security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity
hakurei.app/nginx/nginx.conf
Daniel Micay 19876e35c9 switch to new session ticket keys location
2025-05-27 14:04:19 -04:00

485 lines
16 KiB
Nginx Configuration File
Raw Blame History

load_module modules/ngx_http_brotli_static_module.so;
error_log syslog:server=unix:/dev/log,nohostname;
# leave stderr open but minimize duplicate logging to it
error_log stderr emerg;
worker_processes auto;
worker_rlimit_nofile 32768;
worker_shutdown_timeout 1h;
events {
worker_connections 8192;
}
http {
root /var/empty;
include mime.types;
default_type application/octet-stream;
charset utf-8;
charset_types text/css text/javascript text/plain text/xml application/atom+xml;
sendfile on;
sendfile_max_chunk 256k;
tcp_nopush on;
keepalive_requests 256;
keepalive_timeout 0;
server_tokens off;
msie_padding off;
client_max_body_size 1k;
client_body_buffer_size 1k;
client_header_buffer_size 1k;
large_client_header_buffers 2 1k;
http2_chunk_size 4k;
reset_timedout_connection on;
client_body_timeout 15s;
client_header_timeout 15s;
send_timeout 30s;
max_ranges 1;
resolver [::1];
resolver_timeout 15s;
http2_max_concurrent_streams 16;
limit_conn_status 429;
limit_conn_zone $binary_remote_addr zone=http-limit:10m;
limit_conn http-limit 128;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
ssl_certificate /etc/letsencrypt/live/grapheneos.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/grapheneos.org/privkey.pem;
# maintained by rotate-session-ticket-keys in noswap tmpfs
ssl_session_ticket_key /etc/session-ticket-keys/4.key;
ssl_session_ticket_key /etc/session-ticket-keys/3.key;
ssl_session_ticket_key /etc/session-ticket-keys/2.key;
ssl_session_ticket_key /etc/session-ticket-keys/1.key;
ssl_session_timeout 1d;
ssl_buffer_size 4k;
log_format main '$connection-$connection_requests $remote_addr $remote_user $ssl_session_reused $ssl_protocol $server_protocol '
'$host $request_method "$request_uri" $status $request_length $body_bytes_sent/$bytes_sent '
'$request_time $upstream_connect_time/$upstream_header_time/$upstream_response_time '
'$upstream_cache_status "$http_referer" "$http_user_agent"';
access_log syslog:server=unix:/dev/log,nohostname main;
log_subrequest on;
log_not_found off;
gzip_proxied any;
gzip_vary on;
if_modified_since before;
aio threads;
aio_write on;
map $uri $preload_resources_uri {
/articles/grapheneos-servers.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/build.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/faq.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/features.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/index.html ", <[[path|/pixel-7-pro.svg]]>; rel=preload; as=image; fetchpriority=high, <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/install/cli.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/install/index.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/install/web.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/releases.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
/usage.html ", <[[path|/js/redirect.js]]>; rel=modulepreload; integrity=[[integrity|/js/redirect.js]]";
}
server {
listen 80 default_server backlog=4096 rcvbuf=2048 sndbuf=2048;
listen [::]:80 default_server backlog=4096 rcvbuf=2048 sndbuf=2048;
# https://trac.nginx.org/nginx/ticket/2012
location / {
return 404;
}
}
server {
listen 80;
listen [::]:80;
server_name grapheneos.org www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.foundation www.grapheneos.foundation grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page vanadium.app www.vanadium.app;
location /.well-known/acme-challenge/ {
return 301 http://0.grapheneos.org$request_uri;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 80;
listen [::]:80;
server_name 0.grapheneos.org;
location /.well-known/acme-challenge/ {
root /srv/certbot;
}
location / {
return 301 https://grapheneos.org$request_uri;
}
}
server {
listen 443 default_server ssl backlog=4096;
listen [::]:443 default_server ssl backlog=4096;
http2 on;
ssl_reject_handshake on;
# https://trac.nginx.org/nginx/ticket/2012
location / {
return 404;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.foundation www.grapheneos.foundation grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page;
keepalive_timeout 3m;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
# https://trac.nginx.org/nginx/ticket/2012
location / {
return 301 https://grapheneos.org$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name www.vanadium.app;
keepalive_timeout 3m;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
# https://trac.nginx.org/nginx/ticket/2012
location / {
return 301 https://vanadium.app$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name vanadium.app;
keepalive_timeout 3m;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
location = / {
include snippets/security-headers.conf;
add_header Cache-Control "public, max-age=2592000";
return 301 https://grapheneos.org/features#vanadium;
}
location / {
return 404;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name grapheneos.org;
include root_grapheneos.org.conf;
error_page 403 =404 /404;
error_page 404 /404;
keepalive_timeout 3m;
open_file_cache max=2048 inactive=1d;
open_file_cache_valid 1d;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
gzip_static on;
