security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity
hakurei.app/nginx/nginx.conf
Daniel Micay fb1be51f68 rename grapheneos.css to main.css
2021-05-14 22:28:12 -04:00

357 lines
12 KiB
Nginx Configuration File
Raw Blame History

# nginx 1.20.x
load_module modules/ngx_http_brotli_static_module.so;
user nginx;
worker_processes auto;
worker_rlimit_nofile 16384;
pid /run/nginx.pid;
events {
worker_connections 4096;
}
http {
include mime.types;
default_type application/octet-stream;
charset utf-8;
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;
keepalive_timeout 3m;
types_hash_max_size 4096;
server_tokens off;
msie_padding off;
client_max_body_size 1k;
client_body_buffer_size 1k;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
http2_recv_buffer_size 128k;
client_body_timeout 30s;
client_header_timeout 30s;
send_timeout 30s;
http2_max_concurrent_streams 32;
limit_conn_status 429;
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn addr 256;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
ssl_certificate /etc/letsencrypt/live/grapheneos.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/grapheneos.org/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
# maintained by nginx-rotate-session-ticket-keys in ramfs
ssl_session_ticket_key session-ticket-keys/4.key;
ssl_session_ticket_key session-ticket-keys/3.key;
ssl_session_ticket_key session-ticket-keys/2.key;
ssl_session_ticket_key session-ticket-keys/1.key;
ssl_buffer_size 4k;
ssl_trusted_certificate /etc/letsencrypt/live/grapheneos.org/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
# maintained by certbot-ocsp-fetcher
ssl_stapling_file ocsp-cache/grapheneos.org.der;
log_format main '$remote_addr - $remote_user [$time_local] '
'"$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main buffer=64k flush=1m;
error_log /var/log/nginx/error.log;
gzip_proxied any;
gzip_vary on;
if_modified_since before;
map $http_cookie $preload_resources {
"~*__Host-preload=1" "";
default "</main.css>; rel=preload; as=style, </fonts/roboto-v20-regular-latin.woff2>; rel=preload; as=font; crossorigin, </fonts/roboto-v20-bold-latin.woff2>; rel=preload; as=font; crossorigin, </mask-icon.svg>; rel=preload; as=image";
}
server {
listen 80 backlog=4096;
listen [::]:80 backlog=4096;
server_name grapheneos.org www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.com www.grapheneos.com grapheneos.info www.grapheneos.info grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page vanadium.app www.vanadium.app;
root /var/empty;
# use $host to set up HSTS for redirect domains
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2 backlog=4096;
listen [::]:443 ssl http2 backlog=4096;
server_name www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.com www.grapheneos.com grapheneos.info www.grapheneos.info grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page;
root /var/empty;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
return 301 https://grapheneos.org$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name vanadium.app www.vanadium.app;
root /var/empty;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
return 302 https://github.com/GrapheneOS/Vanadium;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name grapheneos.org;
root /srv/grapheneos.org;
error_page 403 =404 /404;
error_page 404 /404;
open_file_cache max=2048 inactive=1d;
open_file_cache_valid 1d;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
gzip_static on;
brotli_static on;
if ($request_uri ~ ^/(.*)\.html$) {
return 301 /$1;
}
if ($request_uri ~ (.*)//(.*)) {
return 301 $1/$2;
}
if ($request_uri ~ ^(.*)/index$) {
return 301 $1/;
}
# https://www.twipu.com/GrapheneOS doesn't handle links with fragments properly
if ($request_uri ~ "^/(.*)%3Ca%20href=$") {
return 301 https://grapheneos.org/$1;
}
location = /security.txt {
return 301 /.well-known/security.txt;
}
location = /graphene.png {
return 301 /logo.png;
}
location = /pdfviewer_privacy_policy {
return 301 /pdfviewer-privacy-policy;
}
location = /bitcoin_address.png {
return 301 /bitcoin-donation.png;
}
location = /bitcoin-address.png {
return 301 /bitcoin-donation.png;
}
# mangled backlinks to /install
location = /installMinimal {
return 301 /install/;
}
# mangled backlink to /faq
location = /fa {
return 301 /faq;
}
# mangled backlinks to /usage#updates
location = /updates {
return 301 /usage#updates;
}
location = /web-install {
return 301 /install/web;
}
location = /install-web {
return 301 /install/web;
}
location = /cli/install {
return 301 /install/cli;
}
location = /web/install {
return 301 /install/web;
}
location = /LICENSE {
return 301 /LICENSE.txt;
}
location = /generate_204 {
return 301 /faq#default-connections;
}
location = /404 {
internal;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
include snippets/preload.conf;
try_files $uri.html =404;
}
location = /favicon.ico {
include snippets/security-headers.conf;
# avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=604800";
}
# broken link (now fixed) on https://noagendaphone.com/ with UTF-8 replacement character
location ~ "^/\xEF\xBF\xBC$" {
return 301 /;
}
location ~ "\.webmanifest$" {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=604800";
}
location ~ "\.(css|js|map|mjs)$" {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=31536000, immutable";
}
location ~ "\.svg$" {
include snippets/security-headers.conf;
# avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=31536000";
}
location ~ "\.woff2$" {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=31536000, immutable";
gzip_static off;
brotli_static off;
}
location ~ "\.png$" {
include snippets/security-headers.conf;
# avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=31536000";
gzip_static off;
brotli_static off;
}
location ~ "\.(atom|pdf)$" {
include snippets/security-headers.conf;
# Chromium PDF range requests use wrong origin: https://bugs.chromium.org/p/chromium/issues/detail?id=1074261
# Thunderbird uses wrong origin for feeds: https://bugzilla.mozilla.org/show_bug.cgi?id=1698755
add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Cache-Control "public, max-age=1800";
}
location ~ "\.(json|txt|xml)$" {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, max-age=1800";
}
location ~ "\.(br|gz)$" {
internal;
}
location ~ "/$" {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, no-cache";
include snippets/preload.conf;
try_files ${uri}index.html @noslash;
}
# redirect /path/ to /path if /path.html exists
location @noslash {
rewrite ^(.*)/$ $1;
if (-f $request_filename.html) {
rewrite ^(.*) $1 permanent;
}
return 404;
}
location = /install/web {
include snippets/security-headers-base.conf;
add_header Content-Security-Policy "default-src 'none'; child-src 'self'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'" always;
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), xr-spatial-tracking=()" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, no-cache";
include snippets/preload.conf;
try_files $uri.html =404;
}
location / {
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cache-Control "public, no-cache";
include snippets/preload.conf;
try_files $uri.html $uri/ =404;
}
}
server {
listen 80;
listen [::]:80;
server_name mta-sts.grapheneos.org mta-sts.mail.grapheneos.org mta-sts.grapheneos.app mta-sts.grapheneos.com mta-sts.grapheneos.info mta-sts.grapheneos.ovh mta-sts.grapheneos.page mta-sts.vanadium.app;
root /var/empty;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mta-sts.grapheneos.org mta-sts.mail.grapheneos.org mta-sts.grapheneos.app mta-sts.grapheneos.com mta-sts.grapheneos.info mta-sts.grapheneos.ovh mta-sts.grapheneos.page mta-sts.vanadium.app;
root /srv/mta-sts;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
location = / {
return 301 https://grapheneos.org/articles/grapheneos-servers;
}
}
server {
listen 127.0.0.1:81;
listen [::1]:81;
location /nginx_status {
stub_status;
access_log off;
}
}
}
Reference in New Issue View Git Blame Copy Permalink