|
||||||
|
include snip.d/empty-favicon;
|
||||||
|
|
||||||
|
include snip.d/http-security-headers;
|
||||||
|
|
||||||
|
default_type text/plain;
|
||||||
|
keepalive_timeout 0;
|
||||||
|
|
||||||
|
proxy_hide_header Vary;
|
||||||
|
# proxy_redirect off;
|
||||||
|
|
||||||
|
# include snip.d/proxy-common-headers;
|
||||||
|
# include snip.d/proxy-accept-encoding;
|
||||||
|
# include snip.d/proxy-connection-upgrade;
|
||||||
|
# include snip.d/proxy-early-data;
|
||||||
|
|
||||||
|
proxy_ssl_name $krdsh_self_proxy_host;
|
||||||
|
proxy_set_header Host $krdsh_self_proxy_host;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
if ($krdsh_is_ssl) {
|
||||||
|
return 200;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($krdsh_need_ssl) {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($krdsh_nossl_misuse) {
|
||||||
|
return 301 https://$krdsh_nossl_realhost$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($krdsh_need_redirect) {
|
||||||
|
return 301 $krdsh_redirector;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($krdsh_need_proxy) {
|
||||||
|
proxy_pass $krdsh_self_proxy_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
216
site.avail/http-nexus.krd.sh.conf
Normal file
216
site.avail/http-nexus.krd.sh.conf
Normal file
@ -0,0 +1,216 @@
|
|||||||
|
server {
|
||||||
|
server_name nexus.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-http;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
include snip.d/https-alt-svc;
|
||||||
|
include snip.d/http-base-security-headers;
|
||||||
|
|
||||||
|
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ http://$host/$1;
|
||||||
|
|
||||||
|
keepalive_timeout 0;
|
||||||
|
|
||||||
|
include snip.d/empty-favicon;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://$host$uri$is_args$args;
|
||||||
|
}
|
||||||
|
|
||||||
|
## allow APT work as usual
|
||||||
|
|
||||||
|
location ~*^/repository/apt_[^/]+/(?:dists|pool)/
|
||||||
|
{
|
||||||
|
gzip off;
|
||||||
|
brotli off;
|
||||||
|
|
||||||
|
proxy_pass http://127.0.0.1:8081;
|
||||||
|
proxy_method GET;
|
||||||
|
}
|
||||||
|
|
||||||
|
## allow proxy repositories only for non-public usage
|
||||||
|
|
||||||
|
location ~*^/repository/proxy_[^/]+/
|
||||||
|
{
|
||||||
|
allow 127.0.0.0/8;
|
||||||
|
allow 192.0.2.0/24;
|
||||||
|
allow 240.0.0.0/4;
|
||||||
|
deny all;
|
||||||
|
|
||||||
|
proxy_pass http://127.0.0.1:8081;
|
||||||
|
proxy_method GET;
|
||||||
|
}
|
||||||
|
|
||||||
|
## quirks
|
||||||
|
chunked_transfer_encoding off;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name nexus-asis.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-https;
|
||||||
|
include snip.d/ssl-krd.sh;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
include snip.d/http-security-headers;
|
||||||
|
|
||||||
|
include snip.d/proxy-common-headers;
|
||||||
|
include snip.d/proxy-accept-encoding;
|
||||||
|
include snip.d/proxy-connection-keepalive;
|
||||||
|
include snip.d/proxy-early-data;
|
||||||
|
|
||||||
|
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:8081;
|
||||||
|
## quirks
|
||||||
|
client_max_body_size 1024M;
|
||||||
|
}
|
||||||
|
|
||||||
|
## allow proxy repositories only for non-public usage
|
||||||
|
|
||||||
|
location ~*^/repository/proxy_[^/]+/
|
||||||
|
{
|
||||||
|
allow 127.0.0.0/8;
|
||||||
|
allow 192.0.2.0/24;
|
||||||
|
allow 240.0.0.0/4;
|
||||||
|
deny all;
|
||||||
|
|
||||||
|
proxy_pass http://127.0.0.1:8081;
|
||||||
|
}
|
||||||
|
|
||||||
|
## quirks
|
||||||
|
chunked_transfer_encoding off;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name nexus.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-https;
|
||||||
|
include snip.d/ssl-krd.sh;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