brotli_static on;
if ($request_uri ~ ^[^?]*//) {
rewrite ^(.*)$ $1 permanent;
}
location = /, {
return 301 /;
}
location = /security.txt {
return 301 /.well-known/security.txt;
}
location = /bitcoin-address.png {
return 301 /donate-bitcoin.png;
}
location = /bitcoin-donation.png {
return 301 /donate-bitcoin.png;
}
location = /monero-donation.png {
return 301 /donate-monero.png;
}
location = /pdfviewer_privacy_policy {
return 301 /pdfviewer-privacy-policy;
}
# mangled backlinks to /install
location = /installMinimal {
return 301 /install/;
}
# mangled backlink to /faq
location = /fa {
return 301 /faq;
}
location = /FAQ {
return 301 /faq;
}
# mangled backlinks to /usage#updates
location = /updates {
return 301 /usage#updates;
}
location = /web-install {
return 301 /install/web;
}
location = /install-web {
return 301 /install/web;
}
location = /cli/install {
return 301 /install/cli;
}
location = /web/install {
return 301 /install/web;
}
location = /generate_204 {
return 301 /faq#default-connections;
}
# redirect away from the old SVG favicon location
location = /mask-icon.svg {
return 301 /favicon.svg;
}
location = "/legal/Micay_ Copperhead_ Statement of Defendant and Counterclaim.pdf" {
return 301 /history/copperheados;
}
location = /discord {
include snippets/security-headers.conf;
add_header Cache-Control "public, max-age=86400";
return 301 https://discord.com/invite/grapheneos;
}
location = /code-of-conduct {
include snippets/security-headers.conf;
add_header Cache-Control "public, max-age=86400";
return 301 https://discuss.grapheneos.org/d/11-grapheneos-code-of-conduct;
}
location = /UBL {
return 301 /faq#bootloader-locking-setup;
}
location = /ubl {
return 301 /faq#bootloader-locking-setup;
}
location = /404 {
internal;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
include snippets/preload.conf;
try_files $uri.html =404;
}
location = /allowed_signers {}
location = /allowed_signers.sig {}
location = /allowed_signers.asc {}
location = /manifest.webmanifest {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=604800";
}
location = /favicon.ico {
if ($http_accept ~ "image/svg\+xml") {
rewrite ^ /favicon.svg last;
}
include snippets/security-headers.conf;
# avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=604800";
}
location = /favicon.svg {
include snippets/security-headers.conf;
# avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=604800";
}
location = /bimi.svg {
include snippets/security-headers.conf;
# allow https://bimigroup.org/bimi-generator/ to hotlink the image
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=604800";
}
location = /.well-known/matrix/client {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Access-Control-Allow-Origin "*";
add_header Cache-Control "public, max-age=172800";
default_type application/json;
}
location = /.well-known/matrix/server {
include snippets/security-headers.conf;
add_header Cache-Control "public, max-age=172800";
default_type application/json;
}
location = /.well-known/traffic-advice {
default_type application/trafficadvice+json;
}
location = /install/web {
if ($request_uri ~ \?) {
rewrite ^(.*)$ $1? permanent;
}
include snippets/security-headers-base.conf;
add_header Content-Security-Policy "default-src 'none'; child-src 'self'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; webrtc 'block'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'" always;
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(self), serial=(), speaker-selection=(), sync-xhr=(), xr-spatial-tracking=()" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, no-cache";
include snippets/preload.conf;
try_files $uri.html =404;
}
location ^~ /fonts/ {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=31536000, immutable";
gzip_static off;
brotli_static off;
}
location ~ "/$" {
if ($request_uri ~ \?) {
rewrite ^(.*)$ $1? permanent;
}
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, no-cache";
include snippets/preload.conf;
try_files ${uri}index.html @noslash;
}
# redirect /path/ to /path if /path.html exists
location @noslash {
rewrite ^(.*)/$ $1;
if (-f $request_filename.html) {
rewrite ^(.*) $1 permanent;
}
return 404;
}
location ~ "\.(?:css|js|map|mjs)$" {
include snippets/security-headers-base.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=31536000, immutable";
}
location ~ "\.svg$" {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=31536000, immutable";
}
location ~ "\.png$" {
include snippets/security-headers.conf;
# avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=31536000";
gzip_static off;
brotli_static off;
}
location ~ "\.atom$" {
include snippets/security-headers.conf;
# Thunderbird uses wrong origin for feeds: https://bugzilla.mozilla.org/show_bug.cgi?id=1698755
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=1800";
}
location ~ "\.(?:json|txt|xml)$" {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=1800";
}
location ~ "/index|\.(?:br|gz|html)$" {
internal;
}
location / {
if ($request_uri ~ \?) {
rewrite ^(.*)$ $1? permanent;
}
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, no-cache";
include snippets/preload.conf;
try_files $uri.html $uri/ =404;
}
}
server {
listen unix:/run/nginx/status.sock;
access_log off;
location = / {
stub_status;
}
location / {
return 404;
}
}
}
Reference in New Issue View Git Blame Copy Permalink