Added nginx configuration
This commit is contained in:
parent
72e0309dde
commit
fc6aca4855
3 changed files with 241 additions and 0 deletions
128
etc/nginx/nginx.conf
Normal file
128
etc/nginx/nginx.conf
Normal file
|
@ -0,0 +1,128 @@
|
||||||
|
user www-data;
|
||||||
|
worker_processes 2;
|
||||||
|
pid /run/nginx.pid;
|
||||||
|
pcre_jit on;
|
||||||
|
worker_rlimit_nofile 30000;
|
||||||
|
worker_shutdown_timeout 1m;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 7680;
|
||||||
|
multi_accept on;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
##
|
||||||
|
# Basic Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
aio threads;
|
||||||
|
aio_write on;
|
||||||
|
directio 512;
|
||||||
|
tcp_nopush on;
|
||||||
|
tcp_nodelay on;
|
||||||
|
keepalive_timeout 65;
|
||||||
|
types_hash_max_size 2048;
|
||||||
|
server_tokens off;
|
||||||
|
client_max_body_size 50M;
|
||||||
|
client_body_timeout 10s;
|
||||||
|
client_header_timeout 10s;
|
||||||
|
client_body_buffer_size 32k;
|
||||||
|
|
||||||
|
server_names_hash_bucket_size 128;
|
||||||
|
server_names_hash_max_size 1024;
|
||||||
|
server_name_in_redirect off;
|
||||||
|
port_in_redirect off;
|
||||||
|
charset UTF-8;
|
||||||
|
index index.html index.htm index.php;
|
||||||
|
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
##
|
||||||
|
# SSL Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_ecdh_curve X448:X25519:secp521r1:secp384r1;
|
||||||
|
ssl_ciphers HIGH:!PSK:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
|
||||||
|
ssl_session_cache off;
|
||||||
|
ssl_early_data off;
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
|
||||||
|
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
|
||||||
|
ssl_dhparam /etc/nginx/dh4096.pem;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Logging Settings
|
||||||
|
##
|
||||||
|
log_format custom '0.0.0.0 - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent"';
|
||||||
|
access_log /var/log/nginx/access.log custom buffer=32k flush=1m;
|
||||||
|
error_log /var/log/nginx/error.log notice;
|
||||||
|
log_not_found off;
|
||||||
|
|
||||||
|
resolver 127.0.0.1 [::1];
|
||||||
|
resolver_timeout 2s;
|
||||||
|
root /var/www/html;
|
||||||
|
proxy_cache_path /var/lib/nginx/cache levels=2 keys_zone=cache:10m inactive=30d max_size=1g;
|
||||||
|
proxy_cache_revalidate on;
|
||||||
|
proxy_cache_use_stale http_503 timeout updating error;
|
||||||
|
proxy_no_cache $http_pragma $http_authorization;
|
||||||
|
proxy_cache_bypass $cookie_nocache $arg_nocache;
|
||||||
|
map $http_upgrade $connection_upgrade {
|
||||||
|
default upgrade;
|
||||||
|
'' '';
|
||||||
|
}
|
||||||
|
proxy_cache_lock_timeout 2m;
|
||||||
|
proxy_cache_lock_age 2m;
|
||||||
|
proxy_cache cache;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_buffer_size 8k;
|
||||||
|
proxy_buffering off;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header Proxy "";
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Forwarded-Port "";
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
proxy_ignore_client_abort on;
|
||||||
|
proxy_cache_key $server_name$request_method$host$request_uri;
|
||||||
|
proxy_read_timeout 3600; #wait up to 60 minutes for e.g. database import
|
||||||
|
|
||||||
|
##
|
||||||
|
# Gzip Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
gzip on;
|
||||||
|
|
||||||
|
gzip_vary on;
|
||||||
|
gzip_proxied off;
|
||||||
|
gzip_comp_level 9;
|
||||||
|
# gzip_buffers 16 8k;
|
||||||
|
# gzip_http_version 1.1;
|
||||||
|
gzip_types application/eot application/font application/font-woff application/font-sfnt application/json application/javascript application/javascript-binast application/ld+json application/manifest+json application/opentype application/otf application/truetype application/ttf application/wasm application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-ttf application/xml application/xml+rss application/vnd.api+json application/vnd.ms-fontobject application/x-protobuf application/xhtml+xml font/otf font/ttf font/x-woff image/svg+xml image/vnd.microsoft.icon image/x-icon multipart/bag multipart/mixed text/css text/javascript text/js text/plain text/richtext text/x-script text/x-component text/x-java-source text/x-markdown text/xml;
