worker_processes auto; worker_cpu_affinity auto; worker_rlimit_nofile 2048; events { worker_connections 1024; } http { charset utf-8; sendfile on; tcp_nopush on; tcp_nodelay on; gzip off; # Hide NGINX version in error messages. server_tokens off; include /etc/nginx/mime.types; default_type application/octet-stream; # Logging # log_not_found on; # access_log /var/log/nginx/access.log; # error_log /var/log/nginx/error.log warn; keepalive_timeout 65; ssl_certificate /etc/letsencrypt/live/viyurz.fr/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/viyurz.fr/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/viyurz.fr/chain.pem; # modern configuration # ssl_protocols TLSv1.3; # intermediate configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam ssl_dhparam /dhparam.txt; ssl_prefer_server_ciphers off; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; # HSTS (ngx_http_headers_module is required) add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header X-Robots-Tag "noindex, nofollow" always; add_header Set-Cookie "Path=/; HttpOnly; Secure"; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; resolver 185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1]; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Client-Port $remote_port; proxy_set_header X-SSL-Cert $ssl_client_cert; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; proxy_set_header X-Forwarded-Scheme $scheme; # The `upstream` directives ensure that you have a http/1.1 connection # This enables the keepalive option and better performance # # Define the server IP and ports here. upstream vaultwarden-default { zone vaultwarden-default 64k; server localhost:8081; keepalive 2; } # Needed to support websocket connections # See: https://nginx.org/en/docs/http/websocket.html # Instead of "close" as stated in the above link we send an empty value. # Else all keepalive connections will not work. map $http_upgrade $connection_upgrade { default upgrade; '' ""; } # Redirect HTTP to HTTPS server { listen 80 default_server; listen [::]:80 default_server; http2 on; server_name _; return 308 https://$host$request_uri; } server { listen 443 ssl default_server; listen [::]:443 ssl default_server; http2 on; server_name _; server_name_in_redirect off; return 404; } server { listen 443 ssl; listen [::]:443 ssl; http2 on; # http3 on; # quic_retry on; # add_header Alt-Svc 'h3=":$server_port"; ma=86400'; # listen 443 quic reuseport; # listen [::]:443 quic reuseport; server_name nc.viyurz.fr; location / { proxy_pass http://localhost:11000; add_header Set-Cookie "Path=/; HttpOnly; Secure"; # Websocket proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Accept-Encoding ""; client_body_buffer_size 512k; proxy_read_timeout 86400s; client_max_body_size 0; } } server { listen 443 ssl; listen [::]:443 ssl; http2 on; server_name vw.viyurz.fr; location / { proxy_pass http://vaultwarden-default; # Websocket proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; client_max_body_size 525M; } } server { listen 443 ssl; listen [::]:443 ssl; http2 on; server_name searx.viyurz.fr; location ~ ^/(config|healthz|stats/errors|stats/checker) { proxy_pass http://localhost:8083; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header Set-Cookie "Path=/; HttpOnly; Secure"; # Disable some features add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; add_header Access-Control-Allow-Methods "GET, OPTIONS"; add_header Access-Control-Allow-Origin "*"; } location /static/ { proxy_pass http://localhost:8083; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header Set-Cookie "Path=/; HttpOnly; Secure"; # Disable some features add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; add_header Cache-Control "public, max-age=31536000"; } location /image_proxy { proxy_pass http://localhost:8083; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header Set-Cookie "Path=/; HttpOnly; Secure"; # Disable some features add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; add_header Content-Security-Policy "default-src 'none'; img-src 'self' data:"; } location / { proxy_pass http://localhost:8083; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header Set-Cookie "Path=/; HttpOnly; Secure"; # Disable some features add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; # add_header Cache-Control "no-cache, no-store"; # add_header Pragma "no-cache"; add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"; } } server { listen 443 ssl; listen [::]:443 ssl; http2 on; server_name matrix.viyurz.fr; location ~ ^(/_matrix|/_synapse/client) { proxy_pass http://localhost:8008; # Nginx by default only allows file uploads up to 1M in size # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml client_max_body_size 50M; } } upstream stdisco.viyurz.fr { # Local IP address:port for discovery server server localhost:8443; } server { listen 443 ssl; listen [::]:443 ssl; http2 on; server_name stdisco.viyurz.fr; ssl_verify_client optional_no_ca; location / { proxy_pass http://stdisco.viyurz.fr; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; } } server { listen 443 ssl; listen [::]:443 ssl; http2 on; server_name www.viyurz.fr; location / { proxy_pass http://localhost:8082; } } server { listen 443 ssl; listen [::]:443 ssl; http2 on; server_name viyurz.fr; location /.well-known/matrix/server { default_type application/json; return 200 '{ "m.server": "matrix.viyurz.fr:443" }'; } location / { return 308 https://www.viyurz.fr$request_uri; } } }