# nginx configuration template. The %TERMINATE%, %PROXY%, %AUTH_CHECK% and
# %AUTH_LOCATIONS% markers are not nginx syntax; presumably a preprocessing
# step replaces them before nginx loads the file. Their expansions are not
# shown here, so every note about authentication or TLS below should be
# checked against the generated output (for example with `nginx -T`).
load_module /usr/lib/nginx/modules/ngx_http_js_module.so;

user http;
worker_processes auto;
error_log /var/log/nginx/error.log error;

events {
    worker_connections 1024;
    multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Do not advertise the nginx version in responses and error pages.
    server_tokens off;
    http2 on;

    access_log /var/log/nginx/access.log;

    include mime.types;
    default_type application/octet-stream;
    types_hash_max_size 2048;
    types_hash_bucket_size 128;

    gzip on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=pcache:32m max_size=20g;

    # Connection header value for proxied upgrade requests: "upgrade" when the
    # client sent an Upgrade header, "close" otherwise.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # Defines $dollar as a literal "$", for places where a bare "$" would be
    # parsed as the start of a variable.
    geo $dollar {
        default "$"; # DIRTY HACKS DONE CHEAP
    }

    js_import nginx.js;
    # Shared njs dictionary: entries expire after 5 minutes and the oldest are
    # evicted when the 32k zone is full.
    # NOTE(review): presumably this caches token checks made by the auth code in
    # nginx.js; if so, a revoked token can stay accepted until its entry
    # expires. Confirm the timeout matches the revocation window you need.
    js_shared_dict_zone zone=auth_token_cache:32k timeout=5m evict;

    absolute_redirect off;

    # mozilla ssl settings via https://ssl-config.mozilla.org/
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # TLS 1.3 only; older clients cannot connect.
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # NOTE(review): ssl_stapling_verify needs the issuer chain to be trusted.
    # No ssl_trusted_certificate appears in this file; confirm it is set
    # elsewhere or that the configured certificate file carries the chain.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.53;

    # static sites
    # Default server for plain HTTP: any request whose Host matches no other
    # server block lands here, and the document root is chosen from the
    # client-supplied host name. Every directory directly under /srv/web is
    # therefore reachable by name, so keep only published sites there.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        default_type text/plain;
        root /srv/web/$host;
        index index.html;
    }

    # https dummy server
    # Default server for TLS and QUIC on 443. It has no root, location or
    # return of its own, so clients asking for an unknown name are shown the
    # mia.jetzt certificate.
    # NOTE(review): if that is not wanted, consider ssl_reject_handshake here.
    server {
        listen 443 quic reuseport default_server;
        listen [::]:443 quic reuseport default_server;
        listen 443 ssl reuseport default_server;
        listen [::]:443 ssl reuseport default_server;
        server_name _;
        ssl_certificate /etc/tls/mia.jetzt.crt;
        ssl_certificate_key /etc/tls/mia.jetzt.key;
    }

    # NOTE(review): presumably expands to the TLS-terminating server blocks for
    # the names below. Every named server in this file listens on port 80 on
    # all addresses; confirm that plain-HTTP access to the authenticated
    # services is redirected or blocked by the generated config or a firewall.
    %TERMINATE%

    # dissociate
    server {
        listen 80;
        listen [::]:80;
        server_name dissociate.mia.jetzt;
        location / {
            proxy_pass http://localhost:8001;
            %PROXY%
        }
    }

    # git
    server {
        listen 80;
        listen [::]:80;
        server_name git.mia.jetzt;
        root /usr/share/webapps/cgit;
        try_files $uri @cgit;
        # NOTE(review): presumably read by the %AUTH_CHECK% expansion - confirm.
        set $required_scope root;

