diff --git a/configs/nginx.conf b/configs/nginx.conf new file mode 100644 index 0000000..768da04 --- /dev/null +++ b/configs/nginx.conf @@ -0,0 +1,63 @@ +server { + listen 443 http2; + listen 127.0.0.1:8110; # I2P +# listen 8090; # Tor + listen [300:a98d:d6d0:8a08::f]:80; # Yggdrasil + + server_name arav.su www.arav.su arav.i2p moq7aejnf4xk5k2bkaltli3ftkhusy2mbrd3pj23nrca343ku2mgk4yd.onion; + + access_log /var/log/nginx/dwelling/dwelling.log main if=$nolog; + + ssl_certificate /etc/letsencrypt/live/arav.su/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/arav.su/privkey.pem; + + + add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; media-src 'self'; object-src 'none'; frame-src 'none'; frame-ancestors 'none'; font-src 'self'; form-action 'self'"; + add_header X-Frame-Options "DENY"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + add_header Onion-Location "http://moq7aejnf4xk5k2bkaltli3ftkhusy2mbrd3pj23nrca343ku2mgk4yd.onion$request_uri"; + + + location / { + proxy_pass http://unix:/var/run/dwelling-home/sock; + proxy_buffering off; + + proxy_set_header X-Client-Timezone $gi2_location_tz; + proxy_set_header Host $host; + proxy_set_header Schema $scheme; + } + + + location /api/captcha/ { + limit_req zone=captcha_api nodelay; + } + + location /api/guestbook/ { + limit_req zone=captcha_api nodelay; + + allow 192.168.144.0/25; + deny all; + } + + + location ~ ^/~(.+?)(/.*)?$ { + alias /srv/http/pubs/$1/$2; + + autoindex on; + } + + + location ^~ /.well-known/ { + alias /srv/http/.well-known/; + } + + location ^~ /.well-known/openpgpkey { + alias /srv/http/.well-known/openpgpkey/; + + default_type application/octet-stream; + + add_header Access-Control-Allow-Origin * always; + } +}