mirror of https://gitgud.io/fatchan/jschan.git
parent
cc1f0ed2e1
commit
9f7b4a6d9d
7 changed files with 63 additions and 814 deletions
@ -1,3 +1,2 @@ |
||||
`nginx.example` - Example nginx config with letsencrypt. You need to update with the path of installation, certificate paths, domain names, etc. |
||||
`nginx_no_https.example` - Same thing, without https. Can be used for testing and development. |
||||
`nginx_advanced.example` - An advanced example with both clearnet and tor, with snippets to reduce repitition for a cleaner config |
||||
`nginx.example` is your /etc/nginx/sites-available/example.com file |
||||
`snippets/*` goes in /etc/nginx/snippets/ |
||||
|
@ -1,72 +0,0 @@ |
||||
upstream chan { |
||||
server 127.0.0.1:7000; |
||||
} |
||||
|
||||
server { |
||||
|
||||
server_name www.xxxxxxxx.loki xxxxxxxx.loki; |
||||
|
||||
client_max_body_size 0; |
||||
#address may vary if this address is already used by something other than lokinet |
||||
listen 172.16.0.1:80; |
||||
|
||||
include /etc/nginx/snippets/security_headers.conf; |
||||
include /etc/nginx/snippets/error_pages.conf; |
||||
include /etc/nginx/snippets/jschan_loki_routes.conf; |
||||
include /etc/nginx/snippets/jschan_common_routes.conf; |
||||
|
||||
} |
||||
|
||||
server { |
||||
|
||||
server_name www.xxxxxxxx.onion xxxxxxxx.onion; |
||||
|
||||
client_max_body_size 0; |
||||
listen unix:/var/run/nginx-tor.sock; |
||||
allow "unix:"; |
||||
deny all; |
||||
|
||||
include /etc/nginx/snippets/security_headers.conf; |
||||
include /etc/nginx/snippets/error_pages.conf; |
||||
include /etc/nginx/snippets/jschan_tor_routes.conf; |
||||
include /etc/nginx/snippets/jschan_common_routes.conf; |
||||
|
||||
} |
||||
|
||||
server { |
||||
|
||||
server_name www.example.com example.com; |
||||
|
||||
client_max_body_size 0; |
||||
#header will tell tor users accessing clearnet endpoint to use onion service |
||||
add_header onion-location 'http://xxxxxxxxxxx.onion$request_uri'; |
||||
|
||||
include /etc/nginx/snippets/security_headers.conf; |
||||
include /etc/nginx/snippets/error_pages.conf; |
||||
include /etc/nginx/snippets/jschan_common_routes.conf; |
||||
include /etc/nginx/snippets/jschan_clearnet_routes.conf; |
||||
|
||||
listen [::]:443 ssl ipv6only=on; # managed by Certbot |
||||
listen 443 ssl; # managed by Certbot |
||||
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot |
||||
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot |
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot |
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot |
||||
|
||||
} |
||||
|
||||
server { |
||||
if ($host = www.example.com) { |
||||
return 301 https://$host$request_uri; |
||||
} # managed by Certbot |
||||
|
||||
if ($host = example.com) { |
||||
return 301 https://$host$request_uri; |
||||
} # managed by Certbot |
||||
|
||||
server_name www.example.com example.com; |
||||
|
||||
listen 80; |
||||
listen [::]:80; |
||||
return 444; # managed by Certbot |
||||
} |
@ -1,363 +0,0 @@ |
||||
upstream chan { |
||||
server localhost:7000; |
||||
} |
||||
|
||||
server { |
||||
|
||||
server_name domain.com www.domain.com; |
||||
client_max_body_size 0; #limit handled by upstream for better errors |
||||
server_tokens off; |
||||
|
||||
add_header Cache-Control "public"; |
||||
add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' ws://domain.com/" always; |
||||
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always; |
||||
add_header X-Frame-Options "sameorigin" always; |
||||
add_header X-Content-Type-Options "nosniff" always; |
||||
add_header X-XSS-Protection "1; mode=block" always; |
||||
|
||||
error_page 404 /404.html; |
||||
error_page 500 /500.html; |
||||
