From 68b323b8d55c4a1828dcd09bf86a2d9531461965 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sat, 14 Nov 2020 03:58:21 -0500
Subject: [PATCH] add full nginx configuration
---
nginx/nginx.conf | 175 ++++++++++++++++++++++++++++++++++++++++++++++
nginx/server.conf | 145 --------------------------------------
2 files changed, 175 insertions(+), 145 deletions(-)
create mode 100644 nginx/nginx.conf
delete mode 100644 nginx/server.conf
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 00000000..eb3d6fe6
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,175 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 768;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ charset utf-8;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ gzip on;
+ gzip_vary on;
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name www.grapheneos.org grapheneos.org;
+
+ root /var/empty;
+
+ return 301 https://grapheneos.org$request_uri;
+ }
+
+ server {
+ include /etc/nginx/snippets/https.conf;
+ server_name www.grapheneos.org;
+
+ root /var/empty;
+
+ include /etc/nginx/snippets/security-headers.conf;
+
+ return 301 https://grapheneos.org$request_uri;
+ }
+
+ server {
+ include /etc/nginx/snippets/https.conf;
+ server_name grapheneos.org;
+
+ root /var/www/html;
+ error_page 403 =404 /404.html;
+ error_page 404 /404.html;
+
+ include /etc/nginx/snippets/security-headers.conf;
+ gzip_static on;
+ gzip off;
+
+ if ($request_uri ~ ^/(.*)\.html$) {
+ return 301 /$1;
+ }
+
+ location = /security.txt {
+ return 301 /.well-known/security.txt;
+ }
+
+ location = /graphene.png {
+ return 301 /logo.png;
+ }
+
+ location = /pdfviewer_privacy_policy {
+ return 301 /pdfviewer-privacy-policy;
+ }
+
+ location = /safari_pinned_tab_icon.svg {
+ return 301 /mask-icon.svg;
+ }
+
+ location = /safari-pinned-tab-icon.svg {
+ return 301 /mask-icon.svg;
+ }
+
+ location = /bitcoin_address.png {
+ return 301 /bitcoin-donation.png;
+ }
+
+ location = /bitcoin-address.png {
+ return 301 /bitcoin-donation.png;
+ }
+
+ # mangled backlinks to /install
+ location = /installMinimal {
+ return 301 /install;
+ }
+
+ location = /LICENSE {
+ default_type text/plain;
+ }
+
+ location = /404 {
+ internal;
+ http2_push /grapheneos.css?20;
+ }
+
+ location = /404.html {
+ internal;
+ http2_push /grapheneos.css?20;
+ }
+
+ location ~ "^(.*)/index$" {
+ return 301 $1/;
+ }
+
+ location ~ "\.(ico|webmanifest)$" {
+ include /etc/nginx/snippets/security-headers.conf;
+ add_header Cache-Control "public, max-age=604800";
+ }
+
+ location ~ "\.(css|js|svg)$" {
+ include /etc/nginx/snippets/security-headers.conf;
+ add_header Cache-Control "public, max-age=31536000";
+ }
+
+ location ~ "\.(png|woff2)$" {
+ include /etc/nginx/snippets/security-headers.conf;
+ add_header Cache-Control "public, max-age=31536000";
+ gzip_static off;
+ }
+
+ location ~ "\.(json|pdf|txt|xml)$" {
+ include /etc/nginx/snippets/security-headers.conf;
+ add_header Cache-Control "public, max-age=1800";
+ }
+
+ # https://www.twipu.com/GrapheneOS doesn't handle links with fragments properly
+ location ~ "^/(.*)