Diffstat (limited to 'code-host/nginx.conf')
-rw-r--r-- | code-host/nginx.conf | 386 |
1 files changed, 386 insertions, 0 deletions
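--- /dev/null
+++ b/code-host/nginx.conf
@@ -0,0 +1,386 @@
+daemon off;
+user nginx;
+worker_processes 1;
+
+error_log /dev/stdout warn;
+pid /var/run/nginx.pid;
+
+events {
+worker_connections 1024;
+}
+
+http {
+types {
+text/html html htm shtml;
+text/css css;
+text/xml xml;
+image/gif gif;
+image/jpeg jpeg jpg;
+application/javascript js;
+application/atom+xml atom;
+application/rss+xml rss;
+
+text/mathml mml;
+text/plain txt;
+text/vnd.sun.j2me.app-descriptor jad;
+text/vnd.wap.wml wml;
+text/x-component htc;
+
+image/png png;
+image/svg+xml svg svgz;
+image/tiff tif tiff;
+image/vnd.wap.wbmp wbmp;
+image/webp webp;
+image/x-icon ico;
+image/x-jng jng;
+image/x-ms-bmp bmp;
+
+font/woff woff;
+font/woff2 woff2;
+
+application/java-archive jar war ear;
+application/json json;
+application/mac-binhex40 hqx;
+application/msword doc;
+application/pdf pdf;
+application/postscript ps eps ai;
+application/rtf rtf;
+application/vnd.apple.mpegurl m3u8;
+application/vnd.google-earth.kml+xml kml;
+application/vnd.google-earth.kmz kmz;
+application/vnd.ms-excel xls;
+application/vnd.ms-fontobject eot;
+application/vnd.ms-powerpoint ppt;
+application/vnd.oasis.opendocument.graphics odg;
+application/vnd.oasis.opendocument.presentation odp;
+application/vnd.oasis.opendocument.spreadsheet ods;
+application/vnd.oasis.opendocument.text odt;
+application/vnd.openxmlformats-officedocument.presentationml.presentation
+pptx;
+application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+xlsx;
+application/vnd.openxmlformats-officedocument.wordprocessingml.document
+docx;
+application/vnd.wap.wmlc wmlc;
+application/x-7z-compressed 7z;
+application/x-cocoa cco;
+application/x-java-archive-diff jardiff;
+application/x-java-jnlp-file jnlp;
+application/x-makeself run;
+application/x-perl pl pm;
+application/x-pilot prc pdb;
+application/x-rar-compressed rar;
+application/x-redhat-package-manager rpm;
+application/x-sea sea;
+application/x-shockwave-flash swf;
+application/x-stuffit sit;
+application/x-tcl tcl tk;
+application/x-x509-ca-cert der pem crt;
+application/x-xpinstall xpi;
+application/xhtml+xml xhtml;
+application/xspf+xml xspf;
+application/zip zip;
+
+application/octet-stream bin exe dll;
+application/octet-stream deb;
+application/octet-stream dmg;
+application/octet-stream iso img;
+application/octet-stream msi msp msm;
+
+audio/midi mid midi kar;
+audio/mpeg mp3;
+audio/ogg ogg;
+audio/x-m4a m4a;
+audio/x-realaudio ra;
+
+video/3gpp 3gpp 3gp;
+video/mp2t ts;
+video/mp4 mp4;
+video/mpeg mpeg mpg;
+video/quicktime mov;
+video/webm webm;
+video/x-flv flv;
+video/x-m4v m4v;
+video/x-mng mng;
+video/x-ms-asf asx asf;
+video/x-ms-wmv wmv;
+video/x-msvideo avi;
+}
+
+default_type application/octet-stream;
+
+log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent"';
+
+access_log /logs/default_server.log combined_host;
+
+sendfile on;
+tcp_nopush on;
+server_tokens off;
+
+keepalive_timeout 128;
+
+# Try to avoid buffering requests to disk
+client_body_buffer_size 1024k;
+
+gzip on;
+gzip_proxied any;
+gzip_disable "msie6";
+gzip_types application/javascript application/rss+xml application/x-javascript application/xhtml+xml application/xml image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
+
+map $http_host $can_redirect {
+hostnames;
+
+default 0;
+crute.me 1;
+*.crute.me 1;
+crute.us 1;
+*.crute.us 1;
+}
+
+server {
+listen *:80 default_server;
+listen [::]:80 default_server;
+
+access_log /logs/default_http_vhost.log combined_host;
+
+location / {
+if ($can_redirect) {
+rewrite (.*) https://$http_host$1 permanent;
+}
+
+default_type text/plain;
+return 404 "not found";
+}
+}
+
+# TODO: Consolidate these into one, they differ only by hostname and SSL cert
+# This is like this because I'm not sure if redirects will work at all with
+# git pulls and pretty much all repositories use code.crute.me not .us
+
+geo $cgit_config {
+default "/srv/code/etc/cgit-public.cfg";
+
+# Global V4 Internal Network
+172.16.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# FKL1 V4 Internal network
+172.18.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# SEA4 V4 Internal network
+172.19.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# ORD1 V4 Internal network
+172.20.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# Mobile V4 Internal network
+172.21.0.0/16 "/srv/code/etc/cgit-private.cfg";
+# PDX1 V6 Network
+2600:1f14:f39:e000::/56 "/srv/code/etc/cgit-private.cfg";
+# CMH1 V6 Network
+2600:1f16:33:500::/56 "/srv/code/etc/cgit-private.cfg";
+# SEA1 Internal V6 Network
+2602:0803:4070::/48 "/srv/code/etc/cgit-private.cfg";
+# SEA4 Internal V6 Network
+2602:0803:4072::/48 "/srv/code/etc/cgit-private.cfg";
+# SEA4 Remote Access VPN V6 Network
+2602:0803:4075::/48 "/srv/code/etc/cgit-private.cfg";
+# ORD1 Internal V6 Network
+2602:0803:4073::/48 "/srv/code/etc/cgit-private.cfg";
+# FKL1 Internal V6 Network
+2602:0803:4074::/48 "/srv/code/etc/cgit-private.cfg";
+# Mobile V6 Internal Network
+2602:0803:4076::/48 "/srv/code/etc/cgit-private.cfg";
+}
+
+server {
+listen *:443 ssl http2;
+listen [::]:443 ssl http2;
+
+server_name code.crute.me;
+access_log /logs/code.crute.me.log combined_host;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.4.4 8.8.8.8 valid=300s;
+resolver_timeout 5s;
+
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Xss-Protection "1; mode=block" always;
+add_header Referrer-Policy "same-origin" always;
+
+ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem;
+ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem;
+
+add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://wiki.crute.me/ 'self';" always;
+
+client_max_body_size 4G;
+
+# This is somewhat ugly and naive because it doesn't allow more than host/user/repo and some
+# repos exist at deeper paths than that. This should be fixed and moved out of nginx at some
+# point it's just quick and easy to put it here.
+location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$ {
+if ($arg_go-get = "1") {
+add_header Content-Type text/plain;
+return 200 '<html><head>
+<meta name="go-import" content="$host/$user/$repo git https://$host/$user/$repo">
+<meta name="go-source" content="$host/$user/$repo
+https://$host/$user/$repo
+https://$host/$user/$repo/tree{/dir}
+https://$host/$user/$repo/tree{/dir}/{file}#n{line}">
+</head></html>';
+}
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
+
+uwsgi_param HTTP_HOST $host;
+uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+
+uwsgi_modifier1 9;
+uwsgi_param CGIT_CONFIG $cgit_config;
+uwsgi_pass uwsgi://127.0.0.1:9000;
+}
+
+location / {
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
+
+uwsgi_param HTTP_HOST $host;
+uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+
+uwsgi_modifier1 9;
+uwsgi_param CGIT_CONFIG $cgit_config;
+uwsgi_pass uwsgi://127.0.0.1:9000;
+}
+}
+
+server {
+listen *:443 ssl http2;
+listen [::]:443 ssl http2;
+
+server_name code.crute.us;
+access_log /logs/code.crute.me.log combined_host;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.4.4 8.8.8.8 valid=300s;
+resolver_timeout 5s;
+
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Xss-Protection "1; mode=block" always;
+add_header Referrer-Policy "same-origin" always;
+
+ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_us.pem;
+ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_us_key.pem;
+
+add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://wiki.crute.me/ 'self';" always;
+
+client_max_body_size 4G;
+
+# This is somewhat ugly and naive because it doesn't allow more than host/user/repo and some
+# repos exist at deeper paths than that. This should be fixed and moved out of nginx at some
+# point it's just quick and easy to put it here.
+location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$ {
+if ($arg_go-get = "1") {
+add_header Content-Type text/plain;
+return 200 '<html><head>
+<meta name="go-import" content="$host/$user/$repo git https://$host/$user/$repo">
+<meta name="go-source" content="$host/$user/$repo
+https://$host/$user/$repo
+https://$host/$user/$repo/tree{/dir}
+https://$host/$user/$repo/tree{/dir}/{file}#n{line}">
+</head></html>';
+}
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
+
+uwsgi_param HTTP_HOST $host;
+uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+
+uwsgi_modifier1 9;
+uwsgi_param CGIT_CONFIG $cgit_config;
+uwsgi_pass uwsgi://127.0.0.1:9000;
+}
+
+location / {
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
+
+uwsgi_param HTTP_HOST $host;
+uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+
+uwsgi_modifier1 9;
+uwsgi_param CGIT_CONFIG $cgit_config;
+uwsgi_pass uwsgi://127.0.0.1:9000;
+}
+}
+}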
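Review bot: The go-get `if` block inside `location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$` (present in both TLS server blocks) interpolates the request-derived `$user` and `$repo` captures unescaped into an HTML body, and the `[^/]*`/`[^/]+` classes accept any character except `/`, so the body can carry request-controlled markup; at the same time `return` takes its Content-Type from `default_type` (here `application/octet-stream`, or whatever the URI extension maps to), and `add_header Content-Type text/plain;` only appends a second, conflicting header. Narrowing the captures to the character set repository names actually use, e.g. `location ~ ^/(?<user>[A-Za-z0-9._-]+)/(?<repo>[A-Za-z0-9._-]+)/?(?<subpath>.*)?$`, removes the reflection surface, and replacing the `add_header Content-Type` line with `default_type text/html;` at location scope (outside the `if`, where nginx accepts it) gives the response a single unambiguous type — confirm that no existing cgit repo name contains other characters before narrowing. Note also that an `add_header` inside the `if` suppresses every server-level `add_header` (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP) for that response, since nginx only inherits `add_header` when the current level defines none, so any header still wanted there must be repeated inside the `if`. Separately, the `server_name code.crute.us;` block sets `access_log /logs/code.crute.me.log combined_host;`, which looks like a copy-paste slip from the `.me` block; `access_log /logs/code.crute.us.log combined_host;` is presumably intended, though `$host` in `combined_host` keeps the entries distinguishable either way.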