Added nginx configuration

etc/nginx/nginx.conf

@@ -0,0 +1,128 @@
+user www-data;
+worker_processes 2;
+pid /run/nginx.pid;
+pcre_jit on;
+worker_rlimit_nofile 30000;
+worker_shutdown_timeout 1m;
+
+events {
+	worker_connections 7680;
+	multi_accept on;
+}
+
+http {
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	aio threads;
+	aio_write on;
+	directio 512;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	server_tokens off;
+        client_max_body_size 50M;
+	client_body_timeout 10s;
+	client_header_timeout 10s;
+	client_body_buffer_size 32k;
+
+	server_names_hash_bucket_size 128;
+	server_names_hash_max_size 1024;
+	server_name_in_redirect off;
+	port_in_redirect off;
+	charset UTF-8;
+	index index.html index.htm index.php;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_prefer_server_ciphers on;
+	ssl_ecdh_curve X448:X25519:secp521r1:secp384r1;
+	ssl_ciphers HIGH:!PSK:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
+	ssl_session_cache off;
+	ssl_early_data off;
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
+	ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
+	ssl_dhparam /etc/nginx/dh4096.pem;
+
+	##
+	# Logging Settings
+	##
+	log_format custom '0.0.0.0 - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent"';
+	access_log /var/log/nginx/access.log custom buffer=32k flush=1m;
+	error_log /var/log/nginx/error.log notice;
+	log_not_found off;
+
+	resolver 127.0.0.1 [::1];
+	resolver_timeout 2s;
+	root /var/www/html;
+	proxy_cache_path /var/lib/nginx/cache levels=2 keys_zone=cache:10m inactive=30d max_size=1g;
+	proxy_cache_revalidate on;
+	proxy_cache_use_stale http_503 timeout updating error;
+	proxy_no_cache $http_pragma $http_authorization;
+	proxy_cache_bypass $cookie_nocache $arg_nocache;
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		'' '';
+	}
+	proxy_cache_lock_timeout 2m;
+	proxy_cache_lock_age 2m;
+	proxy_cache cache;
+	proxy_http_version 1.1;
+	proxy_buffer_size 8k;
+	proxy_buffering off;
+	proxy_set_header Host $host;
+	proxy_set_header Proxy "";
+	proxy_set_header X-Forwarded-Proto $scheme;
+	proxy_set_header X-Forwarded-Port "";
+	proxy_set_header Upgrade $http_upgrade;
+	proxy_set_header Connection $connection_upgrade;
+	proxy_ignore_client_abort on;
+	proxy_cache_key $server_name$request_method$host$request_uri;
+	proxy_read_timeout 3600; #wait up to 60 minutes for e.g. database import
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	gzip_vary on;
+	gzip_proxied off;
+	gzip_comp_level 9;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	gzip_types application/eot application/font application/font-woff application/font-sfnt application/json application/javascript application/javascript-binast application/ld+json application/manifest+json application/opentype application/otf application/truetype application/ttf application/wasm application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-ttf application/xml application/xml+rss application/vnd.api+json application/vnd.ms-fontobject application/x-protobuf application/xhtml+xml font/otf font/ttf font/x-woff image/svg+xml image/vnd.microsoft.icon image/x-icon multipart/bag multipart/mixed text/css text/javascript text/js text/plain text/richtext text/x-script text/x-component text/x-java-source text/x-markdown text/xml;
+
+	brotli on;
+	brotli_types application/eot application/font application/font-woff application/font-sfnt application/json application/javascript application/javascript-binast application/ld+json application/manifest+json application/opentype application/otf application/truetype application/ttf application/wasm application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-ttf application/xml application/xml+rss application/vnd.api+json application/vnd.ms-fontobject application/x-protobuf application/xhtml+xml font/otf font/ttf font/x-woff image/svg+xml image/vnd.microsoft.icon image/x-icon multipart/bag multipart/mixed text/css text/javascript text/js text/plain text/richtext text/x-script text/x-component text/x-java-source text/x-markdown text/xml;
+
+	##
+	# Virtual Host Configs
+	##
+
+	map $sent_http_content_type $expires {
+		default		off;
+		~image/		10d;
+		~video/		10d;
+		~audio/		10d;
+		~font/          10d;
+		~application/(x-)?font  10d;
+		text/css	10d;
+		application/javascript 10d;
+	}
+	expires $expires;
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}

