Initial Configuration

This commit is contained in:
Michael 2024-11-04 17:09:00 +00:00
commit 925db2c864
22 changed files with 1270 additions and 0 deletions

8
dhparam.txt Normal file

@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
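Review bot: This parameter set looks like the standard RFC 7919 ffdhe2048 group (the one the Mozilla TLS configurator distributes) rather than a locally generated one, which is fine: DH group parameters are public, so committing them is not a secret leak. What is missing is a record of where it came from, so a future maintainer does not "rotate" it or replace it with a home-grown group; a one-line provenance note in the repository README (for example `dhparam.txt: ffdhe2048 from RFC 7919, as published by ssl-config.mozilla.org — keep in sync with the ssl_ciphers lists`) would settle that. Note that only the vhosts whose `ssl_ciphers` include DHE suites use this file; docs.shad.moe and rss.shad.moe list no DHE suites, so their `ssl_dhparam` line is inert.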

65
http.d/auth.shad.moe Normal file

@ -0,0 +1,65 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream authentik {
server 192.168.1.205:9443;
keepalive 10;
}
server {
listen 80;
listen [::]:80;
server_name auth.shad.moe www.auth.shad.moe;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name auth.shad.moe www.auth.shad.moe;
ssl_certificate /etc/letsencrypt/live/auth.shad.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/auth.shad.moe/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
include snippets/http-cat-error-pages.conf;
location / {
proxy_pass https://authentik;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/graph.shad.moe/fullchain.pem;
# replace with the IP address of your resolver
#resolver 127.0.0.1; # Defined in error pages
}
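Review bot: `proxy_pass https://authentik` on line 60 speaks TLS to the 192.168.1.205:9443 upstream but never enables certificate verification, and nginx's `proxy_ssl_verify` defaults to off, so the hop that carries every login accepts any certificate the backend presents; add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path to the CA that issued the authentik certificate>;` and `proxy_ssl_server_name on;`, or terminate TLS only at nginx if the upstream certificate is self-signed and not worth managing. The same unverified upstream TLS appears in nxt.shad.moe (`proxy_pass https://192.168.1.66`). Separately, `ssl_trusted_certificate` on line 71 points at graph.shad.moe's chain rather than this site's own; it works today only because both certificates share an issuer chain, and it reads like a copy-paste slip — the other vhosts all reference their own `fullchain.pem`.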


@ -0,0 +1,75 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
#upstream bsky {
# server 100.64.4.102:3000;
#}
server {
listen 80;
listen [::]:80;
server_name axoblu.konpeki.solutions;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name axoblu.konpeki.solutions;
ssl_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/konpeki.solutions/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
include snippets/http-cat-error-pages.conf;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location / {
rewrite / https://bsky.app/profile/did:plc:qxrvqly74uzia6d5pwgwjxb5 break;
return 404;
}
location /xrpc {
proxy_pass http://bsky;
}
location = /.well-known/atproto-did {
root /var/www/bsky/axoblu/;
default_type text/plain;
}
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
# replace with the IP address of your resolver
#resolver 127.0.0.1; # Defined in error pages
}
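Review bot: `proxy_pass http://bsky` on line 121 relies on an `upstream bsky` block that this file carries only in commented-out form (lines 83-85); the name resolves because upstreams are global to the http context and http.d/konpeki.solutions defines it, so this vhost silently stops loading if that file is ever removed or renamed. The same implicit dependency exists in theshadoweevee.konpeki.solutions and in the `*.konpeki.solutions` vhost; moving the single `upstream bsky` definition into a conf.d file (nginx.conf already includes /etc/nginx/conf.d/*) makes the sharing explicit and gives the commented copies a reason to go. Also, in `location /` the `rewrite` on line 117 has an absolute https:// replacement, and nginx stops processing and issues the redirect as soon as it sees one, regardless of the `break` flag, so the `return 404` on line 118 is unreachable; `return 302 <the same bsky.app profile URL>;` expresses the intent in one line.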

41
http.d/dash.shad.moe Normal file

@ -0,0 +1,41 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name dash.shad.moe www.dash.shad.moe;
if ($host = dash.shad.moe) {
return 301 https://$host$request_uri;
}
return 404;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name dash.shad.moe www.dash.shad.moe;
ssl_certificate /etc/letsencrypt/live/dash.shad.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dash.shad.moe/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
client_max_body_size 525M;
include snippets/http-cat-error-pages.conf;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://192.168.1.210:3000;
}
}
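Review bot: The port-80 server (lines 147-151) lists `www.dash.shad.moe` in `server_name` but only redirects when `$host` equals `dash.shad.moe`, so a plain-HTTP request for the www name gets a 404 instead of the HTTPS redirect; the unconditional `return 301 https://$host$request_uri;` that docs.shad.moe and the other vhosts use is simpler and correct for both names. The HTTPS server here also omits the `add_header Strict-Transport-Security "max-age=63072000" always;` line that every other shad.moe vhost in this commit sets. Both points apply identically to vault.shad.moe, which uses the same `if ($host = ...)` block and likewise has no HSTS header — arguably the vhost where it matters most.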

17
http.d/default.conf Normal file

@ -0,0 +1,17 @@
# This is a default site configuration which will simply return 404, preventing
# chance access to any other virtualhost.
server {
listen 80 default_server;
listen [::]:80 default_server;
# Everything is a 404
location / {
return 404;
}
# You may need this to prevent return 404 recursion.
location = /404.html {
internal;
}
}
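Review bot: This catch-all covers only port 80 (lines 183-184); there is no `default_server` for 443, so a TLS connection with no SNI or an unknown name lands on whichever `listen 443 ssl` server nginx loads first from http.d (likely auth.shad.moe, given the include's sort order), which then answers with that site's certificate and content. Add a matching TLS catch-all here: `listen 443 ssl default_server;`, `listen [::]:443 ssl default_server;` and `ssl_reject_handshake on;` (available since nginx 1.19.4), which aborts the handshake without needing a certificate at all. The `# Everything is a 404` comment above `location /` could then note that the 443 block does the equivalent for unmatched TLS names.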

65
http.d/docs.shad.moe Normal file

@ -0,0 +1,65 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream bookstack {
server 100.64.2.118;
}
server {
listen 80;
listen [::]:80;
server_name docs.shad.moe www.docs.shad.moe;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name docs.shad.moe www.docs.shad.moe;
ssl_certificate /etc/letsencrypt/live/docs.shad.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/docs.shad.moe/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
include snippets/http-cat-error-pages.conf;
location / {
client_max_body_size 512M;
proxy_pass http://bookstack;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/docs.shad.moe/fullchain.pem;
# replace with the IP address of your resolver
#resolver 127.0.0.1; # Defined in error pages
}
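Review bot: The `location /` block (lines 231-240) forwards `Upgrade` and `Connection` headers to bookstack but leaves `proxy_http_version` at its default of 1.0, and nginx's WebSocket proxying requires HTTP/1.1 to the upstream, so the two `proxy_set_header` lines on 234-235 cannot achieve an upgrade; either add `proxy_http_version 1.1;` and use the `$connection_upgrade` map (defined at the top of this file and otherwise unused) in place of `$http_connection`, or drop both headers if BookStack does not need WebSockets. The same header pair without HTTP/1.1 appears in git.shad.moe, konpeki.solutions, theshadoweevee.konpeki.solutions, the axoblu vhost and the `*.konpeki.solutions` vhost. A short comment on the chosen option (`# no WebSocket upgrade: BookStack is plain HTTP` or the reverse) would keep the next copy-paste from re-introducing the ambiguity.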

65
http.d/git.shad.moe Normal file

@ -0,0 +1,65 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream gitea {
server 192.168.1.215:3000;
}
server {
listen 80;
listen [::]:80;
server_name git.shad.moe www.git.shad.moe;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name git.shad.moe www.git.shad.moe;
ssl_certificate /etc/letsencrypt/live/git.shad.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.shad.moe/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
include snippets/http-cat-error-pages.conf;
location / {
client_max_body_size 512M;
proxy_pass http://gitea;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/git.shad.moe/fullchain.pem;
# replace with the IP address of your resolver
#resolver 127.0.0.1; # Defined in error pages
}

68
http.d/graph.shad.moe Normal file

@ -0,0 +1,68 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream grafana {
server 192.168.1.200:3000;
}
server {
listen 80;
listen [::]:80;
server_name graph.shad.moe www.graph.shad.moe;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name graph.shad.moe www.graph.shad.moe;
ssl_certificate /etc/letsencrypt/live/graph.shad.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/graph.shad.moe/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
include snippets/http-cat-error-pages.conf;
location / {
proxy_set_header Host $host;
proxy_pass http://grafana;
}
# Proxy Grafana Live WebSocket connections.
location /api/live/ {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_pass http://grafana;
}
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/graph.shad.moe/fullchain.pem;
# replace with the IP address of your resolver
#resolver 127.0.0.1; # Defined in error pages
}
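Review bot: `location /` (lines 339-342) forwards only `Host` to Grafana, so unlike the other vhosts it sends no `X-Forwarded-For`, `X-Real-IP` or `X-Forwarded-Proto`; Grafana's request logs and anything it keys on the client address will see nginx's own address instead. The `/api/live/` block at 344-350 has the same gap. Adding the three `proxy_set_header` lines used in git.shad.moe — or, more simply, placing them once at server level as konpeki.solutions does — keeps the two locations consistent without duplicating them.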

22
http.d/internal.shad.moe Normal file

@ -0,0 +1,22 @@
server {
listen 443 ssl;
server_name internal.shad.moe;
ssl_certificate /etc/letsencrypt/live/internal.shad.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/internal.shad.moe/privkey.pem;
#ssl_protocols TLSv1.2 TLSv1.3;
#ssl_ciphers HIGH:!aNULL:!MD5;
root /var/www/internal-page-wall;
location / {
index index.htm index.html;
}
}
server {
listen 443 ssl;
server_name *.internal.shad.moe;
ssl_certificate /etc/letsencrypt/live/internal.shad.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/internal.shad.moe/privkey.pem;
return 302 https://internal.shad.moe;
}
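Review bot: With `ssl_protocols` commented out on line 369, both server blocks inherit the http-level setting from nginx.conf, which is `TLSv1.1 TLSv1.2 TLSv1.3`, so this vhost (and map.gpoc.konpeki.solutions, which comments out the same line) still accepts TLS 1.1 — uncomment line 369 or, better, fix the http-level default. The wildcard `*.internal.shad.moe` block (lines 376-382) serves the certificate from `/etc/letsencrypt/live/internal.shad.moe/`, which only matches if that certificate carries a wildcard SAN; the page cannot show that, so a comment stating it either way would help. Neither block has an IPv6 `listen`, `http2 on` or the HSTS header the rest of the shad.moe vhosts set.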

71
http.d/konpeki.solutions Normal file

@ -0,0 +1,71 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream bsky {
server 100.64.4.102:3000;
}
server {
listen 80;
listen [::]:80;
server_name konpeki.solutions www.konpeki.solutions;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name konpeki.solutions www.konpeki.solutions;
ssl_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/konpeki.solutions/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
include snippets/http-cat-error-pages.conf;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location / {
client_max_body_size 512M;
#proxy_pass http://100.64.4.102;
return 404;
}
location /xrpc {
proxy_pass http://bsky;
}
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
# replace with the IP address of your resolver
#resolver 127.0.0.1; # Defined in error pages
}


@ -0,0 +1,51 @@
server {
listen 80;
server_name link.gpoc.konpeki.solutions;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name link.gpoc.konpeki.solutions;
http2 on;
# allow larger file uploads and longer script runtimes
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
ssl_certificate /etc/letsencrypt/live/link.gpoc.konpeki.solutions/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/link.gpoc.konpeki.solutions/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers on;
# See https://hstspreload.org/ before uncommenting the line below.
# add_header Strict-Transport-Security "max-age=15768000; preload;";
#add_header X-Content-Type-Options nosniff;
#add_header X-XSS-Protection "1; mode=block";
#add_header X-Robots-Tag none;
#add_header Content-Security-Policy "frame-ancestors 'self'";
#add_header X-Frame-Options DENY;
#add_header Referrer-Policy same-origin;
add_header Access-Control-Allow-Origin *;
proxy_set_header Content-Security-Policy upgrade-insecure-requests;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_buffering off;
proxy_request_buffering off;
location / {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass http://100.64.4.100:8080/;
}
}
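Review bot: `add_header Access-Control-Allow-Origin *;` on line 471 lets any origin read every response from this vhost, while all of the restrictive headers above it (472-470) are commented out; if the application genuinely has to be fetched from other origins, the line deserves a comment naming the consumer, and otherwise it should go. `proxy_set_header Content-Security-Policy upgrade-insecure-requests;` on line 472 sends a response-header name as a request header to the upstream, which no server acts on — CSP belongs in `add_header`. The `location /` block at 480-484 hard-codes `Connection "Upgrade"` for every proxied request without the `proxy_http_version 1.1;` that WebSocket proxying requires; using the `$connection_upgrade` map nginx.conf already defines avoids marking non-upgrade requests as upgrades. play.gpoc.konpeki.solutions repeats all three lines verbatim.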


@ -0,0 +1,56 @@
proxy_cache_path /var/www/cache levels=1:2 keys_zone=map:8m max_size=1g inactive=24h;
server {
listen 80;
server_name map.gpoc.konpeki.solutions;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name map.gpoc.konpeki.solutions;
http2 on;
# allow larger file uploads and longer script runtimes
#client_max_body_size 100m;
#client_body_timeout 120s;
#sendfile off;
ssl_certificate /etc/letsencrypt/live/map.gpoc.konpeki.solutions/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/map.gpoc.konpeki.solutions/privkey.pem;
#ssl_protocols TLSv1.2 TLSv1.3;
#ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES2>
#ssl_prefer_server_ciphers on;
# See https://hstspreload.org/ before uncommenting the line below.
# add_header Strict-Transport-Security "max-age=15768000; preload;";
#add_header X-Content-Type-Options nosniff;
#add_header X-XSS-Protection "1; mode=block";
#add_header X-Robots-Tag none;
#add_header Content-Security-Policy "frame-ancestors 'self'";
#add_header X-Frame-Options DENY;
#add_header Referrer-Policy same-origin;
#add_header Access-Control-Allow-Origin *;
#proxy_set_header Content-Security-Policy upgrade-insecure-requests;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_buffering off;
proxy_request_buffering off;
location / {
proxy_pass http://100.64.4.100:8123/;
proxy_set_header Host $host;
proxy_cache map;
proxy_cache_key "$host$uri";
proxy_cache_valid 200 302 60m;
proxy_cache_valid 404 10m;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_503 http_504;
proxy_connect_timeout 10;
}
}
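Review bot: `proxy_cache_key "$host$uri"` on line 530 leaves the query string out of the key, so two requests that differ only in `?…` share one cache entry and the first response is served for both; for a map endpoint that takes parameters this is a correctness problem and also means one client's parameterised response can be replayed to another — nginx's default key `$scheme$proxy_host$request_uri`, or `"$host$uri$is_args$args"`, avoids it. The cache directory `/var/www/cache` (line 490) sits beside document roots such as `/var/www/bsky/...`; keeping it under `/var/cache/nginx` rules out ever serving cache files as content. With `ssl_protocols` commented out on line 506 this vhost also inherits TLS 1.1 from nginx.conf, and line 507 looks truncated (`…AES2>`), harmless while commented but unparsable if re-enabled as is.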

87
http.d/nxt.shad.moe Normal file

@ -0,0 +1,87 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name nxt.shad.moe www.nxt.shad.moe;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
# http3 on;
# quic_retry on;
# add_header Alt-Svc 'h3=":443"; ma=86400';
# listen 443 quic reuseport;
# listen [::]:443 quic reuseport;
server_name nxt.shad.moe www.nxt.shad.moe;
ssl_certificate /etc/letsencrypt/live/nxt.shad.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nxt.shad.moe/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
# Set .mjs and .wasm MIME types
# Either include it in the default mime.types list
# and include that list explicitly or add the file extension
# only for Nextcloud like below:
include mime.types;
#types {
# text/javascript js mjs;
# application/wasm wasm;
#}
include snippets/http-cat-error-pages.conf;
location / {
proxy_pass https://192.168.1.66;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
client_body_buffer_size 512k;
proxy_read_timeout 86400s;
client_max_body_size 0;
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/nxt.shad.moe/fullchain.pem;
# replace with the IP address of your resolver
#resolver 127.0.0.1; # Defined in error pages
}
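Review bot: `client_max_body_size 0` on line 596 removes the request-body limit entirely, and because `proxy_request_buffering` is left at its default of on, nginx spools each upload to its temporary directory before forwarding it, so a single client can fill that filesystem; either set a concrete ceiling matching Nextcloud's own upload limit or add `proxy_request_buffering off;` so bodies stream straight through to the backend. `proxy_read_timeout 86400s` on line 595 keeps an idle upstream connection open for a day for every request, which only the WebSocket path needs; scoping it to that path would be cleaner. `proxy_pass https://192.168.1.66` on line 586 is also an unverified TLS hop, since `proxy_ssl_verify` defaults to off — the same gap as the authentik upstream in auth.shad.moe.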


@ -0,0 +1,45 @@
server {
listen 80;
server_name play.gpoc-modded.konpeki.solutions;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name play.gpoc-modded.konpeki.solutions;
http2 on;
# allow larger file uploads and longer script runtimes
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
ssl_certificate /etc/letsencrypt/live/play.gpoc-modded.konpeki.solutions/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/play.gpoc-modded.konpeki.solutions/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers on;
# See https://hstspreload.org/ before uncommenting the line below.
# add_header Strict-Transport-Security "max-age=15768000; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header Content-Security-Policy "frame-ancestors 'self'";
add_header X-Frame-Options DENY;
add_header Referrer-Policy same-origin;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_buffering off;
proxy_request_buffering off;
location / {
proxy_pass http://100.64.4.102;
}
}
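Review bot: The `add_header` lines on 632-637 lack `always`, so nginx attaches them only to responses in its default status set (200, 201, 204, 206, 301, 302, 303, 304, 307, 308) and every 4xx/5xx page relayed from the upstream goes out without `X-Frame-Options`, `Content-Security-Policy` and the rest; append `always` to each, as the HSTS line in the shad.moe vhosts already does. The two `add_header` lines inside rss.shad.moe's `location /` have the same omission. HSTS itself is left commented on line 631 because of the preload caveat, but the non-preload form used elsewhere in this commit, `add_header Strict-Transport-Security "max-age=63072000" always;`, carries no such caveat and can be enabled now.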


@ -0,0 +1,51 @@
server {
listen 80;
server_name play.gpoc.konpeki.solutions;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name play.gpoc.konpeki.solutions;
http2 on;
# allow larger file uploads and longer script runtimes
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
ssl_certificate /etc/letsencrypt/live/play.gpoc.konpeki.solutions/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/play.gpoc.konpeki.solutions/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers on;
# See https://hstspreload.org/ before uncommenting the line below.
# add_header Strict-Transport-Security "max-age=15768000; preload;";
#add_header X-Content-Type-Options nosniff;
#add_header X-XSS-Protection "1; mode=block";
#add_header X-Robots-Tag none;
#add_header Content-Security-Policy "frame-ancestors 'self'";
#add_header X-Frame-Options DENY;
#add_header Referrer-Policy same-origin;
add_header Access-Control-Allow-Origin *;
proxy_set_header Content-Security-Policy upgrade-insecure-requests;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_buffering off;
proxy_request_buffering off;
location / {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_pass http://100.64.4.100:8080/;
}
}

57
http.d/rss.shad.moe Normal file

@ -0,0 +1,57 @@
upstream freshrss {
server 192.168.1.219:8080;
keepalive 64;
}
server {
listen 80;
listen [::]:80;
server_name rss.shad.moe www.rss.shad.moe;
location / {
return 301 https://$host$request_uri;
}
}
server {
server_name rss.shad.moe www.rss.shad.moe;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
ssl_certificate /etc/letsencrypt/live/rss.shad.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rss.shad.moe/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
include snippets/http-cat-error-pages.conf;
location / {
proxy_pass http://freshrss/;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_read_timeout 90;
# Forward the Authorization header for the Google Reader API.
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
}
}
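Review bot: The two `add_header` lines inside `location /` (730-731) cancel the server-level HSTS header on line 726 for every proxied response: nginx inherits `add_header` from the enclosing level only when the current level defines none, so with these present the only headers emitted are the two in the location. Move them up beside the HSTS line (with `always`), or repeat the HSTS line inside the location. Separately, `keepalive 64` in the upstream (line 702) has no effect without `proxy_http_version 1.1;` and `proxy_set_header Connection "";` in the proxied location, as the upstream module docs state; vault.shad.moe's `keepalive 2` has the same gap, and auth.shad.moe's `keepalive 10` is defeated for ordinary requests because its `Connection` header comes from `$connection_upgrade`, which yields `close` when no upgrade is requested. Lines 741-742 can go: request headers such as Authorization are forwarded by default, and `proxy_pass_header` governs response headers, not request ones.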


@ -0,0 +1,75 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
#upstream bsky {
# server 100.64.4.102:3000;
#}
server {
listen 80;
listen [::]:80;
server_name theshadoweevee.konpeki.solutions;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name theshadoweevee.konpeki.solutions;
ssl_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/konpeki.solutions/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
include snippets/http-cat-error-pages.conf;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location / {
rewrite / https://bsky.app/profile/did:plc:krbzbucjaj76xjob6ju47ilo break;
return 404;
}
location /xrpc {
proxy_pass http://bsky;
}
location = /.well-known/atproto-did {
root /var/www/bsky/theshadoweevee/;
default_type text/plain;
}
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
# replace with the IP address of your resolver
#resolver 127.0.0.1; # Defined in error pages
}

49
http.d/vault.shad.moe Normal file

@ -0,0 +1,49 @@
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server 192.168.1.209:8000;
keepalive 2;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80;
server_name vault.shad.moe www.vault.shad.moe;
if ($host = vault.shad.moe) {
return 301 https://$host$request_uri;
}
return 404;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name vault.shad.moe www.vault.shad.moe;
ssl_certificate /etc/letsencrypt/live/vault.shad.moe/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vault.shad.moe/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
client_max_body_size 525M;
include snippets/http-cat-error-pages.conf;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://vaultwarden-default;
}
location /admin {
return 403;
}
}


@ -0,0 +1,71 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
#upstream bsky {
# server 100.64.4.102:3000;
#}
server {
listen 80;
listen [::]:80;
server_name *.konpeki.solutions;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name *.konpeki.solutions;
ssl_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/konpeki.solutions/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparam.txt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
include snippets/http-cat-error-pages.conf;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location / {
client_max_body_size 512M;
#proxy_pass http://100.64.4.102;
return 404;
}
location /xrpc {
proxy_pass http://bsky;
}
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/konpeki.solutions/fullchain.pem;
# replace with the IP address of your resolver
#resolver 127.0.0.1; # Defined in error pages
}
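Review bot: `server_name *.konpeki.solutions` (lines 866 and 875) makes this block the catch-all for every konpeki.solutions subdomain without a vhost of its own, proxying `/xrpc` to the PDS and answering 404 elsewhere, yet nothing in the file says this is deliberate; a header comment such as `# Catch-all for PDS handle subdomains: /xrpc goes to the PDS, everything else is 404` would stop a future reader from treating it as a stray copy of konpeki.solutions. It also depends on the certificate under `/etc/letsencrypt/live/konpeki.solutions/` covering `*.konpeki.solutions`, which the page cannot confirm, so a comment on that would help too. As with the other PDS vhosts, the `upstream bsky` it references is defined only in http.d/konpeki.solutions.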

99
mime.types Normal file

@ -0,0 +1,99 @@
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js mjs;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/avif avif;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}

103
nginx.conf Normal file

@ -0,0 +1,103 @@
# /etc/nginx/nginx.conf
user nginx;
# Set number of worker processes automatically based on number of CPU cores.
worker_processes auto;
# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;
# Configures default error logger.
error_log /var/log/nginx/error.log warn;
# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;
# Include files with config snippets into the root context.
include /etc/nginx/conf.d/*;
events {
# The maximum number of simultaneous connections that can be opened by
# a worker process.
worker_connections 1024;
}
http {
# Includes mapping of file name extensions to MIME types of responses
# and defines the default type.
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Name servers used to resolve names of upstream servers into addresses.
# It's also needed when using tcpsocket and udpsocket in Lua modules.
#resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
# Don't tell nginx version to the clients. Default is 'on'.
server_tokens off;
# Specifies the maximum accepted body size of a client request, as
# indicated by the request header Content-Length. If the stated content
# length is greater than this size, then the client receives the HTTP
# error code 413. Set to 0 to disable. Default is '1m'.
client_max_body_size 100m;
# Sendfile copies data between one FD and other from within the kernel,
# which is more efficient than read() + write(). Default is off.
sendfile on;
# Causes nginx to attempt to send its HTTP response head in one packet,
# instead of using partial frames. Default is 'off'.
tcp_nopush on;
# Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
# TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# Path of the file with Diffie-Hellman parameters for EDH ciphers.
# TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
#ssl_dhparam /etc/ssl/nginx/dh2048.pem;
# Specifies that our cipher suits should be preferred over client ciphers.
# Default is 'off'.
ssl_prefer_server_ciphers on;
# Enables a shared SSL cache with size that can hold around 8000 sessions.
# Default is 'none'.
ssl_session_cache shared:SSL:2m;
# Specifies a time during which a client may reuse the session parameters.
# Default is '5m'.
ssl_session_timeout 1h;
# Disable TLS session tickets (they are insecure). Default is 'on'.
ssl_session_tickets off;
# Enable gzipping of responses.
#gzip on;
# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
gzip_vary on;
# Helper variable for proxying websockets.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Specifies the main log format.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Sets the path, format, and configuration for a buffered log write.
access_log /var/log/nginx/access.log main;
# Includes virtual hosts configs.
include /etc/nginx/http.d/*;
}
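Review bot: `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` on line 1051 is the http-level default, and the comment directly above it already advises dropping TLSv1.1 (deprecated by RFC 8996); most vhosts override it, but internal.shad.moe and map.gpoc.konpeki.solutions comment out their own `ssl_protocols` and so still offer TLS 1.1 — change it to `ssl_protocols TLSv1.2 TLSv1.3;` so the inherited default is the safe one. The `map $http_upgrade $connection_upgrade` block on 1071-1074 is then copied verbatim into nearly every http.d file; as far as I can tell nginx accepts the duplicates because map variables are declared changeable, with the last definition winning, but the copies are clutter and would mask a divergent one — keeping only this block is enough. Likewise `ssl_prefer_server_ciphers on` and `ssl_session_cache shared:SSL:2m` here disagree with the `off` and `shared:MozSSL:10m` values every hardened vhost repeats, so whichever is meant as policy should live here once.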


@ -0,0 +1,29 @@
# ---------- Status Cats Error Pages!!! via: https://http.cat/ ---------
#
# requires that a dns resolver be set for nginx as in: resolver 127.0.0.1;
# typically uses dnsmasq for 127.0.0.1 resolver
#
# Usage:
# place this file somewhere accessible to nginx. /etc/nginx/snippets is a decent choice.
# then inside the server block(s) you want cat themed error status responses do:
# include snippets/http-cat-error-pages.conf
#
#recursive_error_pages on;
# all of the status defined at http.cat AND allowed by nginx to be error_page'd
#
#error_page 300 301 302 303 304 305 307 400 401 402 403 404 405 406 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 425 426 429 431 444 450 451 500 501 502 503 506 507 508 509 599 /status-cats-error.html;
location /status-cats-error.html {
proxy_pass https://http.cat/$status;
}
# nginx wont let you use statuses < 300 in return stmts or in error_page stmts, so provide a
# proxied location to test those....
#
location ~ ^/test-status-cats/(?<cat>.*)$ {
proxy_pass https://http.cat/$cat/;
}
resolver 100.100.100.100;
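Review bot: `proxy_pass https://http.cat/$status;` (line 1103) and the `/test-status-cats/` location (1108-1110) fetch third-party HTML over TLS that nginx does not verify — `proxy_ssl_verify` defaults to off and `proxy_ssl_server_name` too, so no SNI is sent — and then serve it under each including site's own origin, auth.shad.moe and vault.shad.moe among them; anyone able to interpose on the path to http.cat could thereby place content on those origins. If the cat pages are kept, add `proxy_ssl_verify on;`, `proxy_ssl_server_name on;` and `proxy_ssl_trusted_certificate <system CA bundle path>;`, and mark the error location `internal;` so it is reachable only through `error_page`. The `/test-status-cats/(?<cat>.*)` location passes an unrestricted, client-chosen capture into the upstream URL; the snippet's own comment calls it a test aid, and it should not be included in the production vhosts. Note that the `error_page` line on 1101 is commented out, so as committed the snippet contributes the two locations and a `resolver` but no error-page mapping, which the header comment (1088-1096) does not make clear.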