include snip.d/http-base-security-headers;
|
||||||
|
|
||||||
|
include snip.d/proxy-common-headers;
|
||||||
|
include snip.d/proxy-accept-encoding;
|
||||||
|
include snip.d/proxy-connection-keepalive;
|
||||||
|
include snip.d/proxy-early-data;
|
||||||
|
|
||||||
|
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:8081;
|
||||||
|
## quirks
|
||||||
|
client_max_body_size 1024M;
|
||||||
|
}
|
||||||
|
|
||||||
|
## allow proxy repositories only for non-public usage
|
||||||
|
|
||||||
|
location ~*^/repository/proxy_[^/]+/
|
||||||
|
{
|
||||||
|
allow 127.0.0.0/8;
|
||||||
|
allow 192.0.2.0/24;
|
||||||
|
allow 240.0.0.0/4;
|
||||||
|
deny all;
|
||||||
|
|
||||||
|
proxy_pass http://127.0.0.1:8081;
|
||||||
|
}
|
||||||
|
|
||||||
|
js_import njs/nexus.js;
|
||||||
|
|
||||||
|
location /static/ {
|
||||||
|
js_content nexus.statics;
|
||||||
|
}
|
||||||
|
|
||||||
|
## quirks
|
||||||
|
chunked_transfer_encoding off;
|
||||||
|
}
|
||||||
|
|
||||||
|
proxy_cache_path
|
||||||
|
/var/cache/angie/proxy/krdsh-nexus
|
||||||
|
keys_zone=krdsh_nexus:10m
|
||||||
|
levels=1:2 inactive=1h;
|
||||||
|
|
||||||
|
server {
|
||||||
|
## PITA
|
||||||
|
server_name
|
||||||
|
nexus-st-0.krd.sh
|
||||||
|
nexus-st-1.krd.sh
|
||||||
|
nexus-st-2.krd.sh
|
||||||
|
nexus-st-3.krd.sh
|
||||||
|
nexus-st-4.krd.sh
|
||||||
|
nexus-st-5.krd.sh
|
||||||
|
nexus-st-6.krd.sh
|
||||||
|
nexus-st-7.krd.sh
|
||||||
|
nexus-st-8.krd.sh
|
||||||
|
nexus-st-9.krd.sh
|
||||||
|
nexus-st-a.krd.sh
|
||||||
|
nexus-st-b.krd.sh
|
||||||
|
nexus-st-c.krd.sh
|
||||||
|
nexus-st-d.krd.sh
|
||||||
|
nexus-st-e.krd.sh
|
||||||
|
nexus-st-f.krd.sh
|
||||||
|
;
|
||||||
|
|
||||||
|
include snip.d/listen-https;
|
||||||
|
include snip.d/ssl-krd.sh;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
# log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
include snip.d/http-base-security-headers;
|
||||||
|
|
||||||
|
add_header Access-Control-Allow-Origin "https://nexus.krd.sh" always;
|
||||||
|
|
||||||
|
include snip.d/proxy-common-headers;
|
||||||
|
include snip.d/proxy-accept-encoding;
|
||||||
|
include snip.d/proxy-connection-close;
|
||||||
|
include snip.d/proxy-early-data;
|
||||||
|
|
||||||
|
proxy_ignore_headers Cache-Control;
|
||||||
|
proxy_hide_header Cache-Control;
|
||||||
|
|
||||||
|
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://nexus.krd.sh/$1;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://nexus.krd.sh;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /static/ {
|
||||||
|
try_files /.non-existent-uri @precache;
|
||||||
|
}
|
||||||
|
|
||||||
|
location @precache {
|
||||||
|
proxy_pass http://127.0.0.1:8081;
|
||||||
|
|
||||||
|
proxy_cache krdsh_nexus;
|
||||||
|
proxy_cache_key $uri$is_args$args;
|
||||||
|
proxy_cache_valid 200 1h;
|
||||||
|
proxy_cache_valid 30s;
|
||||||
|
proxy_ignore_client_abort on;
|
||||||
|
expires 2h;
|
||||||
|
|
||||||
|
## quirks
|
||||||
|
proxy_method GET;
|
||||||
|
proxy_buffering on;
|
||||||
|
proxy_temp_file_write_size 4m;
|
||||||
|
}
|
||||||
|
|
||||||
|
## quirks
|
||||||
|
chunked_transfer_encoding off;
|
||||||
|
}
|
70
site.avail/http-nodejs-org.krd.sh.conf
Normal file
70
site.avail/http-nodejs-org.krd.sh.conf
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
proxy_cache_path
|
||||||
|
/var/cache/angie/proxy/nodejs-org
|
||||||
|
keys_zone=nodejs_org:10m
|
||||||
|
levels=1:2 inactive=1h;
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name nodejs-org.krd.sh;
|
||||||
|
|
||||||
|
include snip.d/listen-https;
|
||||||
|
include snip.d/ssl-krd.sh;
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
root /var/www/empty;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files /.non-existent-uri @redirect;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~* \.(?:7z|exe|exp|gz|lib|msi|pkg|tgz|xz|zip)$
