diff --git a/configs/nginx/nginx_advanced.example b/configs/nginx/nginx_advanced.example index d5d589dd..e5e86f0a 100644 --- a/configs/nginx/nginx_advanced.example +++ b/configs/nginx/nginx_advanced.example @@ -2,6 +2,21 @@ upstream chan { server 127.0.0.1:7000; } +server { + + server_name www.xxxxxxxx.loki xxxxxxxx.loki; + + client_max_body_size 0; + #address may vary if this address is already used by something other than lokinet + listen 172.16.0.1:80; + + include /etc/nginx/snippets/security_headers.conf; + include /etc/nginx/snippets/error_pages.conf; + include /etc/nginx/snippets/jschan_loki_routes.conf; + include /etc/nginx/snippets/jschan_common_routes.conf; + +} + server { server_name www.xxxxxxxx.onion xxxxxxxx.onion; @@ -13,7 +28,8 @@ server { include /etc/nginx/snippets/security_headers.conf; include /etc/nginx/snippets/error_pages.conf; - include /etc/nginx/snippets/jschan_routes_tor.conf; + include /etc/nginx/snippets/jschan_tor_routes.conf; + include /etc/nginx/snippets/jschan_common_routes.conf; } @@ -27,7 +43,8 @@ server { include /etc/nginx/snippets/security_headers.conf; include /etc/nginx/snippets/error_pages.conf; - include /etc/nginx/snippets/jschan_routes.conf; + include /etc/nginx/snippets/jschan_common_routes.conf; + include /etc/nginx/snippets/jschan_clearnet_routes.conf; listen [::]:443 ssl ipv6only=on; # managed by Certbot listen 443 ssl; # managed by Certbot @@ -52,5 +69,4 @@ server { listen 80; listen [::]:80; return 444; # managed by Certbot - } diff --git a/configs/nginx/snippets/jschan_clearnet_routes.conf b/configs/nginx/snippets/jschan_clearnet_routes.conf new file mode 100644 index 00000000..7958c39a --- /dev/null +++ b/configs/nginx/snippets/jschan_clearnet_routes.conf 
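Review bot: The new loki `server` block is the only one bound to `172.16.0.1:80`, so nginx hands it every request arriving on that address whatever the Host header says, and `jschan_loki_routes.conf` then labels the request `X-Country-Code 'LOKI'`. The inline comment only says the address may vary; it should also state the constraint, e.g. `#must be an address bound to the lokinet interface only; traffic from any other interface would be tagged LOKI`. `client_max_body_size 0;` removes nginx's request-body limit on this listener, so upload size is presumably enforced by the backend; a short comment saying so would show the choice is deliberate.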
@@ -0,0 +1,27 @@
+location / {
+ proxy_buffering off;
+ proxy_pass http://chan$request_uri;
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Country-Code $geoip_country_code;
+}
+
+location @backend {
+ proxy_buffering off;
+ proxy_pass http://chan$request_uri;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Country-Code $geoip_country_code;
+ proxy_set_header Connection '';
+ proxy_set_header Host $host;
+}
diff --git a/configs/nginx/snippets/jschan_routes_tor.conf b/configs/nginx/snippets/jschan_common_routes.conf
similarity index 68%
rename from configs/nginx/snippets/jschan_routes_tor.conf
rename to configs/nginx/snippets/jschan_common_routes.conf
index 44b0a985..eb14bc0d 100644
--- a/configs/nginx/snippets/jschan_routes_tor.conf
+++ b/configs/nginx/snippets/jschan_common_routes.conf
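Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in both `location /` and `location @backend` appends `$remote_addr` to whatever X-Forwarded-For header the client sent, so the backend receives a list whose leading entries are client-chosen. If nginx is the first hop, as this example appears to assume, pass only the address nginx saw: `proxy_set_header X-Forwarded-For $remote_addr;`. Otherwise the backend has to trust only X-Real-IP or the last list entry, and whether it does is not visible in this diff. The same line appears in the new `jschan_loki_routes.conf` and `jschan_tor_routes.conf`.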
@@ -31,45 +31,17 @@ location = /favicon.ico { } location = / { - return 302 http://$host/index.html; + return 302 $scheme://$host/index.html; } location /captcha { root /path/to/jschan/static/captcha; if ($cookie_captchaid) { - return 302 http://$host/captcha/$cookie_captchaid.jpg; + return 302 $scheme://$host/captcha/$cookie_captchaid.jpg; } try_files /$cookie_captchaid.jpg @backend; } -location / { - proxy_buffering off; - proxy_pass http://chan$request_uri; - proxy_http_version 1.1; - - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_cache_bypass $http_upgrade; - - proxy_set_header X-Forwarded-Proto http; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Country-Code 'TOR'; -} - -location @backend { - proxy_buffering off; - proxy_pass http://chan$request_uri; - proxy_http_version 1.1; - proxy_set_header X-Forwarded-Proto http; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Country-Code 'TOR'; - proxy_set_header Connection ''; - proxy_set_header Host $host; -} - # HTML location ~* \.html$ { expires 0; diff --git a/configs/nginx/snippets/jschan_loki_routes.conf b/configs/nginx/snippets/jschan_loki_routes.conf new file mode 100644 index 00000000..9d7bdeb1 --- /dev/null +++ b/configs/nginx/snippets/jschan_loki_routes.conf 
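Review bot: Both rewritten `return 302` lines build an absolute URL from `$scheme` and the request's `$host`, and the one in `location /captcha` also places `$cookie_captchaid` unchecked into the Location header. `$scheme` is only correct while nginx itself terminates TLS for the clearnet server; behind another TLS terminator the shared snippet would emit `http://` redirects. A path-only target removes the scheme and Host dependence, e.g. `return 302 /index.html;` together with `absolute_redirect off;` in the server blocks. The cookie test can be narrowed to the id format the backend issues, e.g. `if ($cookie_captchaid ~ "^[A-Za-z0-9]+$")` (the pattern is illustrative, confirm the real format).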
@@ -0,0 +1,27 @@
+location / {
+ proxy_buffering off;
+ proxy_pass http://chan$request_uri;
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_set_header X-Forwarded-Proto http;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Country-Code 'LOKI';
+}
+
+location @backend {
+ proxy_buffering off;
+ proxy_pass http://chan$request_uri;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-Proto http;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Country-Code 'LOKI';
+ proxy_set_header Connection '';
+ proxy_set_header Host $host;
+}
diff --git a/configs/nginx/snippets/jschan_routes.conf b/configs/nginx/snippets/jschan_routes.conf
deleted file mode 100644
index 29537a26..00000000
--- a/configs/nginx/snippets/jschan_routes.conf
+++ /dev/null
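Review bot: This snippet differs from `jschan_tor_routes.conf` only in the `X-Country-Code` value, and from `jschan_clearnet_routes.conf` only in that header and `X-Forwarded-Proto`, so three copies of the proxy settings now have to be kept in step by hand. Consider setting the two values per server block, e.g. `set $chan_country 'LOKI';` and `set $chan_proto http;` (variable names are illustrative), and using `proxy_set_header X-Country-Code $chan_country;` in one shared routes snippet. If the copies stay, a header comment in each, such as `# X-Country-Code is a fixed network label here, not a GeoIP lookup`, would document the one intended difference.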
@@ -1,122 +0,0 @@ -if ($request_uri ~ ^/(?!captcha|randombanner|forms|logout|socket\.io)) { - rewrite ^([^.\?]*[^/])$ $1/ redirect; - rewrite ^(.+)/$ $1/index.html redirect; -} - -location = /robots.txt { - access_log off; - add_header Content-Type text/plain; - return 200 "User-agent: *\nDisallow:\n"; -} - -location = /site.webmanifest { - access_log off; - expires max; - root /path/to/jschan/static/file; - try_files $uri =404; -} - -location = /browserconfig.xml { - access_log off; - expires max; - root /path/to/jschan/static/file; - try_files $uri =404; -} - -location = /favicon.ico { - access_log off; - expires max; - root /path/to/jschan/static/file; - try_files $uri =404; -} - -location = / { - return 302 https://$host/index.html; -} - -location /captcha { - root /path/to/jschan/static/captcha; - if ($cookie_captchaid) { - return 302 https://$host/captcha/$cookie_captchaid.jpg; - } - try_files /$cookie_captchaid.jpg @backend; -} - -location / { - proxy_buffering off; - proxy_pass http://chan$request_uri; - proxy_http_version 1.1; - - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_cache_bypass $http_upgrade; - - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Country-Code $geoip_country_code; -} - -location @backend { - proxy_buffering off; - proxy_pass http://chan$request_uri; - proxy_http_version 1.1; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Country-Code $geoip_country_code; - proxy_set_header Connection ''; - proxy_set_header Host $host; -} - -# HTML -location ~* \.html$ { - expires 0; - default_type text/html; #needed for cache control private in backend - root /path/to/jschan/static/html; - try_files $uri @backend; -} - -# JSON -location 
~* \.json$ { - expires 0; - root /path/to/jschan/static/json; - try_files $uri @backend; - #json doesnt hit backend if it doesnt exist yet. -} - -# CSS -location ~* \.css$ { - access_log off; - expires 1w; - root /path/to/jschan/static; - try_files $uri =404; -} - -# Scripts -location ~* \.js$ { - expires 1w; - access_log off; - root /path/to/jschan/static; - try_files $uri =404; -} - -# Files (image, video, audio, other) -location ~* \.(png|jpg|jpeg|webmanifest|apng|bmp|webp|pjpeg|jfif|gif|mp4|webm|mov|mkv|svg|flac|mp3|ogg|wav|opus)$ { - access_log off; - expires max; - root /path/to/jschan/static; - try_files $uri =404; -} - -# inline in browser so even HTML filetypes can be offered and will present a "save" dialog box -location ~* \.(txt|bin)$ { - access_log off; - expires max; - add_header Cache-Control "public"; - add_header X-Content-Type-Options "nosniff" always; - add_header Content-Disposition "attachment"; - root /path/to/jschan/static; - try_files $uri =404; -} diff --git a/configs/nginx/snippets/jschan_tor_routes.conf b/configs/nginx/snippets/jschan_tor_routes.conf new file mode 100644 index 00000000..59544e33 --- /dev/null +++ b/configs/nginx/snippets/jschan_tor_routes.conf 
@@ -0,0 +1,27 @@
+location / {
+ proxy_buffering off;
+ proxy_pass http://chan$request_uri;
+ proxy_http_version 1.1;
+
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_set_header X-Forwarded-Proto http;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Country-Code 'TOR';
+}
+
+location @backend {
+ proxy_buffering off;
+ proxy_pass http://chan$request_uri;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-Proto http;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Country-Code 'TOR';
+ proxy_set_header Connection '';
+ proxy_set_header Host $host;
+}