error_page 502 /502.html; |
||||
error_page 503 /503.html; |
||||
error_page 504 /504.html; |
||||
location = /404.html { |
||||
root /path/to/jschan/static/html; |
||||
internal; |
||||
} |
||||
location = /500.html { |
||||
root /path/to/jschan/static/html; |
||||
internal; |
||||
} |
||||
location = /502.html { |
||||
root /path/to/jschan/static/html; |
||||
internal; |
||||
} |
||||
location = /503.html { |
||||
root /path/to/jschan/static/html; |
||||
internal; |
||||
} |
||||
location = /504.html { |
||||
root /path/to/jschan/static/html; |
||||
internal; |
||||
} |
||||
|
||||
if ($request_uri ~ ^/(?!captcha|randombanner|forms|socket\.io)) { |
||||
rewrite ^([^.\?]*[^/])$ $1/ redirect; |
||||
rewrite ^(.+)/$ $1/index.html redirect; |
||||
} |
||||
|
||||
location = /robots.txt { |
||||
access_log off; |
||||
add_header Content-Type text/plain; |
||||
return 200 "User-agent: *\nDisallow:\n"; |
||||
} |
||||
|
||||
location = /favicon.ico { |
||||
access_log off; |
||||
expires max; |
||||
root /path/to/jschan/static/file; |
||||
try_files $uri =404; |
||||
} |
||||
|
||||
location = / { |
||||
return 302 http://$host/index.html; |
||||
} |
||||
|
||||
location /captcha { |
||||
access_log off; |
||||
root /path/to/jschan/static/captcha; |
||||
if ($cookie_captchaid) { |
||||
return 302 http://$host/captcha/$cookie_captchaid.jpg; |
||||
} |
||||
try_files /$cookie_captchaid.jpg @backend; |
||||
} |
||||
|
||||
location / { |
||||
proxy_buffering off; |
||||
proxy_pass http://chan$request_uri; |
||||
proxy_http_version 1.1; |
||||
|
||||
#websocket |
||||
proxy_set_header Host $host; |
||||
proxy_set_header Upgrade $http_upgrade; |
||||
proxy_set_header Connection 'upgrade'; |
||||
proxy_cache_bypass $http_upgrade; |
||||
|
||||
proxy_set_header X-Forwarded-Proto http; |
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||
proxy_set_header X-Real-IP $remote_addr; |
||||
proxy_set_header X-Country-Code $geoip_country_code; |
||||
} |
||||
|
||||
location @backend { |
||||
proxy_buffering off; |
||||
proxy_pass http://chan$request_uri; |
||||
proxy_http_version 1.1; |
||||
proxy_set_header X-Forwarded-Proto http; |
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||
proxy_set_header X-Real-IP $remote_addr; |
||||
proxy_set_header X-Country-Code $geoip_country_code; |
||||
proxy_set_header Connection ''; |
||||
proxy_set_header Host $host; |
||||
} |
||||
|
||||
location @backend-private { |
||||
#no cache control public |
||||
add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always; |
||||
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always; |
||||
add_header X-Frame-Options "sameorigin" always; |
||||
add_header X-Content-Type-Options "nosniff" always; |
||||
add_header X-XSS-Protection "1; mode=block" always; |
||||
proxy_buffering off; |
||||
proxy_pass http://chan$request_uri; |
||||
proxy_http_version 1.1; |
||||
proxy_set_header X-Forwarded-Proto http; |
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||
proxy_set_header X-Real-IP $remote_addr; |
||||
proxy_set_header X-Country-Code $geoip_country_code; |
||||
proxy_set_header Connection ''; |
||||
proxy_set_header Host $host; |
||||
} |
||||
|
||||
# authed, no cache pages |
||||
location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ { |
||||
expires 0; |
||||
try_files /dev/null @backend-private; |
||||
} |
||||
|
||||
# public html |
||||
location ~* \.html$ { |
||||
expires 0; |
||||
root /path/to/jschan/static/html; |
||||
try_files $uri @backend; |
||||
} |
||||
|
||||
# public json |
||||
location ~* \.json$ { |
||||
expires 0; |
||||
root /path/to/jschan/static/json; |
||||
try_files $uri @backend; |
||||
} |
||||
|
||||
# CSS |
||||
location ~* \.css$ { |
||||