|
||||||
|
|
||||||
|
brotli on;
|
||||||
|
brotli_types application/eot application/font application/font-woff application/font-sfnt application/json application/javascript application/javascript-binast application/ld+json application/manifest+json application/opentype application/otf application/truetype application/ttf application/wasm application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-ttf application/xml application/xml+rss application/vnd.api+json application/vnd.ms-fontobject application/x-protobuf application/xhtml+xml font/otf font/ttf font/x-woff image/svg+xml image/vnd.microsoft.icon image/x-icon multipart/bag multipart/mixed text/css text/javascript text/js text/plain text/richtext text/x-script text/x-component text/x-java-source text/x-markdown text/xml;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Virtual Host Configs
|
||||||
|
##
|
||||||
|
|
||||||
|
map $sent_http_content_type $expires {
|
||||||
|
default off;
|
||||||
|
~image/ 10d;
|
||||||
|
~video/ 10d;
|
||||||
|
~audio/ 10d;
|
||||||
|
~font/ 10d;
|
||||||
|
~application/(x-)?font 10d;
|
||||||
|
text/css 10d;
|
||||||
|
application/javascript 10d;
|
||||||
|
}
|
||||||
|
expires $expires;
|
||||||
|
|
||||||
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
include /etc/nginx/sites-enabled/*;
|
||||||
|
}
|
92
etc/nginx/sites-enabled/mail
Normal file
92
etc/nginx/sites-enabled/mail
Normal file
|
@ -0,0 +1,92 @@
|
||||||
|
server {
|
||||||
|
add_header Content-Security-Policy "base-uri 'self'; style-src 'self' 'unsafe-inline'; default-src 'none'; frame-ancestors 'self'; form-action 'self'; require-trusted-types-for 'script'" always;
|
||||||
|
add_header X-Content-Type-Options nosniff always;
|
||||||
|
add_header X-Xss-Protection "0" always;
|
||||||
|
add_header Referrer-Policy no-referrer always;
|
||||||
|
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
|
||||||
|
add_header Cross-Origin-Embedder-Policy require-corp always;
|
||||||
|
add_header Cross-Origin-Opener-Policy same-origin always;
|
||||||
|
add_header Cross-Origin-Resource-Policy same-origin always;
|
||||||
|
listen unix:/var/run/nginx.sock default_server;
|
||||||
|
root /var/www/html;
|
||||||
|
index index.php;
|
||||||
|
server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion;
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
location ~ ^/mail/squirrelmail/.git {
|
||||||
|
return 403;
|
||||||
|
}
|
||||||
|
rewrite /.well-known/openpgpkey/hu /mail/openpgpkey_wkd.php last;
|
||||||
|
location ~ ^/mail/squirrelmail/.*\.php$ {
|
||||||
|
add_header Content-Security-Policy "base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self'; default-src 'none'; img-src 'self' data: https://*; frame-ancestors 'self'; form-action 'self'; require-trusted-types-for 'script'" always;
|
||||||
|
add_header X-Content-Type-Options nosniff always;
|
||||||
|
add_header X-Xss-Protection "0" always;
|
||||||
|
add_header Referrer-Policy no-referrer always;
|
||||||
|
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
|
||||||
|
add_header Cross-Origin-Embedder-Policy require-corp always;
|
||||||
|
add_header Cross-Origin-Opener-Policy same-origin always;
|
||||||
|
add_header Cross-Origin-Resource-Policy same-origin always;
|
||||||
|
include snippets/fastcgi-php.conf;
|
||||||
|
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
|
||||||
|
expires off;
|
||||||
|
}
|
||||||
|
location ~ \.php$ {
|
||||||
|
add_header Referrer-Policy no-referrer always;
|
||||||
|
include snippets/fastcgi-php.conf;
|
||||||
|
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
|
||||||
|
expires off;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
server {
|
||||||
|
add_header Content-Security-Policy "base-uri 'self'; style-src 'self' 'unsafe-inline'; default-src 'none'; frame-ancestors 'self'; form-action 'self'; require-trusted-types-for 'script'" always;
