add full nginx configuration

This commit is contained in:
Daniel Micay 2020-11-14 03:58:21 -05:00
parent 1594f0dce4
commit 68b323b8d5
2 changed files with 175 additions and 145 deletions

175
nginx/nginx.conf Normal file
View File

@ -0,0 +1,175 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
}
http {
include mime.types;
default_type application/octet-stream;
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_vary on;
server {
listen 80;
listen [::]:80;
server_name www.grapheneos.org grapheneos.org;
root /var/empty;
return 301 https://grapheneos.org$request_uri;
}
server {
include /etc/nginx/snippets/https.conf;
server_name www.grapheneos.org;
root /var/empty;
include /etc/nginx/snippets/security-headers.conf;
return 301 https://grapheneos.org$request_uri;
}
server {
include /etc/nginx/snippets/https.conf;
server_name grapheneos.org;
root /var/www/html;
error_page 403 =404 /404.html;
error_page 404 /404.html;
include /etc/nginx/snippets/security-headers.conf;
gzip_static on;
gzip off;
if ($request_uri ~ ^/(.*)\.html$) {
return 301 /$1;
}
location = /security.txt {
return 301 /.well-known/security.txt;
}
location = /graphene.png {
return 301 /logo.png;
}
location = /pdfviewer_privacy_policy {
return 301 /pdfviewer-privacy-policy;
}
location = /safari_pinned_tab_icon.svg {
return 301 /mask-icon.svg;
}
location = /safari-pinned-tab-icon.svg {
return 301 /mask-icon.svg;
}
location = /bitcoin_address.png {
return 301 /bitcoin-donation.png;
}
location = /bitcoin-address.png {
return 301 /bitcoin-donation.png;
}
# mangled backlinks to /install
location = /installMinimal {
return 301 /install;
}
location = /LICENSE {
default_type text/plain;
}
location = /404 {
internal;
http2_push /grapheneos.css?20;
}
location = /404.html {
internal;
http2_push /grapheneos.css?20;
}
location ~ "^(.*)/index$" {
return 301 $1/;
}
location ~ "\.(ico|webmanifest)$" {
include /etc/nginx/snippets/security-headers.conf;
add_header Cache-Control "public, max-age=604800";
}
location ~ "\.(css|js|svg)$" {
include /etc/nginx/snippets/security-headers.conf;
add_header Cache-Control "public, max-age=31536000";
}
location ~ "\.(png|woff2)$" {
include /etc/nginx/snippets/security-headers.conf;
add_header Cache-Control "public, max-age=31536000";
gzip_static off;
}
location ~ "\.(json|pdf|txt|xml)$" {
include /etc/nginx/snippets/security-headers.conf;
add_header Cache-Control "public, max-age=1800";
}
# https://www.twipu.com/GrapheneOS doesn't handle links with fragments properly
location ~ "^/(.*)<a href=$" {
return 301 https://grapheneos.org/$1;
}
location ~ "\.(br|gz)" {
internal;
}
location / {
include /etc/nginx/snippets/security-headers.conf;
add_header Cache-Control "public, max-age=1800";
try_files $uri $uri.html $uri/ =404;
http2_push /grapheneos.css?20;
}
}
server {
listen 80;
listen [::]:80;
server_name mta-sts.grapheneos.org mta-sts.mail.grapheneos.org;
root /var/empty;
return 301 https://mta-sts.grapheneos.org$request_uri;
}
server {
include /etc/nginx/snippets/https.conf;
server_name mta-sts.grapheneos.org mta-sts.mail.grapheneos.org;
root /var/www/mta-sts;
include /etc/nginx/snippets/security-headers.conf;
}
}

View File

@ -1,145 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name www.grapheneos.org grapheneos.org;
root /var/empty;
return 301 https://grapheneos.org$request_uri;
}
server {
include /etc/nginx/snippets/https.conf;
server_name www.grapheneos.org;
root /var/empty;
include /etc/nginx/snippets/security-headers.conf;
return 301 https://grapheneos.org$request_uri;
}
server {
include /etc/nginx/snippets/https.conf;
server_name grapheneos.org;
root /var/www/html;
error_page 403 =404 /404.html;
error_page 404 /404.html;
charset utf-8;
include /etc/nginx/snippets/security-headers.conf;
gzip_static on;
gzip off;
if ($request_uri ~ ^/(.*)\.html$) {
return 301 /$1;
}
location = /security.txt {
return 301 /.well-known/security.txt;
}
location = /graphene.png {
return 301 /logo.png;
}
location = /pdfviewer_privacy_policy {
return 301 /pdfviewer-privacy-policy;
}
location = /safari_pinned_tab_icon.svg {
return 301 /mask-icon.svg;
}
location = /safari-pinned-tab-icon.svg {
return 301 /mask-icon.svg;
}
location = /bitcoin_address.png {
return 301 /bitcoin-donation.png;
}
location = /bitcoin-address.png {
return 301 /bitcoin-donation.png;
}
# mangled backlinks to /install
location = /installMinimal {
return 301 /install;
}
location = /LICENSE {
default_type text/plain;
}
location = /404 {
internal;
http2_push /grapheneos.css?20;
}
location = /404.html {
internal;
http2_push /grapheneos.css?20;
}
location ~ "^(.*)/index$" {
return 301 $1/;
}
location ~ "\.(ico|webmanifest)$" {
include /etc/nginx/snippets/security-headers.conf;
add_header Cache-Control "public, max-age=604800";
}
location ~ "\.(css|js|svg)$" {
include /etc/nginx/snippets/security-headers.conf;
add_header Cache-Control "public, max-age=31536000";
}
location ~ "\.(png|woff2)$" {
include /etc/nginx/snippets/security-headers.conf;
add_header Cache-Control "public, max-age=31536000";
gzip_static off;
}
location ~ "\.(json|pdf|txt|xml)$" {
include /etc/nginx/snippets/security-headers.conf;
add_header Cache-Control "public, max-age=1800";
}
# https://www.twipu.com/GrapheneOS doesn't handle links with fragments properly
location ~ "^/(.*)<a href=$" {
return 301 https://grapheneos.org/$1;
}
location ~ "\.(br|gz)" {
internal;
}
location / {
include /etc/nginx/snippets/security-headers.conf;
add_header Cache-Control "public, max-age=1800";
try_files $uri $uri.html $uri/ =404;
http2_push /grapheneos.css?20;
}
}
server {
listen 80;
listen [::]:80;
server_name mta-sts.grapheneos.org mta-sts.mail.grapheneos.org;
root /var/empty;
return 301 https://mta-sts.grapheneos.org$request_uri;
}
server {
include /etc/nginx/snippets/https.conf;
server_name mta-sts.grapheneos.org mta-sts.mail.grapheneos.org;
root /var/www/mta-sts;
include /etc/nginx/snippets/security-headers.conf;
}