commit b5b55be1a6a72e167d979afdc7fbf5e0109af1a6 Author: Daniel Micay Date: Mon May 24 13:52:50 2021 -0400 add nginx configuration
diff --git a/nginx/mime.types b/nginx/mime.types
new file mode 100644
index 0000000..2961256
--- /dev/null
+++ b/nginx/mime.types
@@ -0,0 +1,97 @@
+
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/svg+xml svg svgz;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/webp webp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+
+ font/woff woff;
+ font/woff2 woff2;
+
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.oasis.opendocument.graphics odg;
+ application/vnd.oasis.opendocument.presentation odp;
+ application/vnd.oasis.opendocument.spreadsheet ods;
+ application/vnd.oasis.opendocument.text odt;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation
+ pptx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+ xlsx;
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document
+ docx;
+ application/vnd.wap.wmlc wmlc;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..37f76e3
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,124 @@
+# nginx 1.20.x
+
+load_module modules/ngx_http_brotli_static_module.so;
+
+worker_processes auto;
+worker_rlimit_nofile 16384;
+
+events {
+ worker_connections 4096;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ charset utf-8;
+
+ sendfile on;
+ sendfile_max_chunk 512k;
+ tcp_nopush on;
+ keepalive_timeout 3m;
+ server_tokens off;
+ msie_padding off;
+
+ client_max_body_size 1k;
+ client_body_buffer_size 1k;
+ client_header_buffer_size 1k;
+ large_client_header_buffers 4 4k;
+ http2_recv_buffer_size 128k;
+
+ client_body_timeout 30s;
+ client_header_timeout 30s;
+ send_timeout 30s;
+
+ http2_max_concurrent_streams 32;
+ limit_conn_status 429;
+ limit_conn_zone $binary_remote_addr zone=addr:10m;
+ limit_conn addr 256;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+ ssl_prefer_server_ciphers on;
+ ssl_conf_command Options PrioritizeChaCha;
+
+ ssl_certificate /etc/letsencrypt/live/matrix.grapheneos.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/matrix.grapheneos.org/privkey.pem;
+
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ # maintained by nginx-rotate-session-ticket-keys in ramfs
+ ssl_session_ticket_key session-ticket-keys/4.key;
+ ssl_session_ticket_key session-ticket-keys/3.key;
+ ssl_session_ticket_key session-ticket-keys/2.key;
+ ssl_session_ticket_key session-ticket-keys/1.key;
+ ssl_buffer_size 4k;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/matrix.grapheneos.org/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ # maintained by certbot-ocsp-fetcher
+ ssl_stapling_file ocsp-cache/matrix.grapheneos.org.der;
+
+ log_format main '$remote_addr - $remote_user [$time_local] '
+ '"$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+ access_log /var/log/nginx/access.log main buffer=64k flush=1m;
+ error_log /var/log/nginx/error.log;
+ log_not_found off;
+
+ upstream backend {
+ server [::1]:8008 fail_timeout=1s;
+ }
+
+ server {
+ listen 80 backlog=4096;
+ listen [::]:80 backlog=4096;
+ server_name matrix.grapheneos.org;
+
+ root /var/empty;
+
+ return 301 https://matrix.grapheneos.org$request_uri;
+ }
+
+ server {
+ listen 443 ssl http2 backlog=4096;
+ listen [::]:443 ssl http2 backlog=4096;
+ server_name matrix.grapheneos.org;
+
+ root /var/empty;
+
+ include snippets/security-headers.conf;
+
+ location = / {
+ return 301 https://grapheneos.org/articles/grapheneos-servers#matrix.grapheneos.org;
+ }
+
+ location ~* ^(\/_matrix|\/_synapse\/client) {
+ include snippets/security-headers.conf;
+ add_header X-Robots-Tag "none";
+
+ proxy_pass http://backend;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+
+ client_max_body_size 50m;
+ client_body_buffer_size 16k;
+ }
+
+ location / {
+ return 404;
+ }
+ }
+
+ server {
+ listen 127.0.0.1:81;
+ listen [::1]:81;
+
+ location /nginx_status {
+ stub_status;
+ access_log off;
+ }
+ }
+}
diff --git a/nginx/snippets/security-headers.conf b/nginx/snippets/security-headers.conf
new file mode 100644
index 0000000..5901fa2
--- /dev/null
+++ b/nginx/snippets/security-headers.conf
@@ -0,0 +1,3 @@
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Expect-CT "enforce, max-age=63072000" always;
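Review bot: The loopback status server (`listen 127.0.0.1:81;` / `listen [::1]:81;`) sets no `root` and has no catch-all location, unlike the two public server blocks which both use `root /var/empty;`, so a request to any path other than `/nginx_status` on that port falls back to nginx's built-in default `root html` (relative to the prefix) and the index module. Even on loopback that is more than the single endpoint the block is meant to expose and it is inconsistent with the rest of the file; adding `root /var/empty;` and `location / { return 404; }` to that server block, and tightening the match to `location = /nginx_status {`, limits it to the status page. Separately, the proxied `location ~* ^(\/_matrix|\/_synapse\/client)` is case-insensitive and open-ended, so paths such as `/_matrixfoo` are also forwarded to the backend; if only the exact prefixes are intended, `location ^~ /_matrix` and `location ^~ /_synapse/client` express that without a regex.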