access_log off; |
||||
expires 1d; |
||||
root /path/to/jschan/static; |
||||
try_files $uri =404; |
||||
} |
||||
|
||||
# Scripts |
||||
location ~* \.js$ { |
||||
expires 1d; |
||||
access_log off; |
||||
root /path/to/jschan/static; |
||||
try_files $uri =404; |
||||
} |
||||
|
||||
# Files (image, video, audio, other) |
||||
location ~* \.(png|jpg|jpeg|bmp|webmanifest|xml|ico|gif|apng|webp|pjpeg|jfif|mkv|mp4|webm|mov|svg|flac|mp3|ogg|wav|opus)$ { |
||||
access_log off; |
||||
expires max; |
||||
root /path/to/jschan/static; |
||||
try_files $uri =404; |
||||
} |
||||
|
||||
# "Other" Files for custom type uploads, uses content-disposition to prevent rendering |
||||
# inline in browser and will present a "save" dialog box. make sure these file |
||||
# extensions match for mimes defined in global settings |
||||
# location ~* \.(txt)$ { |
||||
# access_log off; |
||||
# expires max; |
||||
# add_header Cache-Control "public"; |
||||
# add_header X-Content-Type-Options "nosniff" always; |
||||
# add_header Content-Disposition "attachment"; |
||||
# root /path/to/jschan/static; |
||||
# try_files $uri =404; |
||||
# } |
||||
|
||||
listen 80; |
||||
listen [::]:80; |
||||
|
||||
} |
||||
|
||||
##OPTIONAL, tor config |
||||
#server { |
||||
# |
||||
# server_name zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.onion; |
||||
# client_max_body_size 0; #limit handled by upstream for better errors |
||||
# server_tokens off; |
||||
# |
||||
# error_page 404 /404.html; |
||||
# error_page 500 /500.html; |
||||
# error_page 502 /502.html; |
||||
# error_page 503 /503.html; |
||||
# error_page 504 /504.html; |
||||
# location = /404.html { |
||||
# root /path/to/jschan/static/html; |
||||
# internal; |
||||
# } |
||||
# location = /500.html { |
||||
# root /path/to/jschan/static/html; |
||||
# internal; |
||||
# } |
||||
# location = /502.html { |
||||
# root /path/to/jschan/static/html; |
||||
# internal; |
||||
# } |
||||
# location = /503.html { |
||||
# root /path/to/jschan/static/html; |
||||
# internal; |
||||
# } |
||||
# location = /504.html { |
||||
# root /path/to/jschan/static/html; |
||||
# internal; |
||||
# } |
||||
# |
||||
# add_header Cache-Control "public"; |
||||
# add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'" always; |
||||
# add_header Referrer-Policy "same-origin" always; |
||||
# add_header X-Frame-Options "sameorigin" always; |
||||
# add_header X-Content-Type-Options "nosniff" always; |
||||
# add_header X-XSS-Protection "1; mode=block" always; |
||||
# |
||||
# if ($request_uri ~ ^/(?!captcha|randombanner|forms|socket\.io)) { |
||||
# rewrite ^([^.\?]*[^/])$ $1/ redirect; |
||||
# rewrite ^(.+)/$ $1/index.html redirect; |
||||
# } |
||||
# |
||||
# location = /robots.txt { |
||||
# access_log off; |
||||
# add_header Content-Type text/plain; |
||||
# return 200 "User-agent: *\nDisallow:\n"; |
||||
# } |
||||
# |
||||
# location = /favicon.ico { |
||||
# access_log off; |
||||
# expires max; |
||||
# root /path/to/jschan/static/file; |
||||
# try_files $uri =404; |
||||
# } |
||||
# |
||||
# location = / { |
||||
# return 302 http://$host/index.html; |
||||
# } |
||||
# |
||||
# location /captcha { |
||||
# access_log off; |
||||
# root /path/to/jschan/static/captcha; |
||||
# if ($cookie_captchaid) { |
||||
# return 302 http://$host/captcha/$cookie_captchaid.jpg; |
||||
# } |
||||
# try_files /$cookie_captchaid.jpg @backend; |
||||
# } |
||||
# |
||||
# location / { |
||||
# proxy_buffering off; |
||||
# proxy_pass http://chan$request_uri; |
||||
# proxy_http_version 1.1; |
||||
# |
||||
# #websocket |
||||
# proxy_set_header Host $host; |
||||
# proxy_set_header Upgrade $http_upgrade; |
||||
