vps/nginx-rp/nginx.conf
2023-11-28 14:01:43 +00:00

263 lines
7.7 KiB
Nginx Configuration File
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 2048;
events {
worker_connections 1024;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
gzip off;
# Hide NGINX version in error messages.
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Logging
# log_not_found on;
# access_log /var/log/nginx/access.log;
# error_log /var/log/nginx/error.log warn;
keepalive_timeout 65;
ssl_certificate /etc/letsencrypt/live/viyurz.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/viyurz.fr/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/viyurz.fr/chain.pem;
# modern configuration
# ssl_protocols TLSv1.3;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /dhparam.txt;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
# HSTS (ngx_http_headers_module is required)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header Set-Cookie "Path=/; HttpOnly; Secure";
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 185.12.64.12 [a01:4ff:ff00::add:2] [2a01:4ff:ff00::add:1];
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Scheme $scheme;
# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server localhost:8081;
keepalive 2;
}
# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
# Redirect HTTP to HTTPS
server {
listen 80 default_server;
listen [::]:80 default_server;
http2 on;
server_name _;
return 308 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
server_name _;
server_name_in_redirect off;
return 404;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
# http3 on;
# quic_retry on;
# add_header Alt-Svc 'h3=":$server_port"; ma=86400';
# listen 443 quic reuseport;
# listen [::]:443 quic reuseport;
server_name nc.viyurz.fr;
location / {
proxy_pass http://localhost:11000;
add_header Set-Cookie "Path=/; HttpOnly; Secure";
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Accept-Encoding "";
client_body_buffer_size 512k;
proxy_read_timeout 86400s;
client_max_body_size 0;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name vw.viyurz.fr;
location / {
proxy_pass http://vaultwarden-default;
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
client_max_body_size 525M;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name sx.viyurz.fr;
location ~ ^/(config|healthz|stats/errors|stats/checker) {
proxy_pass http://localhost:8083;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Set-Cookie "Path=/; HttpOnly; Secure";
# Disable some features
add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
add_header Access-Control-Allow-Methods "GET, OPTIONS";
add_header Access-Control-Allow-Origin "*";
}
location /static/ {
proxy_pass http://localhost:8083;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Set-Cookie "Path=/; HttpOnly; Secure";
# Disable some features
add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
add_header Cache-Control "public, max-age=31536000";
}
location /image_proxy {
proxy_pass http://localhost:8083;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Set-Cookie "Path=/; HttpOnly; Secure";
# Disable some features
add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
add_header Content-Security-Policy "default-src 'none'; img-src 'self' data:";
}
location / {
proxy_pass http://localhost:8083;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Set-Cookie "Path=/; HttpOnly; Secure";
# Disable some features
add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
# add_header Cache-Control "no-cache, no-store";
# add_header Pragma "no-cache";
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com";
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name matrix.viyurz.fr;
location ~ ^(/_matrix|/_synapse/client) {
proxy_pass http://localhost:8008;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 50M;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name www.viyurz.fr;
location / {
proxy_pass http://localhost:8082;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name viyurz.fr;
location /.well-known/matrix/server {
default_type application/json;
return 200 '{ "m.server": "matrix.viyurz.fr:443" }';
}
location / {
return 308 https://www.viyurz.fr$request_uri;
}
}
}