From 925db2c86469c252aa7f300e11d6ea40b047688e Mon Sep 17 00:00:00 2001 
From: Michael Date: Mon, 4 Nov 2024 17:09:00 +0000 Subject: [PATCH] Initial Configuration --- dhparam.txt | 8 ++ http.d/auth.shad.moe | 65 ++++++++++++++ http.d/axoblu.konpeki.solutions | 75 ++++++++++++++++ http.d/dash.shad.moe | 41 +++++++++ http.d/default.conf | 17 ++++ http.d/docs.shad.moe | 65 ++++++++++++++ http.d/git.shad.moe | 65 ++++++++++++++ http.d/graph.shad.moe | 68 ++++++++++++++ http.d/internal.shad.moe | 22 +++++ http.d/konpeki.solutions | 71 +++++++++++++++ http.d/link.gpoc.konpeki.solutions | 51 +++++++++++ http.d/map.gpoc.konpeki.solutions | 56 ++++++++++++ http.d/nxt.shad.moe | 87 ++++++++++++++++++ http.d/play.gpoc-modded.konpeki.solutions | 45 ++++++++++ http.d/play.gpoc.konpeki.solutions | 51 +++++++++++ http.d/rss.shad.moe | 57 ++++++++++++ http.d/theshadoweevee.konpeki.solutions | 75 ++++++++++++++++ http.d/vault.shad.moe | 49 ++++++++++ http.d/wc.konpeki.solutions | 71 +++++++++++++++ mime.types | 99 +++++++++++++++++++++ nginx.conf | 103 ++++++++++++++++++++++ snippets/http-cat-error-pages.conf | 29 ++++++ 22 files changed, 1270 insertions(+) create mode 100644 dhparam.txt create mode 100644 http.d/auth.shad.moe create mode 100644 http.d/axoblu.konpeki.solutions create mode 100644 http.d/dash.shad.moe create mode 100644 http.d/default.conf create mode 100644 http.d/docs.shad.moe create mode 100644 http.d/git.shad.moe create mode 100644 http.d/graph.shad.moe create mode 100644 http.d/internal.shad.moe create mode 100644 http.d/konpeki.solutions create mode 100644 http.d/link.gpoc.konpeki.solutions create mode 100644 http.d/map.gpoc.konpeki.solutions create mode 100644 http.d/nxt.shad.moe create mode 100644 http.d/play.gpoc-modded.konpeki.solutions create mode 100644 http.d/play.gpoc.konpeki.solutions create mode 100644 http.d/rss.shad.moe create mode 100644 http.d/theshadoweevee.konpeki.solutions create mode 100644 http.d/vault.shad.moe create mode 100644 http.d/wc.konpeki.solutions create mode 100644 mime.types create mode 100644 
nginx.conf create mode 100644 snippets/http-cat-error-pages.conf
diff --git a/dhparam.txt b/dhparam.txt
new file mode 100644
index 0000000..9b182b7
--- /dev/null
+++ b/dhparam.txt
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/http.d/auth.shad.moe b/http.d/auth.shad.moe
new file mode 100644
index 0000000..5040c9d
--- /dev/null
+++ b/http.d/auth.shad.moe
@@ -0,0 +1,65 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream authentik {
+ server 192.168.1.205:9443;
+ keepalive 10;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name auth.shad.moe www.auth.shad.moe;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ http2 on;
+
+ server_name auth.shad.moe www.auth.shad.moe;
+
+ ssl_certificate /etc/letsencrypt/live/auth.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/auth.shad.moe/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/dhparam.txt;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ include snippets/http-cat-error-pages.conf;
+
+ location / {
+ proxy_pass https://authentik;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/graph.shad.moe/fullchain.pem;
+
+ # replace with the IP address of your resolver
+ #resolver 127.0.0.1; # Defined in error pages
+
+}
diff --git a/http.d/axoblu.konpeki.solutions b/http.d/axoblu.konpeki.solutions
new file mode 100644
index 0000000..bc33f5e
--- /dev/null
+++ b/http.d/axoblu.konpeki.solutions
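Review bot: `ssl_trusted_certificate` in the 443 server points at `/etc/letsencrypt/live/graph.shad.moe/fullchain.pem` while every other path in this vhost uses the `auth.shad.moe` lineage, so OCSP stapling verification for this host is tied to another site's certificate and renewal cycle; it should read `ssl_trusted_certificate /etc/letsencrypt/live/auth.shad.moe/fullchain.pem;`. Separately, `proxy_pass https://authentik;` forwards to the backend over TLS with nginx's default of not verifying the upstream certificate, so that hop is encrypted but not authenticated; if the backend presents a verifiable certificate, add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path-to-upstream-ca>;` and `proxy_ssl_name <upstream-cert-name>;` (placeholders) to the location. The same unverified-upstream pattern is `proxy_pass https://192.168.1.66;` in `http.d/nxt.shad.moe`. Whether either backend's certificate can actually be verified is not visible in this commit.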
@@ -0,0 +1,75 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+#upstream bsky {
+# server 100.64.4.102:3000;
+#}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name axoblu.konpeki.solutions;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ http2 on;
+
+ server_name axoblu.konpeki.solutions;
+
+ ssl_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/konpeki.solutions/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/dhparam.txt;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ include snippets/http-cat-error-pages.conf;
+
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ location / {
+ rewrite / https://bsky.app/profile/did:plc:qxrvqly74uzia6d5pwgwjxb5 break;
+ return 404;
+ }
+
+ location /xrpc {
+ proxy_pass http://bsky;
+ }
+
+ location = /.well-known/atproto-did {
+ root /var/www/bsky/axoblu/;
+ default_type text/plain;
+ }
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
+
+ # replace with the IP address of your resolver
+ #resolver 127.0.0.1; # Defined in error pages
+
+}
diff --git a/http.d/dash.shad.moe b/http.d/dash.shad.moe
new file mode 100644
index 0000000..33de055
--- /dev/null
+++ b/http.d/dash.shad.moe
@@ -0,0 +1,41 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name dash.shad.moe www.dash.shad.moe;
+ if ($host = dash.shad.moe) {
+ return 301 https://$host$request_uri;
+ }
+ return 404;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ http2 on;
+
+ server_name dash.shad.moe www.dash.shad.moe;
+
+ ssl_certificate /etc/letsencrypt/live/dash.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dash.shad.moe/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ client_max_body_size 525M;
+
+ include snippets/http-cat-error-pages.conf;
+
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://192.168.1.210:3000;
+ }
+}
diff --git a/http.d/default.conf b/http.d/default.conf
new file mode 100644
index 0000000..4704a69
--- /dev/null
+++ b/http.d/default.conf
@@ -0,0 +1,17 @@
+# This is a default site configuration which will simply return 404, preventing
+# chance access to any other virtualhost.
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # Everything is a 404
+ location / {
+ return 404;
+ }
+
+ # You may need this to prevent return 404 recursion.
+ location = /404.html {
+ internal;
+ }
+}
diff --git a/http.d/docs.shad.moe b/http.d/docs.shad.moe
new file mode 100644
index 0000000..88fb0fa
--- /dev/null
+++ b/http.d/docs.shad.moe
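Review bot: In `location /`, `rewrite / https://bsky.app/profile/did:plc:qxrvqly74uzia6d5pwgwjxb5 break;` uses an absolute-URL replacement, which makes nginx answer with a 302 redirect at the rewrite itself, so the `break` flag has no effect and the following `return 404;` is unreachable; `return 302 https://bsky.app/profile/did:plc:qxrvqly74uzia6d5pwgwjxb5;` states the intent in one line. `location /xrpc` proxies to `bsky`, but the `upstream bsky` block in this file is commented out, so the name presumably resolves to the upstream declared in `http.d/konpeki.solutions` within the same `http` context; a comment such as `# upstream bsky is declared in http.d/konpeki.solutions` would make that cross-file dependency visible, since deleting that file would break this vhost at reload. `http.d/theshadoweevee.konpeki.solutions` and `http.d/wc.konpeki.solutions` carry the same commented-out upstream and `/xrpc` proxy, and the first of them the same rewrite pattern.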
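Review bot: The 443 server in `http.d/dash.shad.moe` has none of the hardening the other vhosts in this commit apply — no `add_header Strict-Transport-Security "max-age=63072000" always;`, no `ssl_session_*` settings and no `ssl_dhparam` — so browsers are never told to pin HTTPS for this host. The port-80 server also redirects only when `$host = dash.shad.moe` and answers 404 for `www.dash.shad.moe`, although that name is listed in `server_name`; dropping the `if` in favour of the unconditional `return 301 https://$host$request_uri;` used by the other files would match the declared names. `http.d/vault.shad.moe` has the same two gaps, which weigh more for a password-manager front end.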
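Review bot: `http.d/default.conf` declares `default_server` for port 80 only, so a 443 connection whose SNI or Host matches no `server_name` is handled by whichever `listen 443 ssl` server nginx loads first (include order is not visible here) and receives that site's certificate and proxied backend instead of a 404. Because the configs already rely on `http2 on;` (nginx 1.25.1+), `ssl_reject_handshake` is available and a catch-all 443 server can refuse unmatched names without any certificate.
```nginx
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}
```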
@@ -0,0 +1,65 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream bookstack {
+ server 100.64.2.118;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name docs.shad.moe www.docs.shad.moe;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ http2 on;
+
+ server_name docs.shad.moe www.docs.shad.moe;
+
+ ssl_certificate /etc/letsencrypt/live/docs.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/docs.shad.moe/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/dhparam.txt;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ include snippets/http-cat-error-pages.conf;
+
+ location / {
+ client_max_body_size 512M;
+ proxy_pass http://bookstack;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/docs.shad.moe/fullchain.pem;
+
+ # replace with the IP address of your resolver
+ #resolver 127.0.0.1; # Defined in error pages
+
+}
diff --git a/http.d/git.shad.moe b/http.d/git.shad.moe
new file mode 100644
index 0000000..c4b960b
--- /dev/null
+++ b/http.d/git.shad.moe
@@ -0,0 +1,65 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream gitea {
+ server 192.168.1.215:3000;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name git.shad.moe www.git.shad.moe;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ http2 on;
+
+ server_name git.shad.moe www.git.shad.moe;
+
+ ssl_certificate /etc/letsencrypt/live/git.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git.shad.moe/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/dhparam.txt;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ include snippets/http-cat-error-pages.conf;
+
+ location / {
+ client_max_body_size 512M;
+ proxy_pass http://gitea;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/git.shad.moe/fullchain.pem;
+
+ # replace with the IP address of your resolver
+ #resolver 127.0.0.1; # Defined in error pages
+
+}
diff --git a/http.d/graph.shad.moe b/http.d/graph.shad.moe
new file mode 100644
index 0000000..8d37f1b
--- /dev/null
+++ b/http.d/graph.shad.moe
@@ -0,0 +1,68 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream grafana {
+ server 192.168.1.200:3000;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name graph.shad.moe www.graph.shad.moe;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ http2 on;
+
+ server_name graph.shad.moe www.graph.shad.moe;
+
+ ssl_certificate /etc/letsencrypt/live/graph.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/graph.shad.moe/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/dhparam.txt;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ include snippets/http-cat-error-pages.conf;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_pass http://grafana;
+ }
+
+ # Proxy Grafana Live WebSocket connections.
+ location /api/live/ {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ proxy_pass http://grafana;
+ }
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/graph.shad.moe/fullchain.pem;
+
+ # replace with the IP address of your resolver
+ #resolver 127.0.0.1; # Defined in error pages
+
+}
diff --git a/http.d/internal.shad.moe b/http.d/internal.shad.moe
new file mode 100644
index 0000000..cb31165
--- /dev/null
+++ b/http.d/internal.shad.moe
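Review bot: Both `location /` and `location /api/live/` pass only `Host` (plus the upgrade headers) to grafana, so the backend sees nginx's own address as the client on every request and its logs or any address-based rate limiting cannot tell clients apart. Adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` to each location, as the other vhosts in this commit do, restores the client address; whether the backend is configured to trust those headers is not visible here.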
@@ -0,0 +1,22 @@
+server {
+ listen 443 ssl;
+ server_name internal.shad.moe;
+ ssl_certificate /etc/letsencrypt/live/internal.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/internal.shad.moe/privkey.pem;
+ #ssl_protocols TLSv1.2 TLSv1.3;
+ #ssl_ciphers HIGH:!aNULL:!MD5;
+
+ root /var/www/internal-page-wall;
+
+ location / {
+ index index.htm index.html;
+ }
+}
+
+server {
+ listen 443 ssl;
+ server_name *.internal.shad.moe;
+ ssl_certificate /etc/letsencrypt/live/internal.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/internal.shad.moe/privkey.pem;
+ return 302 https://internal.shad.moe;
+}
diff --git a/http.d/konpeki.solutions b/http.d/konpeki.solutions
new file mode 100644
index 0000000..283fbbc
--- /dev/null
+++ b/http.d/konpeki.solutions
@@ -0,0 +1,71 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream bsky {
+ server 100.64.4.102:3000;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name konpeki.solutions www.konpeki.solutions;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ http2 on;
+
+ server_name konpeki.solutions www.konpeki.solutions;
+
+ ssl_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/konpeki.solutions/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/dhparam.txt;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ include snippets/http-cat-error-pages.conf;
+
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ location / {
+ client_max_body_size 512M;
+ #proxy_pass http://100.64.4.102;
+ return 404;
+ }
+
+ location /xrpc {
+ proxy_pass http://bsky;
+ }
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
+
+ # replace with the IP address of your resolver
+ #resolver 127.0.0.1; # Defined in error pages
+
+}
diff --git a/http.d/link.gpoc.konpeki.solutions b/http.d/link.gpoc.konpeki.solutions
new file mode 100644
index 0000000..f02cc73
--- /dev/null
+++ b/http.d/link.gpoc.konpeki.solutions
@@ -0,0 +1,51 @@
+server {
+ listen 80;
+ server_name link.gpoc.konpeki.solutions;
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name link.gpoc.konpeki.solutions;
+
+ http2 on;
+
+ # allow larger file uploads and longer script runtimes
+ client_max_body_size 100m;
+ client_body_timeout 120s;
+
+ sendfile off;
+
+ ssl_certificate /etc/letsencrypt/live/link.gpoc.konpeki.solutions/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/link.gpoc.konpeki.solutions/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ ssl_prefer_server_ciphers on;
+
+ # See https://hstspreload.org/ before uncommenting the line below.
+ # add_header Strict-Transport-Security "max-age=15768000; preload;";
+ #add_header X-Content-Type-Options nosniff;
+ #add_header X-XSS-Protection "1; mode=block";
+ #add_header X-Robots-Tag none;
+ #add_header Content-Security-Policy "frame-ancestors 'self'";
+ #add_header X-Frame-Options DENY;
+ #add_header Referrer-Policy same-origin;
+ add_header Access-Control-Allow-Origin *;
+ proxy_set_header Content-Security-Policy upgrade-insecure-requests;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ location / {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_pass http://100.64.4.100:8080/;
+ }
+
+
+}
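Review bot: `proxy_set_header Content-Security-Policy upgrade-insecure-requests;` sets a request header towards the upstream, where a CSP has no meaning; CSP is a response header, so if the goal is to have browsers upgrade mixed content it has to be `add_header Content-Security-Policy "upgrade-insecure-requests" always;`. In `location /` the WebSocket headers are sent with `proxy_set_header Connection "Upgrade";` on every request and without `proxy_http_version 1.1;`, so plain requests also tell the upstream to upgrade while nginx's WebSocket proxying requires HTTP/1.1 to the backend; the `proxy_http_version 1.1;` / `proxy_set_header Connection $connection_upgrade;` pair used by the other vhosts is the fix (the `$connection_upgrade` map is declared in sibling files of the same `http` block, not in this one). `add_header Access-Control-Allow-Origin *;` lets any origin read responses from this host, which is only safe if nothing served here depends on the browser's session or cookies. `http.d/play.gpoc.konpeki.solutions` is line-for-line the same apart from the host name and shares all three points.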
diff --git a/http.d/map.gpoc.konpeki.solutions b/http.d/map.gpoc.konpeki.solutions
new file mode 100644
index 0000000..afddebc
--- /dev/null
+++ b/http.d/map.gpoc.konpeki.solutions
@@ -0,0 +1,56 @@
+proxy_cache_path /var/www/cache levels=1:2 keys_zone=map:8m max_size=1g inactive=24h;
+
+server {
+ listen 80;
+ server_name map.gpoc.konpeki.solutions;
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name map.gpoc.konpeki.solutions;
+
+ http2 on;
+
+ # allow larger file uploads and longer script runtimes
+ #client_max_body_size 100m;
+ #client_body_timeout 120s;
+
+ #sendfile off;
+
+ ssl_certificate /etc/letsencrypt/live/map.gpoc.konpeki.solutions/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/map.gpoc.konpeki.solutions/privkey.pem;
+ #ssl_protocols TLSv1.2 TLSv1.3;
+ #ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES2>
+ #ssl_prefer_server_ciphers on;
+
+ # See https://hstspreload.org/ before uncommenting the line below.
+ # add_header Strict-Transport-Security "max-age=15768000; preload;";
+ #add_header X-Content-Type-Options nosniff;
+ #add_header X-XSS-Protection "1; mode=block";
+ #add_header X-Robots-Tag none;
+ #add_header Content-Security-Policy "frame-ancestors 'self'";
+ #add_header X-Frame-Options DENY;
+ #add_header Referrer-Policy same-origin;
+ #add_header Access-Control-Allow-Origin *;
+ #proxy_set_header Content-Security-Policy upgrade-insecure-requests;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ location / {
+ proxy_pass http://100.64.4.100:8123/;
+ proxy_set_header Host $host;
+ proxy_cache map;
+ proxy_cache_key "$host$uri";
+ proxy_cache_valid 200 302 60m;
+ proxy_cache_valid 404 10m;
+ proxy_cache_use_stale error timeout invalid_header updating http_500 http_503 http_504;
+ proxy_connect_timeout 10;
+ }
+}
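Review bot: `proxy_cache map;` in `location /` is combined with the server-level `proxy_buffering off;`; nginx only writes upstream responses into the cache while it buffers them, so as far as I can tell the cache is never populated and every request still reaches 100.64.4.100:8123 — logging `$upstream_cache_status` would confirm before relying on it. If caching is kept, `proxy_cache_key "$host$uri"` ignores the query string, so two URLs that differ only after `?` share one cache entry; `proxy_cache_key "$host$uri$is_args$args";` is the usual key. `proxy_cache_path /var/www/cache` also puts cached upstream bodies under the same `/var/www` tree the other vhosts use as document roots; a dedicated directory such as `/var/cache/nginx` keeps them out of any web root.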
diff --git a/http.d/nxt.shad.moe b/http.d/nxt.shad.moe
new file mode 100644
index 0000000..6effe54
--- /dev/null
+++ b/http.d/nxt.shad.moe
@@ -0,0 +1,87 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name nxt.shad.moe www.nxt.shad.moe;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ http2 on;
+
+ # http3 on;
+ # quic_retry on;
+ # add_header Alt-Svc 'h3=":443"; ma=86400';
+ # listen 443 quic reuseport;
+ # listen [::]:443 quic reuseport;
+
+ server_name nxt.shad.moe www.nxt.shad.moe;
+
+ ssl_certificate /etc/letsencrypt/live/nxt.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/nxt.shad.moe/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/dhparam.txt;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # Set .mjs and .wasm MIME types
+ # Either include it in the default mime.types list
+ # and include that list explicitly or add the file extension
+ # only for Nextcloud like below:
+ include mime.types;
+
+ #types {
+ # text/javascript js mjs;
+ # application/wasm wasm;
+ #}
+
+ include snippets/http-cat-error-pages.conf;
+
+ location / {
+ proxy_pass https://192.168.1.66;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Scheme $scheme;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Accept-Encoding "";
+ proxy_set_header Host $host;
+
+ client_body_buffer_size 512k;
+ proxy_read_timeout 86400s;
+ client_max_body_size 0;
+
+ # Websocket
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/nxt.shad.moe/fullchain.pem;
+
+ # replace with the IP address of your resolver
+ #resolver 127.0.0.1; # Defined in error pages
+
+}
diff --git a/http.d/play.gpoc-modded.konpeki.solutions b/http.d/play.gpoc-modded.konpeki.solutions
new file mode 100644
index 0000000..81c1ffd
--- /dev/null
+++ b/http.d/play.gpoc-modded.konpeki.solutions
@@ -0,0 +1,45 @@
+server {
+ listen 80;
+ server_name play.gpoc-modded.konpeki.solutions;
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name play.gpoc-modded.konpeki.solutions;
+
+ http2 on;
+
+ # allow larger file uploads and longer script runtimes
+ client_max_body_size 100m;
+ client_body_timeout 120s;
+
+ sendfile off;
+
+ ssl_certificate /etc/letsencrypt/live/play.gpoc-modded.konpeki.solutions/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/play.gpoc-modded.konpeki.solutions/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ ssl_prefer_server_ciphers on;
+
+ # See https://hstspreload.org/ before uncommenting the line below.
+ # add_header Strict-Transport-Security "max-age=15768000; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header Content-Security-Policy "frame-ancestors 'self'";
+ add_header X-Frame-Options DENY;
+ add_header Referrer-Policy same-origin;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ location / {
+ proxy_pass http://100.64.4.102;
+ }
+}
diff --git a/http.d/play.gpoc.konpeki.solutions b/http.d/play.gpoc.konpeki.solutions
new file mode 100644
index 0000000..3e0308d
--- /dev/null
+++ b/http.d/play.gpoc.konpeki.solutions
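Review bot: The `add_header` lines for `X-Content-Type-Options`, `Content-Security-Policy`, `X-Frame-Options` and `Referrer-Policy` lack the `always` parameter, so nginx attaches them only to 2xx/3xx responses and an upstream 4xx/5xx leaves without them; `add_header X-Frame-Options DENY always;` and likewise for the others closes that gap. HSTS is still commented out here while the `shad.moe` vhosts in this commit send `add_header Strict-Transport-Security "max-age=63072000" always;`; the comment's caution applies to the `preload` token, not to enabling the header itself.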
@@ -0,0 +1,51 @@
+server {
+ listen 80;
+ server_name play.gpoc.konpeki.solutions;
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name play.gpoc.konpeki.solutions;
+
+ http2 on;
+
+ # allow larger file uploads and longer script runtimes
+ client_max_body_size 100m;
+ client_body_timeout 120s;
+
+ sendfile off;
+
+ ssl_certificate /etc/letsencrypt/live/play.gpoc.konpeki.solutions/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/play.gpoc.konpeki.solutions/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ ssl_prefer_server_ciphers on;
+
+ # See https://hstspreload.org/ before uncommenting the line below.
+ # add_header Strict-Transport-Security "max-age=15768000; preload;";
+ #add_header X-Content-Type-Options nosniff;
+ #add_header X-XSS-Protection "1; mode=block";
+ #add_header X-Robots-Tag none;
+ #add_header Content-Security-Policy "frame-ancestors 'self'";
+ #add_header X-Frame-Options DENY;
+ #add_header Referrer-Policy same-origin;
+ add_header Access-Control-Allow-Origin *;
+ proxy_set_header Content-Security-Policy upgrade-insecure-requests;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ location / {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_pass http://100.64.4.100:8080/;
+ }
+
+
+}
diff --git a/http.d/rss.shad.moe b/http.d/rss.shad.moe
new file mode 100644
index 0000000..e5206e3
--- /dev/null
+++ b/http.d/rss.shad.moe
@@ -0,0 +1,57 @@
+upstream freshrss {
+ server 192.168.1.219:8080;
+ keepalive 64;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name rss.shad.moe www.rss.shad.moe;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ server_name rss.shad.moe www.rss.shad.moe;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ http2 on;
+
+ ssl_certificate /etc/letsencrypt/live/rss.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/rss.shad.moe/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/dhparam.txt;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ include snippets/http-cat-error-pages.conf;
+
+ location / {
+ proxy_pass http://freshrss/;
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-XSS-Protection "1; mode=block";
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_read_timeout 90;
+
+ # Forward the Authorization header for the Google Reader API.
+ proxy_set_header Authorization $http_authorization;
+ proxy_pass_header Authorization;
+ }
+}
diff --git a/http.d/theshadoweevee.konpeki.solutions b/http.d/theshadoweevee.konpeki.solutions
new file mode 100644
index 0000000..335230c
--- /dev/null
+++ b/http.d/theshadoweevee.konpeki.solutions
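Review bot: The `add_header X-Frame-Options SAMEORIGIN;` and `add_header X-XSS-Protection "1; mode=block";` lines inside `location /` replace, rather than extend, the server-level `add_header Strict-Transport-Security ...` — nginx inherits `add_header` from the enclosing level only when the current level declares none — so every response served through `/` leaves without HSTS. Repeating `add_header Strict-Transport-Security "max-age=63072000" always;` inside the location, or moving the two frame/XSS headers up to server level, restores it. `proxy_pass_header Authorization;` is a no-op here: that directive un-hides upstream response headers, whereas the client's `Authorization` request header is already forwarded by the `proxy_set_header Authorization $http_authorization;` line above it.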
@@ -0,0 +1,75 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+#upstream bsky {
+# server 100.64.4.102:3000;
+#}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name theshadoweevee.konpeki.solutions;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ http2 on;
+
+ server_name theshadoweevee.konpeki.solutions;
+
+ ssl_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/konpeki.solutions/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/dhparam.txt;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ include snippets/http-cat-error-pages.conf;
+
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ location / {
+ rewrite / https://bsky.app/profile/did:plc:krbzbucjaj76xjob6ju47ilo break;
+ return 404;
+ }
+
+ location /xrpc {
+ proxy_pass http://bsky;
+ }
+
+ location = /.well-known/atproto-did {
+ root /var/www/bsky/theshadoweevee/;
+ default_type text/plain;
+ }
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
+
+ # replace with the IP address of your resolver
+ #resolver 127.0.0.1; # Defined in error pages
+
+}
diff --git a/http.d/vault.shad.moe b/http.d/vault.shad.moe
new file mode 100644
index 0000000..9f1d6dc
--- /dev/null
+++ b/http.d/vault.shad.moe
@@ -0,0 +1,49 @@
+upstream vaultwarden-default {
+ zone vaultwarden-default 64k;
+ server 192.168.1.209:8000;
+ keepalive 2;
+}
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+server {
+ listen 80;
+ listen [::]:80;
+ server_name vault.shad.moe www.vault.shad.moe;
+ if ($host = vault.shad.moe) {
+ return 301 https://$host$request_uri;
+ }
+ return 404;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ http2 on;
+
+ server_name vault.shad.moe www.vault.shad.moe;
+
+ ssl_certificate /etc/letsencrypt/live/vault.shad.moe/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/vault.shad.moe/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ client_max_body_size 525M;
+
+ include snippets/http-cat-error-pages.conf;
+
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://vaultwarden-default;
+ }
+
+ location /admin {
+ return 403;
+ }
+}
diff --git a/http.d/wc.konpeki.solutions b/http.d/wc.konpeki.solutions
new file mode 100644
index 0000000..c57830d
--- /dev/null
+++ b/http.d/wc.konpeki.solutions
@@ -0,0 +1,71 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+#upstream bsky {
+# server 100.64.4.102:3000;
+#}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name *.konpeki.solutions;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ http2 on;
+
+ server_name *.konpeki.solutions;
+
+ ssl_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/konpeki.solutions/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/dhparam.txt;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_prefer_server_ciphers off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ include snippets/http-cat-error-pages.conf;
+
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ location / {
+ client_max_body_size 512M;
+ #proxy_pass http://100.64.4.102;
+ return 404;
+ }
+
+ location /xrpc {
+ proxy_pass http://bsky;
+ }
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
+
+ # replace with the IP address of your resolver
+ #resolver 127.0.0.1; # Defined in error pages
+
+}
diff --git a/mime.types b/mime.types
new file mode 100644
index 0000000..3f0dc72
--- /dev/null
+++ b/mime.types
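Review bot: The `map $http_upgrade $connection_upgrade` at the top of this file is never used: the server block sets `proxy_set_header Connection $http_connection;`, which forwards the client's raw Connection header to the backend, and no `proxy_http_version 1.1;` is set, so the WebSocket upgrade that the Upgrade header hints at cannot complete over the default HTTP/1.0 proxy connection; http.d/theshadoweevee.konpeki.solutions has the identical pair of lines. If `/xrpc` is meant to carry upgrades, set `proxy_http_version 1.1;` and `proxy_set_header Connection $connection_upgrade;` as http.d/vault.shad.moe already does; otherwise drop the map and the Upgrade header so the intent is clear. The wildcard `server_name *.konpeki.solutions;` also makes this the vhost for every subdomain without its own file, which is worth a one-line comment above it so the next reader understands why `/` answers 404.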
@@ -0,0 +1,99 @@
+
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js mjs;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/avif avif;
+ image/png png;
+ image/svg+xml svg svgz;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/webp webp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+
+ font/woff woff;
+ font/woff2 woff2;
+
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.oasis.opendocument.graphics odg;
+ application/vnd.oasis.opendocument.presentation odp;
+ application/vnd.oasis.opendocument.spreadsheet ods;
+ application/vnd.oasis.opendocument.text odt;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation
+ pptx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+ xlsx;
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document
+ docx;
+ application/vnd.wap.wmlc wmlc;
+ application/wasm wasm;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..23e1b1e
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,103 @@
+# /etc/nginx/nginx.conf
+
+user nginx;
+
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /var/log/nginx/error.log warn;
+
+# Includes files with directives to load dynamic modules.
+include /etc/nginx/modules/*.conf;
+
+# Include files with config snippets into the root context.
+include /etc/nginx/conf.d/*;
+
+events {
+ # The maximum number of simultaneous connections that can be opened by
+ # a worker process.
+ worker_connections 1024;
+}
+
+http {
+ # Includes mapping of file name extensions to MIME types of responses
+ # and defines the default type.
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Name servers used to resolve names of upstream servers into addresses.
+ # It's also needed when using tcpsocket and udpsocket in Lua modules.
+ #resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
+
+ # Don't tell nginx version to the clients. Default is 'on'.
+ server_tokens off;
+
+ # Specifies the maximum accepted body size of a client request, as
+ # indicated by the request header Content-Length. If the stated content
+ # length is greater than this size, then the client receives the HTTP
+ # error code 413. Set to 0 to disable. Default is '1m'.
+ client_max_body_size 100m;
+
+ # Sendfile copies data between one FD and other from within the kernel,
+ # which is more efficient than read() + write(). Default is off.
+ sendfile on;
+
+ # Causes nginx to attempt to send its HTTP response head in one packet,
+ # instead of using partial frames. Default is 'off'.
+ tcp_nopush on;
+
+
+ # Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
+ # TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+
+ # Path of the file with Diffie-Hellman parameters for EDH ciphers.
+ # TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
+ #ssl_dhparam /etc/ssl/nginx/dh2048.pem;
+
+ # Specifies that our cipher suits should be preferred over client ciphers.
+ # Default is 'off'.
+ ssl_prefer_server_ciphers on;
+
+ # Enables a shared SSL cache with size that can hold around 8000 sessions.
+ # Default is 'none'.
+ ssl_session_cache shared:SSL:2m;
+
+ # Specifies a time during which a client may reuse the session parameters.
+ # Default is '5m'.
+ ssl_session_timeout 1h;
+
+ # Disable TLS session tickets (they are insecure). Default is 'on'.
+ ssl_session_tickets off;
+
+
+ # Enable gzipping of responses.
+ #gzip on;
+
+ # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+ gzip_vary on;
+
+
+ # Helper variable for proxying websockets.
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+
+ # Specifies the main log format.
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # Sets the path, format, and configuration for a buffered log write.
+ access_log /var/log/nginx/access.log main;
+
+
+ # Includes virtual hosts configs.
+ include /etc/nginx/http.d/*;
+}
diff --git a/snippets/http-cat-error-pages.conf b/snippets/http-cat-error-pages.conf
new file mode 100644
index 0000000..c4af070
--- /dev/null
+++ b/snippets/http-cat-error-pages.conf
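Review bot: `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` in the http block enables TLS 1.1, which the comment directly above it already advises removing; this is the value inherited by any server block that omits its own `ssl_protocols`, and TLS 1.1 is deprecated by RFC 8996. Use `ssl_protocols TLSv1.2 TLSv1.3;` here so the global default matches what every vhost in this commit sets explicitly. `ssl_prefer_server_ciphers on;` likewise contradicts the `off` that the vhost files pair with their cipher list; pick one value and keep it in one place, ideally this file, rather than re-declaring it per vhost.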
@@ -0,0 +1,29 @@
+# ---------- Status Cats Error Pages!!! via: https://http.cat/ ---------
+#
+# requires that a dns resolver be set for nginx as in: resolver 127.0.0.1;
+# typically uses dnsmasq for 127.0.0.1 resolver
+#
+# Usage:
+# place this file somewhere accessible to nginx. /etc/nginx/snippets is a decent choice.
+# then inside the server block(s) you want cat themed error status responses do:
+# include snippets/http-cat-error-pages.conf
+#
+
+#recursive_error_pages on;
+
+# all of the status defined at http.cat AND allowed by nginx to be error_page'd
+#
+#error_page 300 301 302 303 304 305 307 400 401 402 403 404 405 406 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 425 426 429 431 444 450 451 500 501 502 503 506 507 508 509 599 /status-cats-error.html;
+
+location /status-cats-error.html {
+ proxy_pass https://http.cat/$status;
+}
+
+# nginx wont let you use statuses < 300 in return stmts or in error_page stmts, so provide a
+# proxied location to test those....
+#
+location ~ ^/test-status-cats/(?.*)$ {
+ proxy_pass https://http.cat/$cat/;
+}
+
+resolver 100.100.100.100;
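Review bot: `location ~ ^/test-status-cats/(?.*)$` forwards whatever a client puts after `/test-status-cats/` to `https://http.cat/$cat/`, so every vhost that includes this snippet relays arbitrary client-chosen paths to a third-party host; as rendered here the capture group also reads `(?.*)` with no name, so if the committed file really lacks `(?<cat>…)` nginx will reject the regex and `$cat` is never defined. Since the comment calls this a test location, restrict both what it accepts and who may reach it, e.g. `location ~ ^/test-status-cats/(?<cat>\d{3})$ { allow 127.0.0.1; deny all; proxy_pass https://http.cat/$cat/; }`, or keep it out of the production include. The `error_page` directive that would route errors to `/status-cats-error.html` is commented out, so nothing uses that location yet; either uncomment it or note in the header comment that it is disabled on purpose. Both `proxy_pass` targets are HTTPS to a literal host and no `proxy_ssl_server_name on;` is set; whether the upstream needs SNI is not visible from this file, so it is worth checking.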