        # Smart-HTTP fetch endpoints, served by git-http-backend from /srv/git.
        # This location has no %AUTH_CHECK%. As a regex location it is also
        # chosen ahead of the /priv/ prefix location, which is not marked ^~,
        # so fetch URLs under /priv/ are handled here as well. GIT_HTTP_EXPORT_ALL
        # is not set in this block, so git-http-backend should serve only
        # repositories marked git-daemon-export-ok; confirm that no private
        # repository under /srv/git carries that marker.
        # NOTE(review): the pattern is unanchored and matches anywhere in the
        # URI; anchoring it with ^ and $ would narrow what reaches the CGI.
        location ~ /.+/(info/refs|git-upload-pack) {
            include fastcgi.conf;
            fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
            fastcgi_param GIT_PROJECT_ROOT /srv/git;
            fastcgi_pass unix:/run/fcgiwrap-git.sock;
        }

        # Public cgit web interface, reached through the server-level try_files.
        location @cgit {
            include fastcgi.conf;
            fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
            fastcgi_param CGIT_CONFIG /etc/cgit/public;
            fastcgi_pass unix:/run/fcgiwrap-git.sock;
        }

        # cgit with the private configuration, behind the auth check. The
        # rewrite strips the /priv/ prefix and "break" keeps processing in
        # this location.
        location /priv/ {
            %AUTH_CHECK%
            rewrite ^/priv/(.*) /$1 break;
            include fastcgi.conf;
            fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
            fastcgi_param CGIT_CONFIG /etc/cgit/private;
            fastcgi_pass unix:/run/fcgiwrap-git.sock;
        }

        %AUTH_LOCATIONS%
    }

    # search
    server {
        listen 80;
        listen [::]:80;
        server_name search.mia.jetzt;
        # NOTE(review): presumably read by the %AUTH_CHECK% expansion - confirm.
        set $required_scope search;

        location / {
            %AUTH_CHECK%
            proxy_pass http://unix:/run/searxng.sock;
        }

        # These two locations carry no %AUTH_CHECK% and reach the backend
        # without it.
        # NOTE(review): both are prefix matches, so any URI that merely starts
        # with these strings also skips the check; "location = ..." would limit
        # the exemption to the exact paths.
        location /opensearch.xml {
            proxy_pass http://unix:/run/searxng.sock;
        }

        location /autocompleter {
            proxy_pass http://unix:/run/searxng.sock;
        }

        %AUTH_LOCATIONS%
    }

    # cat
    server {
        listen 80;
        listen [::]:80;
        server_name cat.mia.jetzt;
        # Response is produced by the "cat" handler exported from nginx.js.
        location / {
            js_content nginx.cat;
        }
    }

    # outskirts
    server {
        listen 80;
        listen [::]:80;
        server_name outskirts.town;
        location / {
            proxy_pass http://localhost:6502;
            %PROXY%
        }
    }

    # outskirts akkoma-fe
    server {
        listen 80;
        listen [::]:80;
        server_name ak.outskirts.town;

        # Static frontend; unknown paths fall back to index.html.
        location / {
            root /usr/share/iceshrimp.net/akkoma-fe;
            index index.html;
            try_files $uri /index.html =404;
        }

        # ^~ makes this prefix win over the regex location below, so the
        # authorization page is always served from the main domain.
        location ^~ /oauth/authorize {
            return 307 https://outskirts.town$request_uri;
        }

        # API traffic goes to the same backend as outskirts.town, with Host
        # rewritten to that name.
        # NOTE(review): unlike the other proxied locations, this one does not
        # include %PROXY%; if that expansion sets the forwarded client address
        # headers, the backend will not receive them here. Confirm.
        location ~* ^/(api|oauth|nodeinfo)/ {
            proxy_pass http://localhost:6502;
            proxy_http_version 1.1;
            proxy_redirect off;
            proxy_set_header Host outskirts.town;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

    # voicelevelproxy
    server {
        listen 80;
        listen [::]:80;
        server_name vlp.mia.jetzt;
        location / {
            proxy_pass http://localhost:6503;
            %PROXY%
        }
    }
}