|
||||||
|
{
|
||||||
|
try_files /.non-existent-uri @redirect;
|
||||||
|
}
|
||||||
|
|
||||||
|
## merely quirk
|
||||||
|
location ~* ^/(?:dist|download)$
|
||||||
|
{
|
||||||
|
return 301 $scheme://$server_name$uri/;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~/$
|
||||||
|
~*^/(?:dist|download)/
|
||||||
|
{
|
||||||
|
try_files /.non-existent-uri @download;
|
||||||
|
}
|
||||||
|
|
||||||
|
proxy_set_header Accept "*/*";
|
||||||
|
proxy_set_header User-Agent "angie/$angie_version";
|
||||||
|
|
||||||
|
include snip.d/proxy-common-headers;
|
||||||
|
include snip.d/proxy-accept-encoding;
|
||||||
|
include snip.d/proxy-connection-close;
|
||||||
|
|
||||||
|
location @redirect {
|
||||||
|
return 301 https://nodejs.org$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
location @download {
|
||||||
|
proxy_pass https://nodejs.org$uri$is_args$args;
|
||||||
|
|
||||||
|
proxy_redirect https://nodejs.org $scheme://$server_name;
|
||||||
|
|
||||||
|
proxy_cache nodejs_org;
|
||||||
|
proxy_cache_key $uri$is_args$args;
|
||||||
|
proxy_cache_valid 200 1h;
|
||||||
|
proxy_cache_valid 30s;
|
||||||
|
proxy_ignore_client_abort on;
|
||||||
|
|
||||||
|
proxy_ignore_headers Cache-Control;
|
||||||
|
proxy_hide_header Cache-Control;
|
||||||
|
expires 30m;
|
||||||
|
|
||||||
|
## quirks
|
||||||
|
chunked_transfer_encoding off;
|
||||||
|
proxy_method GET;
|
||||||
|
proxy_buffering on;
|
||||||
|
proxy_temp_file_write_size 4m;
|
||||||
|
}
|
||||||
|
}
|
5
snip.d/area-internal
Normal file
5
snip.d/area-internal
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
## always sourced by snip.d/deny-dotfiles
|
||||||
|
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
internal;
|
17
snip.d/common-fastcgi
Normal file
17
snip.d/common-fastcgi
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
## always sourced by snip.d/common-fcgiwrap
|
||||||
|
|
||||||
|
try_files $fastcgi_script_name =444;
|
||||||
|
|
||||||
|
## KrD: do not pass Accept-Encoding to backend
|
||||||
|
fastcgi_param HTTP_ACCEPT_ENCODING "";
|
||||||
|
|
||||||
|
## bypass the fact that try_files resets $fastcgi_path_info
|
||||||
|
## see: https://trac.nginx.org/nginx/ticket/321
|
||||||
|
set $path_info $fastcgi_path_info;
|
||||||
|
fastcgi_param PATH_INFO $path_info;
|
||||||
|
|
||||||
|
fastcgi_param AUTH_USER $remote_user;
|
||||||
|
fastcgi_param REMOTE_USER $remote_user;
|
||||||
|
fastcgi_param HTTP_HOST $host;
|
||||||
|
|
||||||
|
include fastcgi.conf;
|
3
snip.d/common-fcgiwrap
Normal file
3
snip.d/common-fcgiwrap
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
fastcgi_pass unix:/run/fcgiwrap.socket;
|
||||||
|
|
||||||
|
include snip.d/common-fastcgi;
|
3
snip.d/deny-dotfiles
Normal file
3
snip.d/deny-dotfiles
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
location ~ /\. {
|
||||||
|
include snip.d/area-internal;
|
||||||
|
}
|
4
snip.d/empty-favicon
Normal file
4
snip.d/empty-favicon
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
location = /favicon.ico {
|
||||||
|
empty_gif;
|
||||||
|
expires 1d;
|
||||||
|
}
|
3
snip.d/grpc-accept-encoding
Normal file
3
snip.d/grpc-accept-encoding
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
## always sourced by conf.d/http-grpc-accept-encoding.conf
|
||||||
|
|
||||||
|
grpc_set_header Accept-Encoding "";
|
13
snip.d/http-base-security-headers
Normal file
13
snip.d/http-base-security-headers
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
## always sourced by include snip.d/http-security-headers
|
||||||
|
|
||||||
|
include snip.d/http-proxy-hide-security-headers;
|
||||||
|
|
||||||
|
add_header X-XSS-Protection "1; mode=block" always;
|
||||||
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
