Daniel Micay
6fbd66ddfa
use 301 redirect with 1 day caching for Discord
There are scenarios where we may have to change the URL so the default
301 behavior is inappropriate but this will work fine.
2023-12-25 10:56:27 -05:00
Daniel Micay
02a97dd883
use long form Discord link
https://discord.gg/grapheneos is a 301 redirect to
https://discord.com/invite/grapheneos so it makes sense to use the long
form to avoid a redirect.
2023-12-24 02:32:57 -05:00
Daniel Micay
bbe5e44924
use custom invite link for Discord
2023-12-21 12:17:18 -05:00
Daniel Micay
82a514a5e3
add discord redirect
2023-11-22 20:36:43 -05:00
Daniel Micay
c748d7e960
simplify nginx configuration deployment
2023-07-15 17:56:13 -04:00
smdyv
4430036ea2
Change string markings for replacements
2023-07-13 16:08:16 -04:00
Daniel Micay
fafee3dcbc
drop legacy block-all-mixed-content
2023-07-11 11:23:57 -04:00
Daniel Micay
bfdffb6751
block WebRTC in Content Security Policy
2023-07-10 23:04:29 -04:00
Daniel Micay
74b26bbba5
use new OCSP cache path
2023-07-09 18:34:22 -04:00
Daniel Micay
7bf9b26716
drop legacy info on APEX components
2023-06-27 22:49:40 -04:00
Daniel Micay
8972cabb0f
move mta-sts to mail server
2023-06-21 14:57:31 -04:00
Daniel Micay
0982a9df80
move mta-sts.mail.grapheneos.org to mail server
2023-06-21 13:52:02 -04:00
Daniel Micay
a93b9da909
remove obsolete redirect
2023-06-06 14:10:39 -04:00
Daniel Micay
1775719fb3
avoid configuration warning with nginx 1.24.0
2023-05-23 18:02:49 -04:00
Daniel Micay
acdae9b362
add missing include for Matrix server delegation
2023-05-13 16:41:28 -04:00
Daniel Micay
6251dc371d
consistent whitespace style
2023-05-05 14:45:11 -04:00
Daniel Micay
8f2b158041
drop configuration to clear legacy push cookie
2023-03-24 18:46:50 -04:00
Daniel Micay
bab21cb7c4
improve HTTP request logging
* add $upstream_cache_status
* add '-$connection_requests' after $connection
* enable subrequest logging
$connection_requests makes it much easier to see connection reuse in the
logs and also helps to understand subrequests.
2023-03-09 11:00:51 -05:00
Daniel Micay
84219d55fe
add upstream timing to http log format
2023-03-07 14:17:51 -05:00
Daniel Micay
ea521a790b
enable minimal stderr logging
2023-03-07 10:56:36 -05:00
Daniel Micay
c82d81e018
ssl_reject_handshake is working as intended
2023-03-07 10:32:56 -05:00
Daniel Micay
8649a94b53
update Roboto fonts
2023-03-06 11:41:01 -05:00
Daniel Micay
31e0ab3807
work around unreliable ssl_reject_handshake
2023-03-06 10:58:56 -05:00
Daniel Micay
365d7ecfd0
avoid double logging for nginx error log
2023-03-06 00:52:05 -05:00
Daniel Micay
89ab32dbe3
disable keepalive for stub HTTP service
2023-02-27 02:41:28 -05:00
Daniel Micay
563a5bf330
use consistent configuration style
2023-02-26 10:48:55 -05:00
Daniel Micay
50e3e2355f
disable keepalive for MTA-STS
2023-02-24 17:37:26 -05:00
Daniel Micay
bccb2250ae
add back request method to log format
2023-02-19 22:40:14 -05:00
Daniel Micay
c137947453
set baseline nginx root directory in http block
2023-02-19 11:52:54 -05:00
Daniel Micay
3ab9e97549
work around nginx keepalive configuration bug
https://trac.nginx.org/nginx/ticket/2012
2023-02-18 12:31:03 -05:00
Daniel Micay
7aad49766b
reject connections to invalid names
2023-02-18 08:55:32 -05:00
Daniel Micay
dc894526df
entirely disable access log for status socket
2023-02-18 08:16:20 -05:00
Daniel Micay
907757043b
disable multipart range requests
2023-02-14 10:14:02 -05:00
Daniel Micay
f672e046fd
improve naming for http limit conn zone
2023-02-11 04:25:11 -05:00
Daniel Micay
7fcd8bf9a8
move error_log configuration to top level
2023-02-11 04:05:33 -05:00
Daniel Micay
30b5aafe32
add request time to log format
2023-02-10 08:28:02 -05:00
Daniel Micay
b903dd72ac
switch to improved custom log format
This switches to a fully custom log format instead of using a variant of
the standard combined format since we don't use any tools requiring the
logs to be a standard format. This provides a cleaner format, allows us
to freely add new fields and gets rid of legacy/redundant fields.
The redundant timestamp already provided as the syslog timestamp is
dropped along with the legacy identd field always set to a dash.
This adds the connection serial number for identifying requests coming
from the same connection. TLS version is added as a replacement for our
previous addition of the URI scheme. This also adds the total request
length and total bytes sent to the client instead of only the body bytes
sent.
2023-02-10 08:04:25 -05:00
Daniel Micay
1bc589d45f
drop HTTP/2 Push support since Chromium dropped it
This only improves performance for the initial page load by sending
resources that are almost always needed before the client receives the
preload headers and fetches them. It can degrade performance in some
edge cases such as clients with web fonts disabled or if the session
cookie is cleared without the cache being cleared. Clients can cancel
the push transfers once they start receiving them, but it's wasteful.
Safari and Firefox still support this feature but are likely to follow
the lead of Chromium and drop support for it. Few websites are going to
bother with it without Chromium support and usage is already dropping.
2023-02-10 03:56:20 -05:00
Daniel Micay
3b4c47b51b
reduce client body / header timeouts to 15s
2023-02-09 18:42:15 -05:00
Daniel Micay
5260801290
reduce sendfile max chunk to 256k
2023-02-09 17:51:01 -05:00
Daniel Micay
76cc4ae336
avoid unnecessary ACME challenge redirects
2023-02-09 10:12:20 -05:00
Daniel Micay
763c17a058
unify HTTP redirect server blocks
2023-02-09 09:50:08 -05:00
Daniel Micay
3909151fc8
use default HTTP/2 input buffer size
2023-02-09 05:13:03 -05:00
Daniel Micay
3bb002fcd1
simplify nginx status path
2023-01-31 21:50:35 -05:00
Daniel Micay
608fbfba6c
rebase onto current nginx mime.types
2023-01-17 13:57:55 -05:00
Daniel Micay
6280211cc5
SSH commit signing will be used going forward
2023-01-05 02:04:19 -05:00
Daniel Micay
fb5b72e121
add empty traffic-advice configuration
2022-12-15 12:16:08 -05:00
Daniel Micay
d656b32161
update Permissions-Policy for web installer
2022-11-01 18:15:51 -04:00
smdyv
12ee1c8293
Update device image
This is a vectorized image of the Pixel 7 Pro, and saves 98 % of the
byte length of the previously used image.
2022-10-18 15:03:06 -04:00
Daniel Micay
f0a151b35e
increase resolver timeout
2022-10-12 16:32:31 -04:00