# proxy_set_header Connection 'upgrade'; |
||||
# proxy_cache_bypass $http_upgrade; |
||||
# |
||||
# proxy_set_header X-Forwarded-Proto http; |
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||
# proxy_set_header X-Real-IP $remote_addr; |
||||
# proxy_set_header X-Country-Code 'TOR'; |
||||
# } |
||||
# |
||||
# location @backend { |
||||
# proxy_buffering off; |
||||
# proxy_pass http://chan$request_uri; |
||||
# proxy_http_version 1.1; |
||||
# proxy_set_header X-Forwarded-Proto http; |
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||
# proxy_set_header X-Real-IP $remote_addr; |
||||
# proxy_set_header X-Country-Code 'TOR'; |
||||
# proxy_set_header Connection ''; |
||||
# proxy_set_header Host $host; |
||||
# } |
||||
# |
||||
# location @backend-private { |
||||
# #no cache control public |
||||
# add_header Content-Security-Policy "default-src 'self'; img-src 'self' blob:; object-src 'self' blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com/embed/ https://www.bitchute.com/embed/; connect-src 'self' wss://domain.com/" always; |
||||
# add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin" always; |
||||
# add_header X-Frame-Options "sameorigin" always; |
||||
# add_header X-Content-Type-Options "nosniff" always; |
||||
# add_header X-XSS-Protection "1; mode=block" always; |
||||
# proxy_buffering off; |
||||
# proxy_pass http://chan$request_uri; |
||||
# proxy_http_version 1.1; |
||||
# proxy_set_header X-Forwarded-Proto http; |
||||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||
# proxy_set_header X-Real-IP $remote_addr; |
||||
# proxy_set_header X-Country-Code 'TOR'; |
||||
# proxy_set_header Connection ''; |
||||
# proxy_set_header Host $host; |
||||
# } |
||||
# |
||||
# # authed, no cache pages |
||||
# location ~* ^/((\w+/manage/.*|globalmanage/(reports|bans|recent|boards|globallogs|news|accounts|settings))|account|create)\.(html|json)$ { |
||||
# expires 0; |
||||
# try_files /dev/null @backend-private; |
||||
# } |
||||
# |
||||
# # HTML |
||||
# location ~* \.html$ { |
||||
# expires 0; |
||||
# root /path/to/jschan/static/html; |
||||
# try_files $uri @backend; |
||||
# } |
||||
# |
||||
# # JSON |
||||
# location ~* \.json$ { |
||||
# expires 0; |
||||
# root /path/to/jschan/static/json; |
||||
# try_files $uri @backend; |
||||
# #json doesnt hit backend if it doesnt exist yet. |
||||
# } |
||||
# |
||||
# # CSS |
||||
# location ~* \.css$ { |
||||
# access_log off; |
||||
# expires 1d; |
||||
# root /path/to/jschan/static; |
||||
# try_files $uri =404; |
||||
# } |
||||
# |
||||
# # Scripts |
||||
# location ~* \.js$ { |
||||
# expires 1d; |
||||
# access_log off; |
||||
# root /path/to/jschan/static; |
||||
# try_files $uri =404; |
||||
# } |
||||
# |
||||
# # Files (image, video, audio, other) |
||||
# location ~* \.(png|jpg|jpeg|bmp|webmanifest|xml|ico|gif|apng|webp|jfif|pjpeg|mkv|mp4|webm|mov|svg|flac|mp3|ogg|wav|opus)$ { |
||||
# access_log off; |
||||
# expires max; |
||||
# root /path/to/jschan/static; |
||||
# try_files $uri =404; |
||||
# } |
||||
# |
||||
# # "Other" Files for custom type uploads, uses content-disposition to prevent rendering |
||||
# # inline in browser and will present a "save" dialog box. make sure these file |
||||
# # extensions match for mimes defined in global settings |
||||
# location ~* \.(txt)$ { |
||||
# access_log off; |
||||
# expires max; |
||||
# add_header Cache-Control "public"; |
||||
# add_header X-Content-Type-Options "nosniff" always; |
||||
# add_header Content-Disposition "attachment"; |
||||
# root /path/to/jschan/static; |
||||
# try_files $uri =404; |
||||
# } |
||||
# |
||||
# listen 127.0.0.1:80; |
||||
# listen [::1]:80; |
||||
# |
||||
#} |
Loading…
Reference in new issue