# vim:ft=nginx
# Process identity and bookkeeping for the master process.
# `user` sets the credentials the *worker* processes run under; the master
# keeps the privileges of whoever started it (typically root, so it can bind
# ports 80/443 before forking unprivileged workers).
user nginx;
pid /var/run/nginx.pid;
# One worker is enough for a small host; raise it (or use `auto`) when
# there are more cores to spend.
worker_processes 1;
# Errors at `warn` and above go to stdout, container style, so they end up
# in whatever log collector wraps the process.
error_log /dev/stdout warn;
# Event loop limits. Each worker may hold at most 1024 open connections at
# once (client and upstream sockets both count). Together with the ~4 MB
# per-request buffers set under `http` this is also the upper bound on how
# much memory a flood of slow requests can pin in one worker.
events { worker_connections 1024; }
http {
# --- content types ---------------------------------------------------------
include mime.types;
default_type application/octet-stream;

# --- logging ---------------------------------------------------------------
# The stock `combined` format with the request's host name in front, so one
# log file can be shared across vhosts. $request, $http_referer and
# $http_user_agent are attacker-supplied; nginx's default log escaping
# (`"`, `\` and control bytes) stops them from forging extra log lines, so
# do not add `escape=none` to this format. log_format has to precede the
# access_log that names it.
log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
                         '"$request" $status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent"';
access_log /logs/default_server.log combined_host;

# --- transport -------------------------------------------------------------
sendfile on;
tcp_nopush on;
# Hide the nginx version from the Server: header and built-in error pages.
server_tokens off;
# Seconds an idle keep-alive connection is kept open.
keepalive_timeout 128;

# --- buffering -------------------------------------------------------------
# Keep request bodies and upstream responses in memory instead of spilling to
# disk: 4000k is roughly 4 MiB per in-flight request in each direction. The
# body side is further limited by client_max_body_size (nginx's default is
# 1m; a vhost may raise it), the upstream side by proxy_buffers itself
# (anything past 1000 x 4k still goes to a temp file). Multiply by
# worker_connections before raising either figure.
client_body_buffer_size 4000k;
proxy_buffers 1000 4k;

# --- compression -----------------------------------------------------------
# Static-ish text types only. NOTE: the gzip module always compresses
# text/html regardless of gzip_types, so any dynamic HTML page served over
# TLS that reflects attacker-controlled input next to a per-user secret
# (CSRF token, session id) is exposed to BREACH; that has to be handled in
# the application (masking/randomising the secret), not in this file.
gzip on;
gzip_proxied any;
gzip_disable "msie6";
gzip_types application/javascript application/rss+xml application/x-javascript
           application/xhtml+xml application/xml image/svg+xml image/x-icon
           text/css text/javascript text/plain text/xml;

# --- TLS defaults shared by every `ssl` server ----------------------------
# ssl_protocols is intentionally NOT set here; every TLS vhost is expected to
# pull it in through includes/hardened_ssl.conf (see the default server
# below). A vhost that forgets the include falls back to the build default.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Session tickets are left at nginx's default (on). nginx never rotates the
# ticket key by itself, so on a long-lived worker resumed sessions lose
# forward secrecy; consider `ssl_session_tickets off;` or rotated
# ssl_session_ticket_key files if that matters for the sites served here.
# AES256+EDH below enables DHE, so the group in this file must be at least
# 2048 bits (Logjam).
ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
#ssl_ecdh_curve secp521r1:secp384r1:X25519;
# Cipher policy: AEAD ChaCha20 first, then AES-256 with ECDHE or DHE key
# exchange; two weak DHE/CBC suites and all anonymous suites are struck.
# Every suite in this list does an ephemeral (EC)DH key exchange and uses
# the RSA/ECDSA key only for signatures. ROBOT (https://robotattack.org) is
# a Bleichenbacher padding oracle against RSA *decryption*, i.e. static RSA
# key exchange (TLS_RSA_*), which no suite here performs - so the older
# ECDHE-RSA-AES256-SHA / -SHA384 CBC suites kept for some still-common
# Android builds are not a ROBOT exposure. The residual concern is only if
# the same RSA key is also used somewhere with RSA key exchange enabled.
# To drop the two CBC suites anyway, append:
#   :!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";

# --- OCSP stapling ---------------------------------------------------------
# ssl_stapling_verify requires the issuer chain via ssl_trusted_certificate.
# It is not set at this level, so hardened_ssl.conf (or each vhost) must
# provide it; otherwise nginx logs a verification failure and staples nothing.
ssl_stapling on;
ssl_stapling_verify on;
# Resolver used for the OCSP responder lookups: plaintext UDP to Google's
# public DNS, with no DNSSEC validation inside nginx. A local validating
# resolver would be preferable. Answers are reused for 300s.
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 5s;
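# Allow-list of host names that the plain-HTTP default server may bounce to
# https://. Keyed on $host rather than $http_host: $host is the host from the
# request line or the Host header, lower-cased, with any :port suffix and
# trailing dot removed, so "crute.me:80" or "CRUTE.ME." still match an entry
# here - and it is the same value the redirect below is built from, so the
# name that was allow-listed is always the name that ends up in Location:.
# Anything not listed stays 0 and receives a 404 rather than a redirect,
# which is what keeps this from being an open redirect to an arbitrary
# attacker-chosen Host header.
map $host $can_redirect {
    hostnames;
    default 0;
    crute.me 1;
    *.crute.me 1;
    crute.us 1;
    *.crute.us 1;
    *.pomonaconsulting.com 1;
    pomonaconsulting.com 1;
    *.pomonaconsulting.net 1;
    pomonaconsulting.net 1;
    leavenworthsnowmobilerentals.com 1;
    *.leavenworthsnowmobilerentals.com 1;
    lakewenatcheecabins.net 1;
    *.lakewenatcheecabins.net 1;
    59erdiner.com 1;
    *.59erdiner.com 1;
    as398223.net 1;
    *.as398223.net 1;
    frompythonimportpodcast.com 1;
    *.frompythonimportpodcast.com 1;
}
# Default plain-HTTP server: upgrade allow-listed hosts to https with a
# permanent redirect, answer 404 for everything else (scanners hitting the
# bare IP learn nothing about the hosted names).
server {
    listen *:80 default_server;
    listen [::]:80 default_server;
    access_log /logs/default_http_vhost.log combined_host;
    location / {
        # `return 301` with $request_uri replays the client's original
        # path+query byte-for-byte. The previous `rewrite (.*) ...$1`
        # rebuilt the target from the decoded and normalised $uri, which
        # can mangle percent-encoded paths in the Location header.
        # $host is the same variable the map above was evaluated on, so
        # the target host can never differ from the allow-listed name.
        if ($can_redirect) {
            return 301 https://$host$request_uri;
        }
        default_type text/plain;
        return 404 "not found";
    }
}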
# Default TLS server: catches every https request whose SNI / Host matches
# no vhost under sites-enabled and answers 404. It still has to present a
# certificate to finish the handshake, so the crute.me certificate is used -
# which means anyone probing the bare IP over TLS learns that name. On
# nginx >= 1.19.4, `ssl_reject_handshake on;` would abort such handshakes
# instead and remove the need for a certificate here; confirm the deployed
# version before switching. Likewise, from nginx 1.25.1 the `http2` listen
# parameter is deprecated in favour of a separate `http2 on;` directive.
server {
    listen *:443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    access_log /logs/default_https_vhost.log combined_host;
    # Protocol versions, hardening response headers and the default CSP are
    # presumably carried by these three includes (their contents are not in
    # this file); every vhost in sites-enabled is expected to include the
    # same three, since none of it is set at http level.
    include includes/hardened_ssl.conf;
    include includes/hardened_headers.conf;
    include includes/default_csp.conf;
    ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem;
    ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem;
    location / {
        default_type text/plain;
        return 404 "not found";
    }
}
# Per-site vhosts. Nothing at http level sets ssl_protocols, HSTS or the
# other hardening headers, so every `ssl` server in here has to repeat the
# three includes/ files used by the default TLS server above.
include sites-enabled/*;
}