etc/nginx/sites-enabled/mail

@@ -0,0 +1,92 @@
+server {
+	add_header Content-Security-Policy "base-uri 'self'; style-src 'self' 'unsafe-inline'; default-src 'none'; frame-ancestors 'self'; form-action 'self'; require-trusted-types-for 'script'" always;
+	add_header X-Content-Type-Options nosniff always;
+	add_header X-Xss-Protection "0" always;
+	add_header Referrer-Policy no-referrer always;
+	add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
+	add_header Cross-Origin-Embedder-Policy require-corp always;
+	add_header Cross-Origin-Opener-Policy same-origin always;
+	add_header Cross-Origin-Resource-Policy same-origin always;
+	listen unix:/var/run/nginx.sock default_server;
+	root /var/www/html;
+	index index.php;
+	server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion;
+	location / {
+		try_files $uri $uri/ =404;
+	}
+	location ~ ^/mail/squirrelmail/.git {
+		return 403;
+	}
+	rewrite /.well-known/openpgpkey/hu /mail/openpgpkey_wkd.php last;
+	location ~ ^/mail/squirrelmail/.*\.php$ {
+		add_header Content-Security-Policy "base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self'; default-src 'none'; img-src 'self' data: https://*; frame-ancestors 'self'; form-action 'self'; require-trusted-types-for 'script'" always;
+		add_header X-Content-Type-Options nosniff always;
+		add_header X-Xss-Protection "0" always;
+		add_header Referrer-Policy no-referrer always;
+		add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
+		add_header Cross-Origin-Embedder-Policy require-corp always;
+		add_header Cross-Origin-Opener-Policy same-origin always;
+		add_header Cross-Origin-Resource-Policy same-origin always;
+		include snippets/fastcgi-php.conf;
+		fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+		expires off;
+	}
+	location ~ \.php$ {
+		add_header Referrer-Policy no-referrer always;
+		include snippets/fastcgi-php.conf;
+		fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+		expires off;
+	}
+}
+server {
+	add_header Content-Security-Policy "base-uri 'self'; style-src 'self' 'unsafe-inline'; default-src 'none'; frame-ancestors 'self'; form-action 'self'; require-trusted-types-for 'script'" always;
+	add_header X-Content-Type-Options nosniff always;
+	add_header X-Xss-Protection "0" always;
+	add_header Referrer-Policy no-referrer always;
+	add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
+	add_header Onion-Location http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion$request_uri always;
+	add_header Expect-CT "max-age=86400, enforce" always;
+	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+	add_header Cross-Origin-Embedder-Policy require-corp always;
+	add_header Cross-Origin-Opener-Policy same-origin always;
+	add_header Cross-Origin-Resource-Policy same-origin always;
+        listen [::]:443 ssl proxy_protocol http2;
+	ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
+	ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
+	root /var/www/html;
+	index index.php;
+	server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion danwin1210.de;
+	location / {
+		try_files $uri $uri/ =404;
+	}
+	location ~ ^/mail/squirrelmail/.git {
+		return 403;
+	}
+	rewrite /.well-known/openpgpkey/hu /mail/openpgpkey_wkd.php last;
+	location ~ ^/mail/squirrelmail/.*\.php$ {
+		add_header Content-Security-Policy "base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self'; default-src 'none'; img-src 'self' data: https://*; frame-ancestors 'self'; form-action 'self'; require-trusted-types-for 'script'" always;
+		add_header X-Content-Type-Options nosniff always;
+		add_header X-Xss-Protection "0" always;
+		add_header Referrer-Policy no-referrer always;
+		add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
+		add_header Onion-Location http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion$request_uri always;
+		add_header Expect-CT "max-age=86400, enforce" always;
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+		add_header Cross-Origin-Embedder-Policy require-corp always;
+		add_header Cross-Origin-Opener-Policy same-origin always;
+		add_header Cross-Origin-Resource-Policy same-origin always;
+		include snippets/fastcgi-php.conf;
+		fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+		expires off;
+	}
+	location ~ \.php$ {
+		add_header Referrer-Policy no-referrer always;
+		add_header Onion-Location http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion$request_uri always;
+		add_header Expect-CT "max-age=86400, enforce" always;
+		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+		include snippets/fastcgi-php.conf;
+		fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+		expires off;
+	}
+}
+

etc/nginx/sites-enabled/openpgpkey

@@ -0,0 +1,21 @@
+server {
+	listen [::]:443 ssl proxy_protocol http2;
+	add_header Expect-CT "max-age=86400, enforce" always;
+	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+	root /var/www/html;
+	location / {
+		try_files $uri $uri/ =404;
+	}
+	server_name openpgpkey.danwin1210.de;
+	location ~ ^/\.well-known/openpgpkey/(.*)/policy$ {
+		return 200 "";
+	}
+	rewrite /.well-known/openpgpkey/(.*)/hu /mail/openpgpkey_wkd.php?domain=$1 last;
+	location ~ \.php$ {
+		include snippets/fastcgi-php.conf;
+		fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+		expires off;
+	}
+	ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
+	ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
+}