force higher iq nginx configs, and improve readme about it

merge-requests/341/head
Thomas Lynch 3 years ago
parent cc1f0ed2e1
commit 9f7b4a6d9d
  1. README.md (25)
  2. configs/nginx/README.md (5)
  3. configs/nginx/nginx.example (408)
  4. configs/nginx/nginx_advanced.example (72)
  5. configs/nginx/nginx_no_https.example (363)
  6. configs/nginx/snippets/security_headers.conf (2)
  7. configs/nginx/snippets/security_headers_nocache.conf (2)

@ -78,27 +78,26 @@ You may install Node.js yourself without nvm if you prefer.
**6. Configure nginx**
- Copy the nginx.example config to the sites-eavailable folder, and create a symlink from sites-available -> sites-enabled
- Copy the nginx example config and snippets, and create a symlink from sites-available -> sites-enabled
```bash
$ sudo cp configs/nginx/nginx.example /etc/nginx/sites-available/DOMAIN.COM
$ sudo ln -s /etc/nginx/sites-available/DOMAIN.COM /etc/nginx/sites-enabled/DOMAIN.COM
$ sudo cp configs/nginx/nginx.example /etc/nginx/sites-available/EXAMPLE.COM
$ sudo ln -s /etc/nginx/sites-available/EXAMPLE.COM /etc/nginx/sites-enabled/EXAMPLE.COM
$ sudo cp configs/nginx/snippets/* /etc/nginx/snippets
```
- If you have a .onion or .loki address, uncomment the block in /etc/nginx/sites-available/EXAMPLE.COM
Edit/replace the following in your nginx config:
- "domain.com" with your domain name
- "/path/to/jschan" with the path of your jschan root folder
- If using .onion, uncomment the .onion block, and replace the example address with your .onion
```bash
$ sudo editor /etc/nginx/sites-available/DOMAIN.COM
```
- "example.com" with your domain name
- "example.onion" or "example.loki" with your tor or lokinet address
`sed` can be used to automate this process:
```bash
$ sudo sed -i 's|/path/to/jschan|/path/to/your/install|g' /etc/nginx/sites-available/DOMAIN.COM
$ sudo sed -i 's/domain.com/your.domain.com/g' /etc/nginx/sites-available/DOMAIN.COM
$ sudo sed -i 's|/path/to/jschan|/path/to/your/install|g' /etc/nginx/sites-available/EXAMPLE.COM
$ sudo sed -i 's/example.com/your.example.com/g' /etc/nginx/sites-available/EXAMPLE.COM
```
- Make sure the sites enabled folder is included by `/etc/nginx/nginx.conf` (it is in debian nginx package)
- Make sure the sites enabled folder is included by `/etc/nginx/nginx.conf` (in debian nginx package this is already done)
- Use [certbot](https://certbot.eff.org/) to get a free https certificate.
- For post flags to work, [follow this guide](http://archive.is/2SMOb) to setup the [legacy GeoIP database](https://www.miyuru.lk/geoiplegacy) and add these directives to the http block in `/etc/nginx/nginx.conf`:
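Review bot: the `sed` commands in the new step 6 only rewrite `/etc/nginx/sites-available/EXAMPLE.COM`, but the snippets copied into `/etc/nginx/snippets` in the same step also carry placeholder values (`security_headers.conf` hardcodes `wss://example.com/` in its Content-Security-Policy, and the route snippets are where `/path/to/jschan` now lives), so a user who follows the README verbatim ends up with a CSP and static roots that still point at the example values. Either extend the substitution to the snippets, e.g. `sudo sed -i 's|/path/to/jschan|/path/to/your/install|g' /etc/nginx/snippets/jschan_*.conf` and the same for `example.com`, or say explicitly that the files in `/etc/nginx/snippets` must be edited too. Minor: `s/example.com/your.example.com/g` uses an unescaped `.`, which is harmless here but `s/example\.com/.../g` is the safer habit when the same line is copied for other domains.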
@ -111,8 +110,6 @@ If you plan on using hcaptcha or google recaptcha, you will need to modify the c
If you use cloudflare, please read [these](https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs-Logging-visitor-IP-addresses-with-mod-cloudflare-) [articles](https://support.cloudflare.com/hc/en-us/articles/200168236-Configuring-Cloudflare-IP-Geolocation) to setup proper IP forwarding and geolocation headers. Similar steps would apply to other CDNs/reverse proxies.
Also included is an "nginx_advanced" config, and a snippets folder for advanced users who want to better organise and more easily customise the nginx configuration. It functions the same as the normal nginx.example, but you need to create the snippets folder in /etc/nginx/snippets, copy the example snippets, and edit them with your domain and installation path.
**7. Clone this repo, browse to the folder and set some things up**
```bash
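Review bot: the removed paragraph was the only place that told the reader to create `/etc/nginx/snippets` before copying the example snippets into it, and the new step 6 runs `sudo cp configs/nginx/snippets/* /etc/nginx/snippets` without that step. The Debian package ships the directory, but other distributions and source builds do not; add `sudo mkdir -p /etc/nginx/snippets` before the copy (or a parenthetical like the one used for sites-enabled) so the copy does not fail or, worse, land the files in a single file named `snippets`.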

@ -1,3 +1,2 @@
`nginx.example` - Example nginx config with letsencrypt. You need to update with the path of installation, certificate paths, domain names, etc.
`nginx_no_https.example` - Same thing, without https. Can be used for testing and development.
`nginx_advanced.example` - An advanced example with both clearnet and tor, with snippets to reduce repitition for a cleaner config
`nginx.example` is your /etc/nginx/sites-available/example.com file
`snippets/*` goes in /etc/nginx/snippets/

@ -1,379 +1,67 @@
upstream chan {
server localhost:7000;
server 127.0.0.1:7000;
}
server {
server_name domain.com www.domain.com;
client_max_body_size 0; #limit handled by upstream for better errors
server_tokens off;
add_header Cache-Control "public";
add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
error_page 404 /404.html;
error_page 500 /500.html;
error_page 502 /502.html;
error_page 503 /503.html;
error_page 504 /504.html;
location = /404.html {
root /path/to/jschan/static/html;
internal;
}
location = /500.html {
root /path/to/jschan/static/html;
internal;
}
location = /502.html {
root /path/to/jschan/static/html;
internal;
}
location = /503.html {
root /path/to/jschan/static/html;
internal;
}
location = /504.html {
root /path/to/jschan/static/html;
internal;
}
if ($request_uri ~ ^/(?!captcha|randombanner|forms|socket\.io)) {
rewrite ^([^.\?]*[^/])$ $1/ redirect;
rewrite ^(.+)/$ $1/index.html redirect;
}
location = /robots.txt {
access_log off;
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow:\n";
}
location = / {
return 302 https://$host/index.html;
}
location /captcha {
access_log off;
root /path/to/jschan/static/captcha;
if ($cookie_captchaid) {
return 302 https://$host/captcha/$cookie_captchaid.jpg;
}
try_files /$cookie_captchaid.jpg @backend;
}
location / {
proxy_buffering off;
proxy_pass http://chan$request_uri;
proxy_http_version 1.1;
#websocket
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Country-Code $geoip_country_code;
}
location @backend {
proxy_buffering off;
proxy_pass http://chan$request_uri;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Country-Code $geoip_country_code;
proxy_set_header Connection '';
proxy_set_header Host $host;
}
location @backend-private {
#no cache control public
add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
proxy_buffering off;
proxy_pass http://chan$request_uri;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Country-Code $geoip_country_code;
proxy_set_header Connection '';
proxy_set_header Host $host;
}
# authed, no cache pages
location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
expires 0;
try_files /dev/null @backend-private;
}
# public html
location ~* \.html$ {
expires 0;
root /path/to/jschan/static/html;
try_files $uri @backend;
}
# public json
location ~* \.json$ {
expires 0;
root /path/to/jschan/static/json;
try_files $uri @backend;
}
# CSS
location ~* \.css$ {
access_log off;
expires 1d;
root /path/to/jschan/static;
try_files $uri =404;
}
# Scripts
location ~* \.js$ {
expires 1d;
access_log off;
root /path/to/jschan/static;
try_files $uri =404;
}
# Files (image, video, audio, other)
location ~* \.(png|jpg|jpeg|bmp|webmanifest|xml|ico|gif|apng|webp|jfif|pjpeg|mkv|mp4|webm|mov|svg|flac|mp3|ogg|wav|opus)$ {
access_log off;
expires max;
root /path/to/jschan/static;
try_files $uri =404;
}
# uncomment for lokinet snapp
#server {
# server_name www.example.loki example.loki;
# client_max_body_size 0;
#
# #address may vary if this address is already used by something other than lokinet
# listen 172.16.0.1:80;
#
# include /etc/nginx/snippets/security_headers.conf;
# include /etc/nginx/snippets/error_pages.conf;
# include /etc/nginx/snippets/jschan_common_routes.conf;
# include /etc/nginx/snippets/jschan_loki_routes.conf;
#}
# "Other" Files for custom type uploads, uses content-disposition to prevent rendering
# inline in browser and will present a "save" dialog box. make sure these file
# extensions match for mimes defined in global settings
# location ~* \.(txt)$ {
# access_log off;
# expires max;
# add_header Cache-Control "public";
# add_header X-Content-Type-Options "nosniff" always;
# add_header Content-Disposition "attachment";
# root /path/to/jschan/static;
# try_files $uri =404;
# }
# uncomment for .onion tor hidden service
#server {
# server_name www.example.onion example.onion;
# client_max_body_size 0;
#
# listen unix:/var/run/nginx-tor.sock;
# allow "unix:";
# deny all;
#
# include /etc/nginx/snippets/security_headers.conf;
# include /etc/nginx/snippets/error_pages.conf;
# include /etc/nginx/snippets/jschan_common_routes.conf;
# include /etc/nginx/snippets/jschan_tor_routes.conf;
#}
listen 443 ssl http2; # managed by Certbot
listen [::]:443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
server {
server_name www.example.com example.com;
client_max_body_size 0;
#uncomment if you have a .onion
#add_header onion-location 'http://example.onion$request_uri';
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
include /etc/nginx/snippets/security_headers.conf;
include /etc/nginx/snippets/error_pages.conf;
include /etc/nginx/snippets/jschan_clearnet_routes.conf;
include /etc/nginx/snippets/jschan_common_routes.conf;
}
server {
listen 80;
listen [::]:80;
server_name domain.com www.domain.com;
if ($host = www.domain.com) {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = domain.com) {
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
return 444; # managed by Certbot
server_name www.example.com example.com;
listen 80;
listen [::]:80;
return 444; # managed by Certbot
}
##OPTIONAL, tor config
#server {
#
# server_name zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.onion;
# client_max_body_size 0; #limit handled by upstream for better errors
# server_tokens off;
#
# add_header Cache-Control "public";
# add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
# add_header Referrer-Policy "same-origin" always;
# add_header X-Frame-Options "sameorigin" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-XSS-Protection "1; mode=block" always;
#
# error_page 404 /404.html;
# error_page 500 /500.html;
# error_page 502 /502.html;
# error_page 503 /503.html;
# error_page 504 /504.html;
# location = /404.html {
# root /path/to/jschan/static/html;
# internal;
# }
# location = /500.html {
# root /path/to/jschan/static/html;
# internal;
# }
# location = /502.html {
# root /path/to/jschan/static/html;
# internal;
# }
# location = /503.html {
# root /path/to/jschan/static/html;
# internal;
# }
# location = /504.html {
# root /path/to/jschan/static/html;
# internal;
# }
#
# if ($request_uri ~ ^/(?!captcha|randombanner|forms|socket\.io)) {
# rewrite ^([^.\?]*[^/])$ $1/ redirect;
# rewrite ^(.+)/$ $1/index.html redirect;
# }
#
# location = /robots.txt {
# access_log off;
# add_header Content-Type text/plain;
# return 200 "User-agent: *\nDisallow:\n";
# }
#
# location = /favicon.ico {
# access_log off;
# expires max;
# root /path/to/jschan/static/file;
# try_files $uri =404;
# }
#
# location = / {
# return 302 http://$host/index.html;
# }
#
# location /captcha {
# access_log off;
# root /path/to/jschan/static/captcha;
# if ($cookie_captchaid) {
# return 302 http://$host/captcha/$cookie_captchaid.jpg;
# }
# try_files /$cookie_captchaid.jpg @backend;
# }
#
# location / {
# proxy_buffering off;
# proxy_pass http://chan$request_uri;
# proxy_http_version 1.1;
#
# #websocket
# proxy_set_header Host $host;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection 'upgrade';
# proxy_cache_bypass $http_upgrade;
#
# proxy_set_header X-Forwarded-Proto http;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Country-Code 'TOR';
# }
#
# location @backend {
# proxy_buffering off;
# proxy_pass http://chan$request_uri;
# proxy_http_version 1.1;
# proxy_set_header X-Forwarded-Proto http;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Country-Code 'TOR';
# proxy_set_header Connection '';
# proxy_set_header Host $host;
# }
#
# location @backend-private {
# #no cache control public
# add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
# add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
# add_header X-Frame-Options "sameorigin" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-XSS-Protection "1; mode=block" always;
# proxy_buffering off;
# proxy_pass http://chan$request_uri;
# proxy_http_version 1.1;
# proxy_set_header X-Forwarded-Proto http;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Country-Code 'TOR';
# proxy_set_header Connection '';
# proxy_set_header Host $host;
# }
#
# # authed, no cache pages
# location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
# expires 0;
# try_files /dev/null @backend-private;
# }
#
# # HTML
# location ~* \.html$ {
# expires 0;
# root /path/to/jschan/static/html;
# try_files $uri @backend;
# }
#
# # JSON
# location ~* \.json$ {
# expires 0;
# root /path/to/jschan/static/json;
# try_files $uri @backend;
# #json doesnt hit backend if it doesnt exist yet.
# }
#
# # CSS
# location ~* \.css$ {
# access_log off;
# expires 1d;
# root /path/to/jschan/static;
# try_files $uri =404;
# }
#
# # Scripts
# location ~* \.js$ {
# expires 1d;
# access_log off;
# root /path/to/jschan/static;
# try_files $uri =404;
# }
#
# # Files (image, video, audio, other)
# location ~* \.(png|jpg|jpeg|webmanifest|xml|ico|bmp|gif|apng|webp|jfif|pjpeg|mkv|mp4|webm|mov|svg|flac|mp3|ogg|wav|opus)$ {
# access_log off;
# expires max;
# root /path/to/jschan/static;
# try_files $uri =404;
# }
#
# # "Other" Files for custom type uploads, uses content-disposition to prevent rendering
# # inline in browser and will present a "save" dialog box. make sure these file
# # extensions match for mimes defined in global settings
# location ~* \.(txt)$ {
# access_log off;
# expires max;
# add_header Cache-Control "public";
# add_header X-Content-Type-Options "nosniff" always;
# add_header Content-Disposition "attachment";
# root /path/to/jschan/static;
# try_files $uri =404;
# }
#
# listen 127.0.0.1:80;
# listen [::1]:80;
#
#}
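Review bot: the new clearnet `server` block (`server_name www.example.com example.com;`) has no `server_tokens off;` and its `listen 443 ssl;` lines no longer carry `http2`, both of which the replaced block had (`server_tokens off;` and `listen 443 ssl http2; # managed by Certbot`). Unless `server_tokens off;` has moved into `security_headers.conf` (the visible hunk for that file shows only `add_header` lines, and `add_header` snippets are usually included per location too, where `server_tokens` does not belong), put it back in the server block; for `http2`, either restore it on both `listen` lines or note in the README that it was dropped on purpose. The tor and lokinet blocks being commented out by default is sensible, and keeping `allow "unix:"; deny all;` on the unix-socket listener is the right guard against the onion vhost being reachable over the clearnet listener.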

@ -1,72 +0,0 @@
upstream chan {
server 127.0.0.1:7000;
}
server {
server_name www.xxxxxxxx.loki xxxxxxxx.loki;
client_max_body_size 0;
#address may vary if this address is already used by something other than lokinet
listen 172.16.0.1:80;
include /etc/nginx/snippets/security_headers.conf;
include /etc/nginx/snippets/error_pages.conf;
include /etc/nginx/snippets/jschan_loki_routes.conf;
include /etc/nginx/snippets/jschan_common_routes.conf;
}
server {
server_name www.xxxxxxxx.onion xxxxxxxx.onion;
client_max_body_size 0;
listen unix:/var/run/nginx-tor.sock;
allow "unix:";
deny all;
include /etc/nginx/snippets/security_headers.conf;
include /etc/nginx/snippets/error_pages.conf;
include /etc/nginx/snippets/jschan_tor_routes.conf;
include /etc/nginx/snippets/jschan_common_routes.conf;
}
server {
server_name www.example.com example.com;
client_max_body_size 0;
#header will tell tor users accessing clearnet endpoint to use onion service
add_header onion-location 'http://xxxxxxxxxxx.onion$request_uri';
include /etc/nginx/snippets/security_headers.conf;
include /etc/nginx/snippets/error_pages.conf;
include /etc/nginx/snippets/jschan_common_routes.conf;
include /etc/nginx/snippets/jschan_clearnet_routes.conf;
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name www.example.com example.com;
listen 80;
listen [::]:80;
return 444; # managed by Certbot
}
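Review bot: the include order in this deleted file differs from the commented-out tor and lokinet blocks that replace it in `nginx.example`: here `jschan_loki_routes.conf` / `jschan_tor_routes.conf` come before `jschan_common_routes.conf`, there `jschan_common_routes.conf` comes first. Exact and prefix `location` blocks are matched independently of file order, but regex `location ~` blocks are tried in the order they appear and the first match wins, so if either snippet defines regex locations (the old inline config did, e.g. `location ~* \.html$`) the swap can change which block handles a path; worth a quick check of the snippets and a line in the commit message either way. Also, the `onion-location` header was active in this file but is commented out in `nginx.example`, so users migrating from the advanced config need to re-enable it themselves.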

@ -1,363 +0,0 @@
upstream chan {
server localhost:7000;
}
server {
server_name domain.com www.domain.com;
client_max_body_size 0; #limit handled by upstream for better errors
server_tokens off;
add_header Cache-Control "public";
add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' ws://domain.com/" always;
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
error_page 404 /404.html;
error_page 500 /500.html;
error_page 502 /502.html;
error_page 503 /503.html;
error_page 504 /504.html;
location = /404.html {
root /path/to/jschan/static/html;
internal;
}
location = /500.html {
root /path/to/jschan/static/html;
internal;
}
location = /502.html {
root /path/to/jschan/static/html;
internal;
}
location = /503.html {
root /path/to/jschan/static/html;
internal;
}
location = /504.html {
root /path/to/jschan/static/html;
internal;
}
if ($request_uri ~ ^/(?!captcha|randombanner|forms|socket\.io)) {
rewrite ^([^.\?]*[^/])$ $1/ redirect;
rewrite ^(.+)/$ $1/index.html redirect;
}
location = /robots.txt {
access_log off;
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow:\n";
}
location = /favicon.ico {
access_log off;
expires max;
root /path/to/jschan/static/file;
try_files $uri =404;
}
location = / {
return 302 http://$host/index.html;
}
location /captcha {
access_log off;
root /path/to/jschan/static/captcha;
if ($cookie_captchaid) {
return 302 http://$host/captcha/$cookie_captchaid.jpg;
}
try_files /$cookie_captchaid.jpg @backend;
}
location / {
proxy_buffering off;
proxy_pass http://chan$request_uri;
proxy_http_version 1.1;
#websocket
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Country-Code $geoip_country_code;
}
location @backend {
proxy_buffering off;
proxy_pass http://chan$request_uri;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Country-Code $geoip_country_code;
proxy_set_header Connection '';
proxy_set_header Host $host;
}
location @backend-private {
#no cache control public
add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
proxy_buffering off;
proxy_pass http://chan$request_uri;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Country-Code $geoip_country_code;
proxy_set_header Connection '';
proxy_set_header Host $host;
}
# authed, no cache pages
location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
expires 0;
try_files /dev/null @backend-private;
}
# public html
location ~* \.html$ {
expires 0;
root /path/to/jschan/static/html;
try_files $uri @backend;
}
# public json
location ~* \.json$ {
expires 0;
root /path/to/jschan/static/json;
try_files $uri @backend;
}
# CSS
location ~* \.css$ {
access_log off;
expires 1d;
root /path/to/jschan/static;
try_files $uri =404;
}
# Scripts
location ~* \.js$ {
expires 1d;
access_log off;
root /path/to/jschan/static;
try_files $uri =404;
}
# Files (image, video, audio, other)
location ~* \.(png|jpg|jpeg|bmp|webmanifest|xml|ico|gif|apng|webp|pjpeg|jfif|mkv|mp4|webm|mov|svg|flac|mp3|ogg|wav|opus)$ {
access_log off;
expires max;
root /path/to/jschan/static;
try_files $uri =404;
}
# "Other" Files for custom type uploads, uses content-disposition to prevent rendering
# inline in browser and will present a "save" dialog box. make sure these file
# extensions match for mimes defined in global settings
# location ~* \.(txt)$ {
# access_log off;
# expires max;
# add_header Cache-Control "public";
# add_header X-Content-Type-Options "nosniff" always;
# add_header Content-Disposition "attachment";
# root /path/to/jschan/static;
# try_files $uri =404;
# }
listen 80;
listen [::]:80;
}
##OPTIONAL, tor config
#server {
#
# server_name zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.onion;
# client_max_body_size 0; #limit handled by upstream for better errors
# server_tokens off;
#
# error_page 404 /404.html;
# error_page 500 /500.html;
# error_page 502 /502.html;
# error_page 503 /503.html;
# error_page 504 /504.html;
# location = /404.html {
# root /path/to/jschan/static/html;
# internal;
# }
# location = /500.html {
# root /path/to/jschan/static/html;
# internal;
# }
# location = /502.html {
# root /path/to/jschan/static/html;
# internal;
# }
# location = /503.html {
# root /path/to/jschan/static/html;
# internal;
# }
# location = /504.html {
# root /path/to/jschan/static/html;
# internal;
# }
#
# add_header Cache-Control "public";
# add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'" always;
# add_header Referrer-Policy "same-origin" always;
# add_header X-Frame-Options "sameorigin" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-XSS-Protection "1; mode=block" always;
#
# if ($request_uri ~ ^/(?!captcha|randombanner|forms|socket\.io)) {
# rewrite ^([^.\?]*[^/])$ $1/ redirect;
# rewrite ^(.+)/$ $1/index.html redirect;
# }
#
# location = /robots.txt {
# access_log off;
# add_header Content-Type text/plain;
# return 200 "User-agent: *\nDisallow:\n";
# }
#
# location = /favicon.ico {
# access_log off;
# expires max;
# root /path/to/jschan/static/file;
# try_files $uri =404;
# }
#
# location = / {
# return 302 http://$host/index.html;
# }
#
# location /captcha {
# access_log off;
# root /path/to/jschan/static/captcha;
# if ($cookie_captchaid) {
# return 302 http://$host/captcha/$cookie_captchaid.jpg;
# }
# try_files /$cookie_captchaid.jpg @backend;
# }
#
# location / {
# proxy_buffering off;
# proxy_pass http://chan$request_uri;
# proxy_http_version 1.1;
#
# #websocket
# proxy_set_header Host $host;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection 'upgrade';
# proxy_cache_bypass $http_upgrade;
#
# proxy_set_header X-Forwarded-Proto http;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Country-Code 'TOR';
# }
#
# location @backend {
# proxy_buffering off;
# proxy_pass http://chan$request_uri;
# proxy_http_version 1.1;
# proxy_set_header X-Forwarded-Proto http;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Country-Code 'TOR';
# proxy_set_header Connection '';
# proxy_set_header Host $host;
# }
#
# location @backend-private {
# #no cache control public
# add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
# add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
# add_header X-Frame-Options "sameorigin" always;
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-XSS-Protection "1; mode=block" always;
# proxy_buffering off;
# proxy_pass http://chan$request_uri;
# proxy_http_version 1.1;
# proxy_set_header X-Forwarded-Proto http;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Country-Code 'TOR';
# proxy_set_header Connection '';
# proxy_set_header Host $host;
# }
#
# # authed, no cache pages
# location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ {
# expires 0;
# try_files /dev/null @backend-private;
# }
#
# # HTML
# location ~* \.html$ {
# expires 0;
# root /path/to/jschan/static/html;
# try_files $uri @backend;
# }
#
# # JSON
# location ~* \.json$ {
# expires 0;
# root /path/to/jschan/static/json;
# try_files $uri @backend;
# #json doesnt hit backend if it doesnt exist yet.
# }
#
# # CSS
# location ~* \.css$ {
# access_log off;
# expires 1d;
# root /path/to/jschan/static;
# try_files $uri =404;
# }
#
# # Scripts
# location ~* \.js$ {
# expires 1d;
# access_log off;
# root /path/to/jschan/static;
# try_files $uri =404;
# }
#
# # Files (image, video, audio, other)
# location ~* \.(png|jpg|jpeg|bmp|webmanifest|xml|ico|gif|apng|webp|jfif|pjpeg|mkv|mp4|webm|mov|svg|flac|mp3|ogg|wav|opus)$ {
# access_log off;
# expires max;
# root /path/to/jschan/static;
# try_files $uri =404;
# }
#
# # "Other" Files for custom type uploads, uses content-disposition to prevent rendering
# # inline in browser and will present a "save" dialog box. make sure these file
# # extensions match for mimes defined in global settings
# location ~* \.(txt)$ {
# access_log off;
# expires max;
# add_header Cache-Control "public";
# add_header X-Content-Type-Options "nosniff" always;
# add_header Content-Disposition "attachment";
# root /path/to/jschan/static;
# try_files $uri =404;
# }
#
# listen 127.0.0.1:80;
# listen [::1]:80;
#
#}
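Review bot: deleting this file, together with the README line that described it as usable "for testing and development", leaves no documented http-only path for running jschan locally without a certificate. If that is the intent, say so in the README (for example that development should use the snippets with a self-signed cert, or whatever the project prefers) so people do not resurrect a stale copy of this 363-line config from git history.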

@ -1,5 +1,5 @@
add_header Cache-Control "public";
add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://example.com/" always;
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-Content-Type-Options "nosniff" always;
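Review bot: `connect-src 'self' wss://example.com/` hardcodes the bare domain, and the README's `sed` commands touch only `/etc/nginx/sites-available/EXAMPLE.COM`, so a deployment that follows the README ships this snippet with the placeholder still in place and the browser's CSP report will show websocket connections judged against `example.com`. Either extend the README substitution to `/etc/nginx/snippets/*.conf` or mark this line as one that must be edited. Separately, a visitor on `www.example.com` opens the socket to `wss://www.example.com/`, which this entry does not list; it works only because `'self'` matches same-origin `wss:` in current browsers, so listing both hostnames would make the intent explicit.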

@ -1,4 +1,4 @@
add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always;
add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://example.com/" always;
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-Content-Type-Options "nosniff" always;
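Review bot: this file now repeats the full Content-Security-Policy string from `security_headers.conf` verbatim, and this commit had to change the same value in both places. Since nginx `include` directives nest, `security_headers.conf` could simply `include /etc/nginx/snippets/security_headers_nocache.conf;` and add only its extra `add_header Cache-Control "public";`, so the CSP is maintained in one file and the two snippets cannot drift apart the next time a source is added to `frame-src` or `connect-src`.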
