tcpasters/oci/rootfs/http/etc/nginx/nginx.conf
Thorsten Schubert 67a6a86e68
Exempt non-global addresses from rate limiting
2024-08-30 15:42:27 +02:00


# vi: set ft=nginx ts=2 sw=2 sts=-1 sr noet si tw=0 fdm=manual:
# SPDX-License-Identifier: AGPL-3.0-or-later
# Copyright © 2022 Thorsten Schubert <tschubert@bafh.org>
# Main (process-level) context: one worker, errors to stderr, PID file in /tmp.
worker_processes 1;
# Process-wide error log goes to stderr at "warn" severity.
error_log stderr warn;
# PID file lives under /tmp, like every temp path configured in the http block.
pid /tmp/nginx.pid;
# headers-more filter module: provides the more_clear_headers and
# more_set_headers directives used further down.
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
events {
# Upper bound on simultaneous connections for the single worker.
worker_connections 1024;
}
http {
# http-level defaults shared by every server block below.
# All nginx scratch directories point into /tmp.
# NOTE(review): presumably so nginx can run unprivileged and/or on a read-only
# root filesystem; confirm against the container definition.
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
# Extension-to-type table; anything unmatched is served as a generic binary.
include /etc/nginx/mime.types;
default_type application/octet-stream;
# "main" log format. It is defined here, but no access_log in this file uses it.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Request logging is disabled, so this process keeps no per-request record.
# NOTE(review): abuse investigation then depends on logs kept elsewhere
# (for example a fronting proxy); confirm that such logs exist.
access_log off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# Reset connections that time out instead of closing them normally.
reset_timedout_connection on;
keepalive_timeout 65;
# Cache of open file descriptors and lookup results, including lookup errors.
open_file_cache max=1024 inactive=10s;
open_file_cache_valid 120s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
#gzip on;
# Version disclosure: hide the nginx version and remove the Server header.
server_tokens off;
more_clear_headers 'Server';
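# Download request? True only when the second path segment is the literal "dl"
# and a non-empty third segment (the requested download filename) follows it.
# $dl_fragment comes from the request path and is copied into the
# Content-Disposition response header, so it is restricted here to bytes that
# cannot terminate or split that header value: no whitespace, no control
# characters, no double quote (\x22), no backslash (\x5c), no semicolon.
# \z anchors at the true end of the string; PCRE's "$" would also match just
# before a trailing newline. A name that fails the check is simply not treated
# as a download request.
map "$path_fragment:$dl_fragment" $map_dl_fragment {
	default 0;
	"~^dl:[^\s\x00-\x1f\x7f\x22\x5c;]+\z" 1;
}
# Custom filename? With "dl" and no third segment, fall back to the first path
# segment ($file_fragment); otherwise use the requested name, subject to the
# same character restriction as above. No default: any other input yields an
# empty $file_name.
map "$path_fragment:$dl_fragment" $file_name {
	"~^dl:$" "$file_fragment";
	"~^dl:[^\s\x00-\x1f\x7f\x22\x5c;]+\z" "$dl_fragment";
}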
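# Content type requested through the second path segment ($path_fragment).
# "default 0" keeps $map_mime false, so `if ($mtype)` in location / leaves the
# type chosen by the types table untouched when no keyword matches.
# The keyword is picked by whoever requests the URL, not by whoever stored the
# content. The html and svg entries therefore let stored content be delivered
# with an active content type. Script execution is then held back only by the
# server-level Content-Security-Policy (default-src 'none'), so that header
# must stay attached to these responses.
map "$path_fragment" $map_mime {
	default 0;
	"~^(txt|log|patch|raw|diff|awk|sh)$" 'text/plain';
	"~^(bin|dat)$" 'application/octet-stream';
	# Ogg container (Vorbis or Opus payload): audio/ogg is the file media type.
	"~^(ogg|opus)$" 'audio/ogg';
	"~^avif$" 'image/avif';
	# image/jpeg is the registered type; "image/jpg" is not a registered type.
	"~^jpg$" 'image/jpeg';
	"~^gif$" 'image/gif';
	"~^png$" 'image/png';
	"~^pdf$" 'application/pdf';
	"~^webp$" 'image/webp';
	"~^svgz?$" 'image/svg+xml';
	"~^json$" 'application/json';
	"~^html?$" 'text/html';
	"~^mp3$" 'audio/mpeg';
	"~^aac$" 'audio/aac';
	"~^mp4$" 'video/mp4';
	"~^avi$" 'video/x-msvideo';
	"~^mkv$" 'video/x-matroska';
	"~^wav$" 'audio/x-wav';
	"~^webm$" 'video/webm';
}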
server {
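# Catch-all virtual host on the unprivileged port 8080.
listen 8080 default_server;
server_name _;
# Missing files are not logged; server errors go to stderr at "notice".
log_not_found off;
error_log stderr notice;
rewrite_log off;
access_log off;
# Static site assets (index page). Stored pastes are served from a different
# root, set in "location /".
root /usr/share/nginx/html;
index index.html;
# Response headers for the whole server.
# nginx inherits add_header from this level only into blocks that declare no
# add_header of their own. Every location or "if" below that adds a header
# therefore sends none of the headers listed here unless it repeats them.
add_header Content-Security-Policy "default-src 'none'; img-src 'self'; frame-ancestors 'none'; block-all-mixed-content" always;
add_header Permissions-Policy interest-cohort=();
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
# Stored content is served under a content type forced by this configuration
# (text/plain for source files, see "location /"). Tell browsers not to sniff
# the body and override that type.
add_header X-Content-Type-Options "nosniff" always;
# NOTE(review): Expect-CT and X-XSS-Protection are deprecated in current
# browsers. They are kept as the author set them; consider dropping them.
add_header Expect-CT "enforce, max-age=63072000" always;
add_header X-XSS-Protection "1; mode=block" always;
error_page 403 /403.html;
error_page 404 /404.html;
# Refuse crawlers and archivers by User-Agent substring (case-insensitive).
# The header is client-supplied, so this is a courtesy filter, not an access
# control.
if ($http_user_agent ~* (google|archive|bing|yahoo|yandex|teoma|trident|baidu) ) {
	return 403;
}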
# Split /<file>/<keyword>[/<name>] into variables and serve only /<file>.
# Defaults: both variables are empty when the pattern below does not match, so
# the maps keyed on them fall through to their default or empty result.
set $path_fragment '';
set $dl_fragment '';
# $uri is matched here because $request_uri is still URL-encoded.
# Capture 1: first segment, 1-16 characters of word characters, "-", "_", ".",
#            plus an optional trailing dot -> $file_fragment
# Capture 2: second segment, 1-16 word characters or dots -> $path_fragment
# Capture 3: optional third segment, any characters except / & ? #
#            -> $dl_fragment
# NOTE(review): capture 3 is the only loosely constrained part, and it can
# reach a response header (Content-Disposition in "location /"). Any character
# restriction has to be enforced where the value is consumed.
if ($uri ~* "^\/([\w\d\-_.]{1,16}\.?)\/([\w\d\.]{1,16})(?:\/([^\/&?#]+))?\/?$)" {
set $file_fragment $1;
set $path_fragment $2;
set $dl_fragment $3;
# Drop everything after the first segment; location matching then restarts
# on the rewritten URI /<file>.
rewrite "^/([^\/]*)/([^\/]{1,16})(?:/.*)?$" /$1 last;
}
# Error documents for 403 and 404. "internal" means they are reachable only
# through error_page, not by requesting /403.html or /404.html directly.
location ~ "^/40(3|4).html$" {
internal;
root /usr/share/nginx/error_pages;
# Relaxed CSP so the error pages can use inline <style> elements.
# Declaring add_header here means the server-level add_header lines are not
# inherited: these responses carry this one header only.
add_header Content-Security-Policy "default-src 'none'; style-src-elem 'unsafe-inline'; img-src 'self'; frame-ancestors 'none'; block-all-mixed-content" always;
}
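# Inline robots.txt that disallows all crawling.
location = /robots.txt {
	# nginx sets Content-Type itself for a "return" body (types table, then
	# default_type). add_header would append a second Content-Type header
	# instead of setting it. It would also stop the server-level security
	# headers from being inherited into this location.
	default_type text/plain;
	return 200 "User-agent: *\nDisallow: /\n";
}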
# Connection counters for monitoring, limited to loopback and IPv6 link-local
# clients. Rules are evaluated in order, so the final "deny all" rejects
# everyone else.
# NOTE(review): the check uses the peer address nginx sees. If a proxy on a
# loopback or link-local address forwards external traffic to this port, those
# requests would pass. Confirm the deployment topology.
location /stub_status {
stub_status on;
allow 127.0.0.0/8;
allow ::1/128;
allow fe80::/10;
deny all;
}
# Exact matches for the landing page. The empty blocks keep these two URIs on
# the server-level root instead of falling into "location /" (paste storage).
location = / {}
location = /index.html {}
# Deny everything below the ".var" directory.
# NOTE(review): the dot is unescaped, so the pattern matches any single
# character before "var/" (for example "/xvar/"). That only widens the denial.
# Write "\." if a literal dot is intended.
location ~ ^/.var/.*$ {
return 403;
}
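# Stored pastes. The URI arriving here has already been reduced to /<file> by
# the server-level rewrite; the keyword and optional download name are in
# $path_fragment, $dl_fragment and the maps derived from them.
location / {
	root /var/lib/pasted;
	etag off;
	expires 1h;
	# Never follow symlinks inside the storage directory, and never list it.
	disable_symlinks on;
	autoindex off;
	# Unknown extensions are shown as plain text rather than offered as
	# binaries.
	default_type 'text/plain';
	include /etc/nginx/mime.types;
	# Source and markup extensions are forced to text/plain so stored content
	# is displayed, not interpreted. css, js and xml are deliberately included.
	types {
		text/plain md markdown;
		text/plain css js xml;
		text/plain sh bash zsh fish;
		text/plain awk sed;
		text/plain yaml yml;
		text/plain pl py lua rb;
		text/plain nim hs;
		text/plain java kt;
		text/plain c cpp cxx h hpp hxx;
		text/plain go mod sum;
		text/plain patch txt;
	}
	# Requester-selected content type. $map_mime is 0 unless the keyword is
	# known, and "if" treats "0" as false.
	set $mtype $map_mime;
	if ($mtype) {
		more_set_headers "Content-Type: $mtype";
	}
	# The filename parameter is sent as a quoted-string so names containing
	# characters outside the HTTP token set still form a well-formed header.
	# $file_fragment is limited by the server-level regex to word characters,
	# "-", "_" and ".".
	# NOTE(review): add_header inside these "if" blocks means the server-level
	# add_header lines (CSP, COOP, COEP, ...) are not inherited for download
	# responses.
	if ($path_fragment ~ '^(bin|dat)$') {
		add_header Content-Disposition "attachment; filename=\"$file_fragment\"";
	}
	# Explicit download: force a generic binary type and use the name chosen
	# by the $file_name map. That name originates from the request path. The
	# $map_dl_fragment / $file_name maps are the place to keep quotes,
	# backslashes and control characters out of it.
	if ($map_dl_fragment) {
		more_set_headers "Content-Type: application/octet-stream";
		add_header Content-Disposition "attachment; filename=\"$file_name\"";
	}
}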
}
}