diff --git a/maj.sh b/maj.sh index 59e8061..bd52091 100755 --- a/maj.sh +++ b/maj.sh @@ -1,7 +1,7 @@ #!/bin/bash -services=(mc nginx-rp nginx-www searxng synapse vw) +services=(mc nginx-www searxng synapse syncthing vw) if [[ ! $(echo "${services[*]} all" | grep -P "\b$1\b" ) ]]; then diff --git a/nginx-rp/copy-conf.sh b/nginx-rp/copy-conf.sh new file mode 100755 index 0000000..9cc5675 --- /dev/null +++ b/nginx-rp/copy-conf.sh @@ -0,0 +1,31 @@ +#!/bin/bash + + +if [[ $UID -ne 0 ]]; then + echo "This script must be run as root." + exit 1 +fi + +# Chemin relatif pour les cas où +# le script n'est pas exécuté depuis +# le répertoire où il se trouve. +rel_path="$(dirname "$0")" + +# Fichiers requis pour le script +files=('dhparam.txt' 'nginx.conf' 'reverse-proxy.conf') +for file in "${files[@]}"; do + if ! [[ -f "$rel_path/$file" ]]; then + echo "Required file $file is missing, exiting." + exit 1 + fi +done + + +cp "$rel_path/nginx.conf" /etc/nginx/ +cp "$rel_path/reverse-proxy.conf" /etc/nginx/sites-available/ +cp "$rel_path/dhparam.txt" /etc/nginx/ + +rm /etc/nginx/sites-enabled/* +ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf + +systemctl reload nginx diff --git a/nginx-rp/nginx.conf b/nginx-rp/nginx.conf index 3d07e30..5861456 100644 --- a/nginx-rp/nginx.conf +++ b/nginx-rp/nginx.conf @@ -1,34 +1,38 @@ +user www-data; worker_processes auto; -worker_cpu_affinity auto; -worker_rlimit_nofile 2048; - +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; events { - worker_connections 1024; + worker_connections 768; + # multi_accept on; } http { - charset utf-8; - + + ## + # Basic Settings + ## + sendfile on; tcp_nopush on; tcp_nodelay on; gzip off; - - # Hide NGINX version in error messages. + types_hash_max_size 2048; server_tokens off; - + keepalive_timeout 65; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + include /etc/nginx/mime.types; default_type application/octet-stream; - # Logging - # log_not_found on; - # access_log /var/log/nginx/access.log; - # error_log /var/log/nginx/error.log warn; + ## + # SSL Settings + ## - keepalive_timeout 65; - ssl_certificate /etc/letsencrypt/live/viyurz.fr/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/viyurz.fr/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/viyurz.fr/chain.pem; @@ -40,7 +44,7 @@ http { ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam - ssl_dhparam /dhparam.txt; + ssl_dhparam /etc/nginx/dhparam.txt; ssl_prefer_server_ciphers off; @@ -48,35 +52,35 @@ http { ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; - # HSTS (ngx_http_headers_module is required) - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - - add_header X-Robots-Tag "noindex, nofollow" always; - add_header Set-Cookie "Path=/; HttpOnly; Secure"; + ssl_stapling on; + ssl_stapling_verify on; - # OCSP stapling - ssl_stapling on; - ssl_stapling_verify on; + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Headers + ## resolver 185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1]; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-Robots-Tag "noindex, nofollow" always; + add_header Set-Cookie "Path=/; HttpOnly; Secure"; + proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Client-Port $remote_port; + proxy_set_header X-SSL-Cert $ssl_client_cert; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; proxy_set_header X-Forwarded-Scheme $scheme; - # The `upstream` directives ensure that you have a http/1.1 connection - # This enables the keepalive option and better performance - # - # Define the server IP and ports here. - upstream vaultwarden-default { - zone vaultwarden-default 64k; - server localhost:8081; - keepalive 2; - } - # Needed to support websocket connections # See: https://nginx.org/en/docs/http/websocket.html # Instead of "close" as stated in the above link we send an empty value. @@ -86,178 +90,10 @@ http { '' ""; } - # Redirect HTTP to HTTPS - server { - listen 80 default_server; - listen [::]:80 default_server; + ## + # Virtual Host Configs + ## - http2 on; - - server_name _; - - return 308 https://$host$request_uri; - } - - server { - listen 443 ssl default_server; - listen [::]:443 ssl default_server; - - http2 on; - - server_name _; - server_name_in_redirect off; - - return 404; - } - - server { - listen 443 ssl; - listen [::]:443 ssl; - - http2 on; - - # http3 on; - # quic_retry on; - # add_header Alt-Svc 'h3=":$server_port"; ma=86400'; - # listen 443 quic reuseport; - # listen [::]:443 quic reuseport; - - server_name nc.viyurz.fr; - - location / { - proxy_pass http://localhost:11000; - - add_header Set-Cookie "Path=/; HttpOnly; Secure"; - - # Websocket - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Accept-Encoding ""; - - client_body_buffer_size 512k; - proxy_read_timeout 86400s; - client_max_body_size 0; - } - } - - server { - listen 443 ssl; - listen [::]:443 ssl; - - http2 on; - - server_name vw.viyurz.fr; - - location / { - proxy_pass http://vaultwarden-default; - - # Websocket - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - client_max_body_size 525M; - } - } - - server { - listen 443 ssl; - listen [::]:443 ssl; - - http2 on; - - server_name searx.viyurz.fr; - - location ~ ^/(config|healthz|stats/errors|stats/checker) { - proxy_pass http://localhost:8083; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - add_header Set-Cookie "Path=/; HttpOnly; Secure"; - # Disable some features - add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; - add_header Access-Control-Allow-Methods "GET, OPTIONS"; - add_header Access-Control-Allow-Origin "*"; - } - - location /static/ { - proxy_pass http://localhost:8083; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - add_header Set-Cookie "Path=/; HttpOnly; Secure"; - # Disable some features - add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; - add_header Cache-Control "public, max-age=31536000"; - } - - location /image_proxy { - proxy_pass http://localhost:8083; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - add_header Set-Cookie "Path=/; HttpOnly; Secure"; - # Disable some features - add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; - add_header Content-Security-Policy "default-src 'none'; img-src 'self' data:"; - } - - location / { - proxy_pass http://localhost:8083; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - add_header Set-Cookie "Path=/; HttpOnly; Secure"; - # Disable some features - add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; - # add_header Cache-Control "no-cache, no-store"; - # add_header Pragma "no-cache"; - add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"; - } - } - - server { - listen 443 ssl; - listen [::]:443 ssl; - - http2 on; - - server_name matrix.viyurz.fr; - - location ~ ^(/_matrix|/_synapse/client) { - proxy_pass http://localhost:8008; - - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size 50M; - } - } - - server { - listen 443 ssl; - listen [::]:443 ssl; - - http2 on; - - server_name www.viyurz.fr; - - location / { - proxy_pass http://localhost:8082; - } - } - - server { - listen 443 ssl; - listen [::]:443 ssl; - - http2 on; - - server_name viyurz.fr; - - location /.well-known/matrix/server { - default_type application/json; - return 200 '{ "m.server": "matrix.viyurz.fr:443" }'; - } - - location / { - return 308 https://www.viyurz.fr$request_uri; - } - } + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; } diff --git a/nginx-rp/reverse-proxy.conf b/nginx-rp/reverse-proxy.conf new file mode 100644 index 0000000..3fdbbf8 --- /dev/null +++ b/nginx-rp/reverse-proxy.conf @@ -0,0 +1,166 @@ +# Redirect HTTP to HTTPS +server { + listen 80 http2 default_server; + listen [::]:80 http2 default_server; + + server_name _; + + return 308 https://$host$request_uri; +} + + + +# Default HTTPS server +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; + + server_name _; + server_name_in_redirect off; + + return 404; +} + + + +# Nextcloud +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name nc.viyurz.fr; + + location / { + proxy_pass http://localhost:11000; + + add_header Set-Cookie "Path=/; HttpOnly; Secure"; + + # Websocket + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Accept-Encoding ""; + + client_body_buffer_size 512k; + proxy_read_timeout 86400s; + client_max_body_size 0; + } +} + + + +# Vaultwarden +upstream vaultwarden-default { + zone vaultwarden-default 64k; + server localhost:8081; + keepalive 2; +} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name vw.viyurz.fr; + + location / { + proxy_pass http://vaultwarden-default; + + # Websocket + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + client_max_body_size 525M; + } +} + + + +# SearxNG +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name searx.viyurz.fr; + + location / { + proxy_pass http://localhost:8083; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header Set-Cookie "Path=/; HttpOnly; Secure"; + add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"; + } +} + + + +# Matrix/Synapse +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name matrix.viyurz.fr; + + location ~ ^(/_matrix|/_synapse/client) { + proxy_pass http://localhost:8008; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + } +} + + + +# Syncthing Discovery +upstream stdisco.viyurz.fr { + # Local IP address:port for discovery server + server localhost:8443; +} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name stdisco.viyurz.fr; + + ssl_verify_client optional_no_ca; + + location / { + proxy_pass http://stdisco.viyurz.fr; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + } +} + + + +# Homepage +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name www.viyurz.fr; + + location / { + proxy_pass http://localhost:8082; + } +} + + + +# Base domain redirect +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name viyurz.fr; + + location /.well-known/matrix/server { + default_type application/json; + return 200 '{ "m.server": "matrix.viyurz.fr:443" }'; + } + + location / { + return 308 https://www.viyurz.fr$request_uri; + } +} diff --git a/unused-nginx-rp-docker/dhparam.txt b/unused-nginx-rp-docker/dhparam.txt new file mode 100644 index 0000000..088f967 --- /dev/null +++ b/unused-nginx-rp-docker/dhparam.txt @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/nginx-rp/docker-compose.yaml b/unused-nginx-rp-docker/docker-compose.yaml similarity index 100% rename from nginx-rp/docker-compose.yaml rename to unused-nginx-rp-docker/docker-compose.yaml diff --git a/unused-nginx-rp-docker/nginx.conf b/unused-nginx-rp-docker/nginx.conf new file mode 100644 index 0000000..5f38196 --- /dev/null +++ b/unused-nginx-rp-docker/nginx.conf @@ -0,0 +1,288 @@ +worker_processes auto; +worker_cpu_affinity auto; +worker_rlimit_nofile 2048; + + +events { + worker_connections 1024; +} + +http { + charset utf-8; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + + gzip off; + + # Hide NGINX version in error messages. + server_tokens off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Logging + # log_not_found on; + # access_log /var/log/nginx/access.log; + # error_log /var/log/nginx/error.log warn; + + keepalive_timeout 65; + + ssl_certificate /etc/letsencrypt/live/viyurz.fr/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/viyurz.fr/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/viyurz.fr/chain.pem; + + # modern configuration + # ssl_protocols TLSv1.3; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; + # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam + ssl_dhparam /dhparam.txt; + + ssl_prefer_server_ciphers off; + + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # HSTS (ngx_http_headers_module is required) + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + + add_header X-Robots-Tag "noindex, nofollow" always; + add_header Set-Cookie "Path=/; HttpOnly; Secure"; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + + resolver 185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1]; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Client-Port $remote_port; + proxy_set_header X-SSL-Cert $ssl_client_cert; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + proxy_set_header X-Forwarded-Scheme $scheme; + + # The `upstream` directives ensure that you have a http/1.1 connection + # This enables the keepalive option and better performance + # + # Define the server IP and ports here. + upstream vaultwarden-default { + zone vaultwarden-default 64k; + server localhost:8081; + keepalive 2; + } + + # Needed to support websocket connections + # See: https://nginx.org/en/docs/http/websocket.html + # Instead of "close" as stated in the above link we send an empty value. + # Else all keepalive connections will not work. + map $http_upgrade $connection_upgrade { + default upgrade; + '' ""; + } + + # Redirect HTTP to HTTPS + server { + listen 80 default_server; + listen [::]:80 default_server; + + http2 on; + + server_name _; + + return 308 https://$host$request_uri; + } + + server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + + http2 on; + + server_name _; + server_name_in_redirect off; + + return 404; + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + + http2 on; + + # http3 on; + # quic_retry on; + # add_header Alt-Svc 'h3=":$server_port"; ma=86400'; + # listen 443 quic reuseport; + # listen [::]:443 quic reuseport; + + server_name nc.viyurz.fr; + + location / { + proxy_pass http://localhost:11000; + + add_header Set-Cookie "Path=/; HttpOnly; Secure"; + + # Websocket + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Accept-Encoding ""; + + client_body_buffer_size 512k; + proxy_read_timeout 86400s; + client_max_body_size 0; + } + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + + http2 on; + + server_name vw.viyurz.fr; + + location / { + proxy_pass http://vaultwarden-default; + + # Websocket + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + client_max_body_size 525M; + } + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + + http2 on; + + server_name searx.viyurz.fr; + + location ~ ^/(config|healthz|stats/errors|stats/checker) { + proxy_pass http://localhost:8083; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header Set-Cookie "Path=/; HttpOnly; Secure"; + # Disable some features + add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; + add_header Access-Control-Allow-Methods "GET, OPTIONS"; + add_header Access-Control-Allow-Origin "*"; + } + + location /static/ { + proxy_pass http://localhost:8083; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header Set-Cookie "Path=/; HttpOnly; Secure"; + # Disable some features + add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; + add_header Cache-Control "public, max-age=31536000"; + } + + location /image_proxy { + proxy_pass http://localhost:8083; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header Set-Cookie "Path=/; HttpOnly; Secure"; + # Disable some features + add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; + add_header Content-Security-Policy "default-src 'none'; img-src 'self' data:"; + } + + location / { + proxy_pass http://localhost:8083; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header Set-Cookie "Path=/; HttpOnly; Secure"; + # Disable some features + add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; + # add_header Cache-Control "no-cache, no-store"; + # add_header Pragma "no-cache"; + add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"; + } + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + + http2 on; + + server_name matrix.viyurz.fr; + + location ~ ^(/_matrix|/_synapse/client) { + proxy_pass http://localhost:8008; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + } + } + + upstream stdisco.viyurz.fr { + # Local IP address:port for discovery server + server localhost:8443; + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + + http2 on; + + server_name stdisco.viyurz.fr; + + ssl_verify_client optional_no_ca; + + location / { + proxy_pass http://stdisco.viyurz.fr; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $http_connection; + } + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + + http2 on; + + server_name www.viyurz.fr; + + location / { + proxy_pass http://localhost:8082; + } + } + + server { + listen 443 ssl; + listen [::]:443 ssl; + + http2 on; + + server_name viyurz.fr; + + location /.well-known/matrix/server { + default_type application/json; + return 200 '{ "m.server": "matrix.viyurz.fr:443" }'; + } + + location / { + return 308 https://www.viyurz.fr$request_uri; + } + } +}