Thorsten Schubert
762bf9ed8e
All checks were successful
continuous-integration/drone/push Build is passing
172 lines
4.5 KiB
Text
172 lines
4.5 KiB
Text
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
# Copyright © 2022 Thorsten Schubert <tschubert@bafh.org>
|
|
|
|
server {
|
|
listen 127.0.0.1:80;
|
|
listen [::1]:80;
|
|
server_name example.org;
|
|
|
|
root /srv/http/virtual/example.org/htdocs;
|
|
log_not_found off;
|
|
access_log off;
|
|
|
|
location /.well-known {
|
|
alias /srv/http/virtual/example.org/htdocs/.well-known;
|
|
try_files $uri =404;
|
|
}
|
|
|
|
location / {
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
}
|
|
|
|
# download request?
|
|
map "$path_fragment:$dl_fragment" $map_dl_fragment {
|
|
default 0;
|
|
"~^dl:[\S]+$" 1;
|
|
}
|
|
|
|
# custom filename?
|
|
map "$path_fragment:$dl_fragment" $file_name {
|
|
"~^dl:$" "$file_fragment";
|
|
"~^dl:[\S]+$" "$dl_fragment";
|
|
}
|
|
|
|
map "$path_fragment" $map_mime {
|
|
default 0;
|
|
"~^(txt|log|patch|raw|diff|awk|sh)$" 'text/plain';
|
|
"~^(bin|dat)$" 'application/octet-stream';
|
|
"~^(ogg|opus)$" 'audio/vorbis';
|
|
"~^jpg$" 'image/jpg';
|
|
"~^gif$" 'image/gif';
|
|
"~^png$" 'image/png';
|
|
"~^pdf$" 'application/pdf';
|
|
"~^webp$" 'image/webp';
|
|
"~^svgz?$" 'image/svg+xml';
|
|
"~^json$" 'application/json';
|
|
"~^html?$" 'text/html';
|
|
"~^mp3$" 'audio/mpeg';
|
|
"~^aac$" 'audio/aac';
|
|
"~^mp4$" 'video/mp4';
|
|
"~^avi$" 'video/x-msvideo';
|
|
"~^mkv$" 'video/x-matroska';
|
|
"~^wav$" 'audio/x-wav';
|
|
"~^webm$" 'video/webm';
|
|
}
|
|
|
|
server {
|
|
listen 127.0.0.1:443 ssl http2;
|
|
listen [::1]:443 ssl http2;
|
|
server_name example.org;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
|
|
ssl_trusted_certificate /etc/letsencrypt/live/example.org/chain.pem;
|
|
|
|
log_not_found off;
|
|
error_log stderr notice;
|
|
rewrite_log off;
|
|
|
|
access_log /srv/http/virtual/example.org/logs/nginx/access.log;
|
|
root /srv/http/virtual/example.org/htdocs/root;
|
|
index index.html;
|
|
|
|
add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always;
|
|
|
|
add_header Permissions-Policy interest-cohort=();
|
|
|
|
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
|
add_header Cross-Origin-Embedder-Policy "require-corp" always;
|
|
|
|
# obsolete when client system time is correct
|
|
add_header Expect-CT "enforce, max-age=63072000" always;
|
|
|
|
# obsolete and replaced with strong Content-Security-Policy
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
# sniffing increases user experience dramatically in this use case
|
|
#add_header X-Content-Type-Options "nosniff" always;
|
|
|
|
if ($http_user_agent ~* (google|archive|bing|yahoo|yandex|teoma|trident|baidu) ) {
|
|
return 403;
|
|
}
|
|
|
|
set $path_fragment '';
|
|
set $dl_fragment '';
|
|
|
|
# $request_uri is url encoded
|
|
if ($uri ~* "^\/([\w\d\-_.]{1,16}\.?)\/([\w\d\.]{1,16})(?:\/([^\/&?#]+))?\/?$)" {
|
|
set $file_fragment $1;
|
|
set $path_fragment $2;
|
|
set $dl_fragment $3;
|
|
rewrite "^/([^\/]*)/([^\/]{1,16})(?:/.*)?$" /$1 last;
|
|
}
|
|
|
|
location /.well-known {
|
|
default_type "text/plain";
|
|
alias /srv/http/virtual/example.org/htdocs/.well-known;
|
|
try_files $uri =404;
|
|
}
|
|
|
|
location = /robots.txt {
|
|
add_header Content-Type text/plain;
|
|
return 200 "User-agent: *\nDisallow: /\n";
|
|
|
|
}
|
|
|
|
location = / {}
|
|
|
|
location = /index.html {}
|
|
|
|
location ~ ^/.var/.*$ {
|
|
return 403;
|
|
}
|
|
|
|
# partial uploads
|
|
location ~ ^/\.__.*__\.__tmp__$ {
|
|
return 403;
|
|
}
|
|
|
|
location / {
|
|
root /srv/http/virtual/example.org/htdocs/paste;
|
|
|
|
etag off;
|
|
expires 1h;
|
|
disable_symlinks on;
|
|
autoindex off;
|
|
|
|
default_type 'text/plain';
|
|
|
|
include mime.types;
|
|
types {
|
|
text/plain md markdown;
|
|
text/plain css js xml;
|
|
text/plain sh bash zsh fish;
|
|
text/plain awk sed;
|
|
text/plain yaml yml;
|
|
text/plain pl py lua rb;
|
|
text/plain nim hs;
|
|
text/plain java kt;
|
|
text/plain c cpp cxx h hpp hxx;
|
|
text/plain go mod sum;
|
|
text/plain patch txt;
|
|
}
|
|
|
|
set $mtype $map_mime;
|
|
if ($mtype) {
|
|
more_set_headers "Content-Type: $mtype";
|
|
}
|
|
|
|
if ($path_fragment ~ '^(bin|dat)$') {
|
|
add_header Content-Disposition "attachment; filename=$file_fragment";
|
|
}
|
|
|
|
if ($map_dl_fragment) {
|
|
more_set_headers "Content-Type: application/octet-stream";
|
|
add_header Content-Disposition "attachment; filename=$file_name";
|
|
}
|
|
}
|
|
|
|
include globals/error_pages.conf;
|
|
}
|
|
|