|
# add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||||
|
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
add_header Permissions-Policy "interest-cohort=()" always;
|
||||||
|
|
||||||
|
## obsolete
|
||||||
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
44
snip.d/http-proxy-hide-security-headers
Normal file
44
snip.d/http-proxy-hide-security-headers
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
## always sourced by include snip.d/http-base-security-headers
|
||||||
|
|
||||||
|
proxy_hide_header X-XSS-Protection;
|
||||||
|
fastcgi_hide_header X-XSS-Protection;
|
||||||
|
grpc_hide_header X-XSS-Protection;
|
||||||
|
scgi_hide_header X-XSS-Protection;
|
||||||
|
uwsgi_hide_header X-XSS-Protection;
|
||||||
|
|
||||||
|
proxy_hide_header X-Content-Type-Options;
|
||||||
|
fastcgi_hide_header X-Content-Type-Options;
|
||||||
|
grpc_hide_header X-Content-Type-Options;
|
||||||
|
scgi_hide_header X-Content-Type-Options;
|
||||||
|
uwsgi_hide_header X-Content-Type-Options;
|
||||||
|
|
||||||
|
proxy_hide_header Referrer-Policy;
|
||||||
|
fastcgi_hide_header Referrer-Policy;
|
||||||
|
grpc_hide_header Referrer-Policy;
|
||||||
|
scgi_hide_header Referrer-Policy;
|
||||||
|
uwsgi_hide_header Referrer-Policy;
|
||||||
|
|
||||||
|
proxy_hide_header Strict-Transport-Security;
|
||||||
|
fastcgi_hide_header Strict-Transport-Security;
|
||||||
|
grpc_hide_header Strict-Transport-Security;
|
||||||
|
scgi_hide_header Strict-Transport-Security;
|
||||||
|
uwsgi_hide_header Strict-Transport-Security;
|
||||||
|
|
||||||
|
proxy_hide_header Permissions-Policy;
|
||||||
|
fastcgi_hide_header Permissions-Policy;
|
||||||
|
grpc_hide_header Permissions-Policy;
|
||||||
|
scgi_hide_header Permissions-Policy;
|
||||||
|
uwsgi_hide_header Permissions-Policy;
|
||||||
|
|
||||||
|
proxy_hide_header Content-Security-Policy;
|
||||||
|
fastcgi_hide_header Content-Security-Policy;
|
||||||
|
grpc_hide_header Content-Security-Policy;
|
||||||
|
scgi_hide_header Content-Security-Policy;
|
||||||
|
uwsgi_hide_header Content-Security-Policy;
|
||||||
|
|
||||||
|
## obsolete
|
||||||
|
proxy_hide_header X-Frame-Options;
|
||||||
|
fastcgi_hide_header X-Frame-Options;
|
||||||
|
grpc_hide_header X-Frame-Options;
|
||||||
|
scgi_hide_header X-Frame-Options;
|
||||||
|
uwsgi_hide_header X-Frame-Options;
|
3
snip.d/http-security-headers
Normal file
3
snip.d/http-security-headers
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
include snip.d/http-base-security-headers;
|
||||||
|
|
||||||
|
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval' ; frame-ancestors 'self';" always;
|
3
snip.d/https-alt-svc
Normal file
3
snip.d/https-alt-svc
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
## always sourced by snip.d/listen-https
|
||||||
|
|
||||||
|
add_header Alt-Svc 'h3=":443"; ma=3600, h2=":443"; ma=3600' always;
|
3
snip.d/listen-grpcs
Normal file
3
snip.d/listen-grpcs
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
listen 444 ssl;
|
||||||
|
listen 444 quic;
|
||||||
|
http2 on;
|
1
snip.d/listen-http
Normal file
1
snip.d/listen-http
Normal file
@ -0,0 +1 @@
|
|||||||
|
listen 80;
|
5
snip.d/listen-https
Normal file
5
snip.d/listen-https
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
listen 443 ssl;
|
||||||
|
listen 443 quic;
|
||||||
|
http2 on;
|
||||||
|
|
||||||
|
include snip.d/https-alt-svc;
|
3
snip.d/proxy-accept-encoding
Normal file
3
snip.d/proxy-accept-encoding
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
## always sourced by conf.d/http-proxy.conf
|
||||||
|
|
||||||
|
proxy_set_header Accept-Encoding "";
|
9
snip.d/proxy-common-headers
Normal file
9
snip.d/proxy-common-headers
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
