diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ba34117
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+# sr.ht-nginx
+
+This is the nginx configuration files used by sr.ht in production. They are
+designed to run on an Alpine Linux system using the official sourcehut Alpine
+packages. You may use them on your own servers, though your mileage my vary.
+Install the -nginx package (e.g. git.sr.ht-nginx) to pull in these files, then
+edit `/etc/nginx/domains.conf` (and `/etc/nginx/nginx.conf`, if necessary) to
+suit your particular installation.
diff --git a/builds.sr.ht.conf b/builds.sr.ht.conf
index f38cd28..dd16c85 100644
--- a/builds.sr.ht.conf
+++ b/builds.sr.ht.conf
@@ -1,70 +1,28 @@ server { - listen 80; - listen [::]:80; - server_name builds.sr.ht; - - location / { - return 302 https://$server_name$request_uri; - } - - location ^~ /.well-known { - root /var/www; - } + server_name $buildssrht; + include port80.conf; } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name builds.sr.ht; + server_name $buildssrht; + include port443.conf; + + ssl_certificate /etc/ssl/uacme/$buildssrht/cert.pem; + ssl_certificate_key /etc/ssl/uacme/private/$buildssrht/key.pem; client_max_body_size 100M; - ssl_certificate /etc/ssl/uacme/builds.sr.ht/cert.pem; - ssl_certificate_key /etc/ssl/uacme/private/builds.sr.ht/key.pem; - - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'" always; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Fuck you, Google, I don't spy on my users - add_header Permissions-Policy interest-cohort=(); - - gzip on; - gzip_types text/css text/html; location / { proxy_pass http://127.0.0.1:5002; - } - - location /static { - root /usr/lib/python3.9/site-packages/buildsrht; - expires 30d; + include web.conf; } location /query { proxy_pass http://127.0.0.1:5102; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain; charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - - add_header 'Access-Control-Allow-Origin' '*'; 
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; + include graphql.conf; } - location ^~ /.well-known { - root /var/www; - } - - location = /robots.txt { - root /var/www; + location /static { + root /usr/lib/$python/site-packages/buildsrht; + expires 30d; } } diff --git a/dispatch.sr.ht.conf b/dispatch.sr.ht.conf index 0b98f39..341089c 100644 --- a/dispatch.sr.ht.conf +++ b/dispatch.sr.ht.conf 
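Review bot: `server_name $buildssrht;` will not do what this hunk intends: `server_name` is evaluated once at configuration time and does not expand variables, so nginx registers the literal name `$buildssrht`, no Host header ever matches it, and requests for builds.sr.ht most likely land in whichever block nginx treats as the default. The same construct is used in the dispatch, git, hg, hub, lists, man, meta, paste and todo hunks. The `ssl_certificate`/`ssl_certificate_key` lines are different in kind — variables are supported there from nginx 1.15.9 — but the certificate is then loaded on every TLS handshake, so a fixed path is preferable where the name is known. If the goal is one editable list of hostnames, expanding a template at package-install time (or keeping literal names per file) is the reliable option.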
@@ -1,47 +1,22 @@ server { - listen 80; - listen [::]:80; - server_name dispatch.sr.ht; - - location / { - return 302 https://$server_name$request_uri; - } - - location ^~ /.well-known { - root /var/www; - } + server_name $dispatchsrht; + include port80.conf; } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name dispatch.sr.ht; - ssl_certificate /etc/ssl/uacme/dispatch.sr.ht/cert.pem; - ssl_certificate_key /etc/ssl/uacme/private/dispatch.sr.ht/key.pem; + server_name $dispatchsrht; + include port443.conf; - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self'" always; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Fuck you, Google, I don't spy on my users - add_header Permissions-Policy interest-cohort=(); - - gzip on; - gzip_types text/html text/css; + ssl_certificate /etc/ssl/uacme/$dispatchsrht/cert.pem; + ssl_certificate_key /etc/ssl/uacme/private/$dispatchsrht/key.pem; location / { proxy_pass http://127.0.0.1:5005; + include web.conf; } location /static { - root /usr/lib/python3.9/site-packages/dispatchsrht; + root /usr/lib/$python/site-packages/dispatchsrht; expires 30d; } - - location ^~ /.well-known { - root /var/www; - } - - location = /robots.txt { - root /var/www; - } } diff --git a/domains.conf b/domains.conf new file mode 100644 index 0000000..3bae7d6 --- /dev/null +++ b/domains.conf 
@@ -0,0 +1,14 @@
+# Update this file to configure the domain names for your sr.ht installation.
+# Any services you have not set up may be left unchanged.
+set $buildssrht = "builds.sr.ht";
+set $dispatchsrht = "dispatch.sr.ht";
+set $gitsrht = "git.sr.ht";
+set $hgsrht = "hg.sr.ht";
+set $hubsrht = "sr.ht";
+set $listssrht = "lists.sr.ht";
+set $mansrht = "man.sr.ht";
+set $metasrht = "meta.sr.ht";
+set $pastesrht = "paste.sr.ht";
+set $todosrht = "todo.sr.ht";
+
+set $private_network = "173.195.146.128/25";
diff --git a/git.sr.ht.conf b/git.sr.ht.conf
index 6d41b5d..2ed253c 100644
--- a/git.sr.ht.conf
+++ b/git.sr.ht.conf
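Review bot: `set $buildssrht = "builds.sr.ht";` (and every other `set` line in this file) is not valid nginx syntax: `set` takes exactly two arguments, `set $variable value;`, so the `=` becomes a third argument and nginx refuses to start with an invalid-number-of-arguments error. `set` is also a rewrite-module directive allowed only inside `server`, `location` and `if`, whereas this file is included from the `http` block in nginx.conf, where `set $python = "python3.9";` has the same two problems. Even once parsed, these would be per-request variables populated in the rewrite phase, so they cannot feed configuration-time directives such as `server_name` or `set_real_ip_from`. The header comment should describe whatever override mechanism actually works (for example generating the per-service files from this list) rather than promising that editing `set` lines is enough.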
@@ -1,51 +1,31 @@ server { - listen 80; - listen [::]:80; - server_name git.sr.ht; - - location / { - return 302 https://$server_name$request_uri; - } - - location ^~ /.well-known { - root /var/www; - } + server_name $gitsrht; + include port80.conf; } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name git.sr.ht; + server_name $gitsrht; + include port443.conf; + + ssl_certificate /etc/ssl/uacme/$gitsrht/cert.pem; + ssl_certificate_key /etc/ssl/uacme/private/$gitsrht/key.pem; client_max_body_size 100M; - ssl_certificate /etc/ssl/uacme/git.sr.ht/cert.pem; - ssl_certificate_key /etc/ssl/uacme/private/git.sr.ht/key.pem; - - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Fuck you, Google, I don't spy on my users - add_header Permissions-Policy interest-cohort=(); - - gzip on; - gzip_types text/css text/html; location / { proxy_pass http://127.0.0.1:5001; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; + include web.conf; + } + + location /query { + proxy_pass http://127.0.0.1:5101; + include graphql.conf; } location /static { - root /usr/lib/python3.9/site-packages/gitsrht; + root /usr/lib/$python/site-packages/gitsrht; expires 30d; } - location ^~ /.well-known { - root /var/www; - } - location = /authorize { proxy_pass http://127.0.0.1:5001; proxy_pass_request_body off; 
@@ -64,30 +44,4 @@ server { include fastcgi_params; gzip off; } - - location /query { - proxy_pass http://127.0.0.1:5101; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain; charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; - } - - location = /robots.txt { - root /var/www; - } } diff --git a/graphql.conf b/graphql.conf new file mode 100644 index 0000000..0bb9ad5 --- /dev/null +++ b/graphql.conf 
@@ -0,0 +1,21 @@
+set_real_ip_from 127.0.0.1/16;
+set_real_ip_from $private_network;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Proto https;
+
+if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+}
+
+add_header 'Access-Control-Allow-Origin' '*';
+add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
diff --git a/hg.sr.ht.conf b/hg.sr.ht.conf
index 354d610..1fe1319 100644
--- a/hg.sr.ht.conf
+++ b/hg.sr.ht.conf
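Review bot: Dropping `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` (present in every removed `/query` block) means the upstream no longer receives a trusted client address: nginx forwards whatever `X-Forwarded-For` the client itself sent, unmodified, and sends no `X-Real-IP` at all. The realip directives at the top of this file only correct nginx's own `$remote_addr`; re-adding `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` after them would pass that corrected, trusted address on to the application. `set_real_ip_from $private_network;` also cannot work, because `set_real_ip_from` is parsed at configuration time and does not expand variables — web.conf spells the CIDR out literally and this file should match it. Note too that the `add_header` directives here stop the server-level HSTS/CSP headers from being inherited into `/query` (nginx inherits `add_header` only when the current level defines none); that was already true before this change, but a one-line comment saying so would spare the next reader a surprise. The missing-forwarding point applies equally to web.conf.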
@@ -1,47 +1,31 @@ server { - listen 80; - listen [::]:80; - server_name hg.sr.ht; - - location / { - return 302 https://$server_name$request_uri; - } - - location ^~ /.well-known { - root /var/www; - } + server_name $hgsrht; + include port80.conf; } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name hg.sr.ht; + server_name $hgsrht; + include port443.conf; + + ssl_certificate /etc/ssl/uacme/$hgsrht/cert.pem; + ssl_certificate_key /etc/ssl/uacme/private/$hgsrht/key.pem; client_max_body_size 100M; - ssl_certificate /etc/ssl/uacme/hg.sr.ht/cert.pem; - ssl_certificate_key /etc/ssl/uacme/private/hg.sr.ht/key.pem; - - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Fuck you, Google, I don't spy on my users - add_header Permissions-Policy interest-cohort=(); - - gzip on; - gzip_types text/css; location / { proxy_pass http://127.0.0.1:5010; + include web.conf; + } + + location /query { + proxy_pass http://127.0.0.1:5110; + include graphql.conf; } location /static { - root /usr/lib/python3.9/site-packages/hgsrht; + root /usr/lib/$python/site-packages/hgsrht; expires 30d; } - location ^~ /.well-known { - root /var/www; - } - location = /authorize { proxy_pass http://127.0.0.1:5001; proxy_pass_request_body off; @@ -55,9 +39,4 @@ server { location ~ ^/[~^][a-z0-9_]+/[a-zA-Z0-9_.-]+/\.hg/bundles/.*$ { root /var/lib/mercurial; } - - location = /robots.txt { - root /var/www; - } } - diff --git a/hub.sr.ht.conf b/hub.sr.ht.conf index 9106274..4365232 100644 --- a/hub.sr.ht.conf +++ b/hub.sr.ht.conf 
@@ -1,89 +1,32 @@ server { - listen 80; - listen [::]:80; - server_name sr.ht; - - location / { - return 302 https://$server_name$request_uri; - } + server_name $hubsrht; + include port80.conf; + # Redirect for legacy.sr.ht location ~ ^/[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$ { return 302 https://l.sr.ht$request_uri; } - - location ^~ /.well-known { - root /var/www; - } } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name sr.ht; - ssl_certificate /etc/ssl/uacme/sr.ht/cert.pem; - ssl_certificate_key /etc/ssl/uacme/private/sr.ht/key.pem; + server_name $hubsrht; + include port443.conf; - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Fuck you, Google, I don't spy on my users - add_header Permissions-Policy interest-cohort=(); - - gzip on; - gzip_types text/css text/html; + ssl_certificate /etc/ssl/uacme/$hubsrht/cert.pem; + ssl_certificate_key /etc/ssl/uacme/private/$hubsrht/key.pem; location / { proxy_pass http://127.0.0.1:5014; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; + include web.conf; } location /static { - root /usr/lib/python3.9/site-packages/hubsrht; + root /usr/lib/$python/site-packages/hubsrht; expires 30d; } + # Redirect for legacy.sr.ht location ~ ^/[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$ { return 302 https://l.sr.ht$request_uri; } - - location = /robots.txt { - root /var/www; - } -} - -server { - listen 80; - listen [::]:80; - server_name hub.sr.ht; - - location / { - return 302 https://sr.ht$request_uri; - } - - location ^~ /.well-known { - root /var/www; - } -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name hub.sr.ht; - ssl_certificate 
/etc/ssl/uacme/sr.ht/cert.pem; - ssl_certificate_key /etc/ssl/uacme/private/sr.ht/key.pem; - - location / { - return 302 https://sr.ht$request_uri; - } - - location /webhooks { - proxy_pass http://127.0.0.1:5014; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - } } diff --git a/lists.sr.ht.conf b/lists.sr.ht.conf index 5663a9b..2c17315 100644 --- a/lists.sr.ht.conf +++ b/lists.sr.ht.conf 
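Review bot: This hunk deletes both `server_name hub.sr.ht;` blocks outright, including the `location /webhooks` that proxied hub.sr.ht deliveries to 127.0.0.1:5014 and the redirect of everything else to sr.ht. After this change a request carrying Host hub.sr.ht is answered by whichever block nginx treats as the default (no `default_server` appears in any hunk on this page), under that block's certificate, so any subscriber still posting to hub.sr.ht/webhooks would fail without a clear error. If the hostname is being retired, a minimal block with `server_name hub.sr.ht;` that keeps at least the redirect is worth retaining until the old URLs are known to be unused; otherwise the removal deserves a mention in the commit message, since it is easy to miss among the mechanical `include` substitutions.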
@@ -1,73 +1,27 @@ server { - listen 80; - listen [::]:80; - server_name lists.sr.ht; - - location / { - return 302 https://$server_name$request_uri; - } - - location ^~ /.well-known { - root /var/www; - } + server_name $listssrht; + include port80.conf; } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name lists.sr.ht; - ssl_certificate /etc/ssl/uacme/lists.sr.ht/cert.pem; - ssl_certificate_key /etc/ssl/uacme/private/lists.sr.ht/key.pem; + server_name $listssrht; + include port443.conf; - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'"; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Fuck you, Google, I don't spy on my users - add_header Permissions-Policy interest-cohort=(); - - gzip on; - gzip_types text/html text/css; + ssl_certificate /etc/ssl/uacme/$listssrht/cert.pem; + ssl_certificate_key /etc/ssl/uacme/private/$listssrht/key.pem; location / { proxy_pass http://127.0.0.1:5006; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; + include web.conf; } location /query { proxy_pass http://127.0.0.1:5106; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain; charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - - 
add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range'; + include graphql.conf; } location /static { - root /usr/lib/python3.9/site-packages/listssrht; + root /usr/lib/$python/site-packages/listssrht; expires 30d; } - - location ^~ /.well-known { - root /var/www; - } - - location = /robots.txt { - root /var/www; - } } diff --git a/man.sr.ht.conf b/man.sr.ht.conf index 63e55e9..6aa0350 100644 --- a/man.sr.ht.conf +++ b/man.sr.ht.conf 
@@ -1,63 +1,23 @@ server { - listen 80; - listen [::]:80; - server_name man.sr.ht; - - location / { - return 302 https://$server_name$request_uri; - } - - location ^~ /.well-known { - root /var/www; - } + server_name $mansrht; + include port80.conf; } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name man.sr.ht; + server_name $mansrht; + include port443.conf; + + ssl_certificate /etc/ssl/uacme/$mansrht/cert.pem; + ssl_certificate_key /etc/ssl/uacme/private/$mansrht/key.pem; client_max_body_size 100M; - ssl_certificate /etc/ssl/uacme/man.sr.ht/cert.pem; - ssl_certificate_key /etc/ssl/uacme/private/man.sr.ht/key.pem; - - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Fuck you, Google, I don't spy on my users - add_header Permissions-Policy interest-cohort=(); - - gzip on; - gzip_types text/css text/html; location / { proxy_pass http://127.0.0.1:5004; + include web.conf; } location /static { - root /usr/lib/python3.9/site-packages/mansrht; + root /usr/lib/$python/site-packages/mansrht; expires 30d; } - - location ^~ /.well-known { - root /var/www; - } - - location ~ ^(.*)/(.*)/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)).*$ { - root /var/lib/man; - } - - location ~ ^(.*)/(.*)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ { - root /var/lib/man; - fastcgi_pass unix:/run/fcgiwrap/fcgiwrap.sock; - fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend; - fastcgi_param PATH_INFO $uri; - fastcgi_param GIT_PROJECT_ROOT $document_root; - fastcgi_param GIT_HTTP_EXPORT_ALL ""; - include fastcgi_params; - gzip off; - } - - location = /robots.txt { - root /var/www; - } } diff --git a/meta.sr.ht.conf b/meta.sr.ht.conf index f1c961f..da3ee0c 100644 --- a/meta.sr.ht.conf 
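Review bot: Beyond the refactor the other files receive, this hunk also removes the two `location ~ …/objects/…` and `…/(HEAD|info/refs|objects/info/.*|git-upload-pack)…` blocks that served git smart-HTTP for man.sr.ht repositories from /var/lib/man via fcgiwrap and git-http-backend, and nothing in the new block replaces them. If man.sr.ht wikis are still expected to be cloneable over HTTPS this is a functional regression; if the feature is intentionally dropped, that should be stated in the commit message. Either way the deletion is unrelated to the `include` consolidation and would be clearer as its own commit.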
+++ b/meta.sr.ht.conf 
@@ -1,77 +1,27 @@ server { - listen 80; - listen [::]:80; - server_name meta.sr.ht; - - location / { - return 302 https://$server_name$request_uri; - } - - location ^~ /.well-known { - root /var/www; - } - - location = /robots.txt { - root /var/www; - } + server_name $metasrht; + include port80.conf; } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name meta.sr.ht; - ssl_certificate /etc/ssl/uacme/meta.sr.ht/cert.pem; - ssl_certificate_key /etc/ssl/uacme/private/meta.sr.ht/key.pem; + server_name $metasrht; + include port443.conf; - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Fuck you, Google, I don't spy on my users - add_header Permissions-Policy interest-cohort=(); - - gzip on; - gzip_types text/css text/html; + ssl_certificate /etc/ssl/uacme/$metasrht/cert.pem; + ssl_certificate_key /etc/ssl/uacme/private/$metasrht/key.pem; location / { proxy_pass http://127.0.0.1:5000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - } - - location /static { - root /usr/lib/python3.9/site-packages/metasrht; - expires 30d; - } - - location ^~ /.well-known { - root /var/www; + include web.conf; } location /query { proxy_pass http://127.0.0.1:5100; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 
'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
- add_header 'Access-Control-Max-Age' 1728000;
- add_header 'Content-Type' 'text/plain; charset=utf-8';
- add_header 'Content-Length' 0;
- return 204;
- }
-
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
- add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+ include graphql.conf;
 }
- location = /robots.txt {
- root /var/www;
+ location /static {
+ root /usr/lib/$python/site-packages/metasrht;
+ expires 30d;
 }
 }
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..fa5666a
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,35 @@
+user nginx;
+worker_processes auto;
+pcre_jit on;
+error_log /var/log/nginx/error.log warn;
+include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ server_tokens off;
+ client_max_body_size 1m;
+ sendfile on;
+ tcp_nopush on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:2m;
+ ssl_session_timeout 1h;
+ ssl_session_tickets off;
+ gzip_vary on;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ set $python = "python3.9";
+ include domains.conf;
+ include /etc/nginx/http.d/*.conf;
+}
diff --git a/paste.sr.ht.conf b/paste.sr.ht.conf
index 28516fa..eaa63e2 100644
--- a/paste.sr.ht.conf
+++ b/paste.sr.ht.conf
@@ -1,48 +1,23 @@ server { - listen 80; - listen [::]:80; - server_name paste.sr.ht pasta.sr.ht; - - location / { - return 302 https://$server_name$request_uri; - } - - location ^~ /.well-known { - root /var/www; - } + server_name $pastesrht pasta.sr.ht; + include port80.conf; } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name paste.sr.ht pasta.sr.ht; + server_name $pastesrht pasta.sr.ht; + include port443.conf; + + ssl_certificate /etc/ssl/uacme/$pastesrht/cert.pem; + ssl_certificate_key /etc/ssl/uacme/private/$pastesrht/key.pem; client_max_body_size 10M; - ssl_certificate /etc/ssl/uacme/paste.sr.ht/cert.pem; - ssl_certificate_key /etc/ssl/uacme/private/paste.sr.ht/key.pem; - - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Fuck you, Google, I don't spy on my users - add_header Permissions-Policy interest-cohort=(); - - gzip on; - gzip_types text/css text/html; location / { proxy_pass http://127.0.0.1:5011; + include web.conf; } location /static { - root /usr/lib/python3.9/site-packages/pastesrht; + root /usr/lib/$python/site-packages/pastesrht; expires 30d; } - - location ^~ /.well-known { - root /var/www; - } - - location = /robots.txt { - root /var/www; - } } diff --git a/port443.conf b/port443.conf new file mode 100644 index 0000000..00371d5 --- /dev/null +++ b/port443.conf 
@@ -0,0 +1,19 @@
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
+add_header X-Clacks-Overhead "GNU Terry Pratchett";
+add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+# Fuck you, Google, I don't spy on my users
+add_header Permissions-Policy interest-cohort=();
+
+gzip on;
+gzip_types text/css text/html;
+
+location ^~ /.well-known {
+ root /var/www;
+}
+
+location = /robots.txt {
+ root /var/www;
+}
diff --git a/port80.conf b/port80.conf
new file mode 100644
index 0000000..dc575d4
--- /dev/null
+++ b/port80.conf
@@ -0,0 +1,14 @@
+listen 80;
+listen [::]:80;
+
+location / {
+ return 302 https://$server_name$request_uri;
+}
+
+location ^~ /.well-known {
+ root /var/www;
+}
+
+location = /robots.txt {
+ root /var/www;
+}
diff --git a/todo.sr.ht.conf b/todo.sr.ht.conf
index 0d8cd51..fcf4636 100644
--- a/todo.sr.ht.conf
+++ b/todo.sr.ht.conf
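Review bot: The shared `Content-Security-Policy` in this file is the meta.sr.ht policy — `script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src …` — and including port443.conf applies it to every service. Compared with the per-file policies this commit removes, that is looser for dispatch, hg, hub, man and todo, which previously had `script-src 'self'` with neither `'unsafe-inline'` nor the Stripe hosts, and stricter for git, hg, hub, man, paste and todo, which allowed `img-src * data:` and will now have external images blocked by `img-src 'self' data:`. Keep the CSP `add_header` in each service's `server` block (only meta needs the Stripe sources) and leave this file with the headers that are genuinely common: X-Clacks-Overhead, Strict-Transport-Security and Permissions-Policy. A comment at the top stating that this file is included inside a `server` block, and that any `add_header` in a nested `location` (as graphql.conf does) suppresses these headers for that location, would also help future editors.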
@@ -1,70 +1,28 @@ server { - listen 80; - listen [::]:80; - server_name todo.sr.ht; - - location / { - return 302 https://$server_name$request_uri; - } - - location ^~ /.well-known { - root /var/www; - } + server_name $todosrht; + include port80.conf; } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name todo.sr.ht; + server_name $todosrht; + include port443.conf; + + ssl_certificate /etc/ssl/uacme/$todosrht/cert.pem; + ssl_certificate_key /etc/ssl/uacme/private/$todosrht/key.pem; client_max_body_size 100M; - ssl_certificate /etc/ssl/uacme/todo.sr.ht/cert.pem; - ssl_certificate_key /etc/ssl/uacme/private/todo.sr.ht/key.pem; - - add_header X-Clacks-Overhead "GNU Terry Pratchett"; - add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Fuck you, Google, I don't spy on my users - add_header Permissions-Policy interest-cohort=(); - - gzip on; - gzip_types text/css text/html; location / { proxy_pass http://127.0.0.1:5003; + include web.conf; } location /query { proxy_pass http://127.0.0.1:5103; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain; charset=utf-8'; - add_header 'Content-Length' 0; - return 204; - } - - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - add_header 'Access-Control-Allow-Headers' 
'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
- add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+ include graphql.conf;
 }
 location /static {
- root /usr/lib/python3.9/site-packages/todosrht;
+ root /usr/lib/$python/site-packages/todosrht;
 expires 30d;
 }
-
- location ^~ /.well-known {
- root /var/www;
- }
-
- location = /robots.txt {
- root /var/www;
- }
 }
diff --git a/web.conf b/web.conf
new file mode 100644
index 0000000..a2913f6
--- /dev/null
+++ b/web.conf
@@ -0,0 +1,6 @@
+set_real_ip_from 127.0.0.1/16;
+set_real_ip_from 173.195.146.128/25;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Proto https;
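Review bot: `set_real_ip_from 173.195.146.128/25;` hardcodes the network that domains.conf exposes as `$private_network` and that graphql.conf references through the variable, so the two include files disagree on where the trusted-proxy list lives; since `set_real_ip_from` cannot take a variable, the literal form here is the one that works, and graphql.conf should be brought in line with it. A comment such as `# Trusted proxies; self-hosters fronting nginx with their own proxies must change this or X-Forwarded-For is ignored` would make the security meaning of this line explicit. `127.0.0.1/16` is also imprecise: nginx accepts it but warns that the low address bits are meaningless and treats it as 127.0.0.0/16, so `127.0.0.1/32` (or `127.0.0.0/8`) states the intent exactly. As in graphql.conf, nothing here sets `X-Real-IP` or `X-Forwarded-For` for the upstream, so the realip-corrected address never reaches the application.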