mirror of https://gitgud.io/fatchan/jschan.git
merge-requests/208/head
parent
2f9242bf89
commit
a04d62d29e
5 changed files with 190 additions and 17 deletions
@ -0,0 +1,3 @@ |
||||
`nginx.example` - Example nginx config with letsencrypt. You need to update with the path of installation, certificate paths, domain names, etc. |
||||
`nginx_no_https.example` - Same thing, without https. Can be used for testing and development. |
||||
`nginx_advanced.example` - An advanced example with both clearnet and tor, with snippets to reduce repitition for a cleaner config |
||||
@ -0,0 +1,56 @@ |
||||
upstream chan { |
||||
server 127.0.0.1:7000; |
||||
} |
||||
|
||||
server { |
||||
|
||||
server_name www.xxxxxxxx.onion xxxxxxxx.onion; |
||||
|
||||
client_max_body_size 0; |
||||
listen unix:/var/run/nginx-tor.sock; |
||||
allow "unix:"; |
||||
deny all; |
||||
|
||||
include /etc/nginx/snippets/security_headers.conf; |
||||
include /etc/nginx/snippets/error_pages.conf; |
||||
include /etc/nginx/snippets/jschan_routes_tor.conf; |
||||
|
||||
} |
||||
|
||||
server { |
||||
|
||||
server_name www.example.com example.com; |
||||
|
||||
client_max_body_size 0; |
||||
#header will tell tor users accessing clearnet endpoint to use onion service |
||||
add_header onion-location 'http://xxxxxxxxxxx.onion'; |
||||
|
||||
include /etc/nginx/snippets/security_headers.conf; |
||||
include /etc/nginx/snippets/error_pages.conf; |
||||
include /etc/nginx/snippets/jschan_routes.conf; |
||||
|
||||
listen [::]:443 ssl ipv6only=on; # managed by Certbot |
||||
listen 443 ssl; # managed by Certbot |
||||
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot |
||||
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot |
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot |
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot |
||||
|
||||
} |
||||
|
||||
server { |
||||
if ($host = www.example.com) { |
||||
return 301 https://$host$request_uri; |
||||
} # managed by Certbot |
||||
|
||||
if ($host = example.com) { |
||||
return 301 https://$host$request_uri; |
||||
} # managed by Certbot |
||||
|
||||
server_name www.example.com example.com; |
||||
|
||||
listen 80; |
||||
listen [::]:80; |
||||
return 444; # managed by Certbot |
||||
|
||||
} |
||||
@ -0,0 +1,122 @@ |
||||
if ($request_uri ~ ^/(?!captcha|randombanner|forms|logout|socket\.io)) { |
||||
rewrite ^([^.\?]*[^/])$ $1/ redirect; |
||||
rewrite ^(.+)/$ $1/index.html redirect; |
||||
} |
||||
|
||||
location = /robots.txt { |
||||
access_log off; |
||||
add_header Content-Type text/plain; |
||||
return 200 "User-agent: *\nDisallow:\n"; |
||||
} |
||||
|
||||
location = /site.webmanifest { |
||||
access_log off; |
||||
expires max; |
||||
root /path/to/jschan/static/file; |
||||
try_files $uri =404; |
||||
} |
||||
|
||||
location = /browserconfig.xml { |
||||
access_log off; |
||||
expires max; |
||||
root /path/to/jschan/static/file; |
||||
try_files $uri =404; |
||||
} |
||||
|
||||
location = /favicon.ico { |
||||
access_log off; |
||||
expires max; |
||||
root /path/to/jschan/static/file; |
||||
try_files $uri =404; |
||||
} |
||||
|
||||
location = / { |
||||
return 302 http://$host/index.html; |
||||
} |
||||
|
||||
location /captcha { |
||||
root /path/to/jschan/static/captcha; |
||||
if ($cookie_captchaid) { |
||||
return 302 http://$host/captcha/$cookie_captchaid.jpg; |
||||
} |
||||
try_files /$cookie_captchaid.jpg @backend; |
||||
} |
||||
|
||||
location / { |
||||
proxy_buffering off; |
||||
proxy_pass http://chan$request_uri; |
||||
proxy_http_version 1.1; |
||||
|
||||
proxy_set_header Host $host; |
||||
proxy_set_header Upgrade $http_upgrade; |
||||
proxy_set_header Connection 'upgrade'; |
||||
proxy_cache_bypass $http_upgrade; |
||||
|
||||
proxy_set_header X-Forwarded-Proto http; |
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||
proxy_set_header X-Real-IP $remote_addr; |
||||
proxy_set_header X-Country-Code 'TOR'; |
||||
} |
||||
|
||||
location @backend { |
||||
proxy_buffering off; |
||||
proxy_pass http://chan$request_uri; |
||||
proxy_http_version 1.1; |
||||
proxy_set_header X-Forwarded-Proto http; |
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||
proxy_set_header X-Real-IP $remote_addr; |
||||
proxy_set_header X-Country-Code 'TOR'; |
||||
proxy_set_header Connection ''; |
||||
proxy_set_header Host $host; |
||||
} |
||||
|
||||
# HTML |
||||
location ~* \.html$ { |
||||
expires 0; |
||||
default_type text/html; #needed for cache control private in backend |
||||
root /path/to/jschan/static/html; |
||||
try_files $uri @backend; |
||||
} |
||||
|
||||
# JSON |
||||
location ~* \.json$ { |
||||
expires 0; |
||||
root /path/to/jschan/static/json; |
||||
try_files $uri @backend; |
||||
#json doesnt hit backend if it doesnt exist yet. |
||||
} |
||||
|
||||
# CSS |
||||
location ~* \.css$ { |
||||
access_log off; |
||||
expires 1w; |
||||
root /path/to/jschan/static; |
||||
try_files $uri =404; |
||||
} |
||||
|
||||
# Scripts |
||||
location ~* \.js$ { |
||||
expires 1w; |
||||
access_log off; |
||||
root /path/to/jschan/static; |
||||
try_files $uri =404; |
||||
} |
||||
|
||||
# Files (image, video, audio, other) |
||||
location ~* \.(png|jpg|jpeg|webmanifest|apng|bmp|webp|pjpeg|jfif|gif|mp4|webm|mov|mkv|svg|mp3|ogg|wav|opus)$ { |
||||
access_log off; |
||||
expires max; |
||||
root /path/to/jschan/static; |
||||
try_files $uri =404; |
||||
} |
||||
|
||||
# inline in browser so even HTML filetypes can be offered and will present a "save" dialog box |
||||
location ~* \.(txt|bin)$ { |
||||
access_log off; |
||||
expires max; |
||||
add_header Cache-Control "public"; |
||||
add_header X-Content-Type-Options "nosniff" always; |
||||
add_header Content-Disposition "attachment"; |
||||
root /path/to/jschan/static; |
||||
try_files $uri =404; |
||||
} |
||||
Loading…
Reference in new issue