## always sourced by conf.d/http-proxy.conf
|
||||||
|
|
||||||
|
## $proxy_add_forwarded is defined in conf.d/http-proxy.conf
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header Forwarded $proxy_add_forwarded;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Forwarded-Host $host;
|
||||||
|
proxy_set_header X-Forwarded-Port $server_port;
|
2
snip.d/proxy-connection-close
Normal file
2
snip.d/proxy-connection-close
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
proxy_set_header Connection close;
|
||||||
|
proxy_set_header Upgrade "";
|
3
snip.d/proxy-connection-keepalive
Normal file
3
snip.d/proxy-connection-keepalive
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
## $conn_upgrade_keepalive is defined in conf.d/http-proxy.conf
|
||||||
|
proxy_set_header Connection $conn_upgrade_keepalive;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
5
snip.d/proxy-connection-upgrade
Normal file
5
snip.d/proxy-connection-upgrade
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
## always sourced by conf.d/http-proxy.conf
|
||||||
|
|
||||||
|
## $conn_upgrade_unset is defined in conf.d/http-proxy.conf
|
||||||
|
proxy_set_header Connection $conn_upgrade_unset;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
3
snip.d/proxy-early-data
Normal file
3
snip.d/proxy-early-data
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
## always sourced by conf.d/http-proxy.conf
|
||||||
|
|
||||||
|
proxy_set_header Early-Data $ssl_early_data;
|
4
snip.d/robots-txt
Normal file
4
snip.d/robots-txt
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
location = /robots.txt {
|
||||||
|
try_files /.robots.txt /robots.txt =404;
|
||||||
|
log_not_found off;
|
||||||
|
}
|
3
snip.d/ssl-krd.sh
Normal file
3
snip.d/ssl-krd.sh
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
ssl_certificate /etc/letsencrypt/live/krd.sh/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/krd.sh/privkey.pem;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/krd.sh/chain.pem;
|
5
snip.d/tls-common
Normal file
5
snip.d/tls-common
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
ssl_session_timeout 7m;
|
||||||
|
ssl_session_tickets off;
|
||||||
|
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
11
snip.d/tls-intermediate
Normal file
11
snip.d/tls-intermediate
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
## always sourced by conf.d/http-ssl.conf
|
||||||
|
|
||||||
|
include snip.d/tls-common;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_session_cache shared:tls-intermediate:10m;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
||||||
|
|
||||||
|
## openssl genpkey -genparam -algorithm DH -out /etc/angie/tls/ffdhe2048.pem -pkeyopt group:ffdhe2048
|
||||||
|
ssl_dhparam /etc/angie/tls/ffdhe2048.pem;
|
6
snip.d/tls-modern
Normal file
6
snip.d/tls-modern
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
include snip.d/tls-common;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1.3;
|
||||||
|
ssl_session_cache shared:ssl-modern:10m;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
ssl_early_data on;
|
9
snip.d/tls-old
Normal file
9
snip.d/tls-old
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
include snip.d/tls-common;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||||
|
ssl_session_cache shared:tls-old:10m;
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
|
||||||
|
|
||||||
|
## openssl genpkey -genparam -algorithm DH -out /etc/angie/tls/dh1024.pem -pkeyopt dh_paramgen_prime_len:1024
|
||||||
|
ssl_dhparam /etc/angie/tls/dh1024.pem;
|
4
stream.conf
Normal file
4
stream.conf
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
stream {
|
||||||
|
include conf.d/stream-*.conf;
|
||||||
|
include site.d/stream-*.conf;
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user