|
||||||
|
add_header X-Content-Type-Options nosniff always;
|
||||||
|
add_header X-Xss-Protection "0" always;
|
||||||
|
add_header Referrer-Policy no-referrer always;
|
||||||
|
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
|
||||||
|
add_header Onion-Location http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion$request_uri always;
|
||||||
|
add_header Expect-CT "max-age=86400, enforce" always;
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
add_header Cross-Origin-Embedder-Policy require-corp always;
|
||||||
|
add_header Cross-Origin-Opener-Policy same-origin always;
|
||||||
|
add_header Cross-Origin-Resource-Policy same-origin always;
|
||||||
|
listen [::]:443 ssl proxy_protocol http2;
|
||||||
|
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
|
||||||
|
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
|
||||||
|
root /var/www/html;
|
||||||
|
index index.php;
|
||||||
|
server_name danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion danwin1210.de;
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
location ~ ^/mail/squirrelmail/.git {
|
||||||
|
return 403;
|
||||||
|
}
|
||||||
|
rewrite /.well-known/openpgpkey/hu /mail/openpgpkey_wkd.php last;
|
||||||
|
location ~ ^/mail/squirrelmail/.*\.php$ {
|
||||||
|
add_header Content-Security-Policy "base-uri 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self'; default-src 'none'; img-src 'self' data: https://*; frame-ancestors 'self'; form-action 'self'; require-trusted-types-for 'script'" always;
|
||||||
|
add_header X-Content-Type-Options nosniff always;
|
||||||
|
add_header X-Xss-Protection "0" always;
|
||||||
|
add_header Referrer-Policy no-referrer always;
|
||||||
|
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), fullscreen=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), sync-script=(), vertical-scroll=(), serial=(), trust-token-redemption=(), interest-cohort=(), otp-credentials=()" always;
|
||||||
|
add_header Onion-Location http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion$request_uri always;
|
||||||
|
add_header Expect-CT "max-age=86400, enforce" always;
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
add_header Cross-Origin-Embedder-Policy require-corp always;
|
||||||
|
add_header Cross-Origin-Opener-Policy same-origin always;
|
||||||
|
add_header Cross-Origin-Resource-Policy same-origin always;
|
||||||
|
include snippets/fastcgi-php.conf;
|
||||||
|
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
|
||||||
|
expires off;
|
||||||
|
}
|
||||||
|
location ~ \.php$ {
|
||||||
|
add_header Referrer-Policy no-referrer always;
|
||||||
|
add_header Onion-Location http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion$request_uri always;
|
||||||
|
add_header Expect-CT "max-age=86400, enforce" always;
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
include snippets/fastcgi-php.conf;
|
||||||
|
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
|
||||||
|
expires off;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
21
etc/nginx/sites-enabled/openpgpkey
Normal file
21
etc/nginx/sites-enabled/openpgpkey
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
server {
|
||||||
|
listen [::]:443 ssl proxy_protocol http2;
|
||||||
|
add_header Expect-CT "max-age=86400, enforce" always;
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||||
|
root /var/www/html;
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
server_name openpgpkey.danwin1210.de;
|
||||||
|
location ~ ^/\.well-known/openpgpkey/(.*)/policy$ {
|
||||||
|
return 200 "";
|
||||||
|
}
|
||||||
|
rewrite /.well-known/openpgpkey/(.*)/hu /mail/openpgpkey_wkd.php?domain=$1 last;
|
||||||
|
location ~ \.php$ {
|
||||||
|
include snippets/fastcgi-php.conf;
|
||||||
|
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
|
||||||
|
expires off;
|
||||||
|
}
|
||||||
|
ssl_certificate /etc/acme.sh/danwin1210.de_ecc/fullchain.cer;
|
||||||
|
ssl_certificate_key /etc/acme.sh/danwin1210.de_ecc/danwin1210.de.key;
|
||||||
|
}
|
Loading…
Reference in a new issue