Add basic configuration extracted from our running config

Cleaned of most stuff *from* our config, but a template is provided to help you get started.
This commit is contained in:
Lily Tsuru 2024-03-23 03:37:44 -04:00
parent 4a7ac04665
commit 35b09db127
13 changed files with 1755 additions and 1 deletions

View file

@ -9,6 +9,6 @@ $ git clone --recursive https://git.computernewb.com/nginx-cn
$ cd nginx-cn
$ ./build
# ./install
# ... (copy the base config from sources/nginx/conf into /opt/nginx/etc/nginx)
# ... (copy the base config from conf/ into /opt/nginx/etc/nginx and adjust/add to suit your configuration)
# profit?
```

30
conf/bits/no-ranges.conf Normal file
View file

@ -0,0 +1,30 @@
# no-ranges.conf
# Disables ranges and adds a simple lua block
# that will immediately fail requests.
# "max_ranges 0" doesn't seem to really work the way you'd expect
# which is kind of why I'm making this include..
# This will actually properly not allow ranged connections.
# Do the obligatory first
max_ranges 0;
# Add a Lua header filter that will explicitly 400
# any HTTP requests with the "Range" header; regardless of
# if they contain a valid range, set of ranges, or an invalid
# range.
#
# We also add the "Accept-Ranges" header here, because unlike
# nginx's native "add_header", it's not terminally broken and won't append
# a duplicate header in certain contexts... Don't ask how I had to find that out.
header_filter_by_lua_block {
local req_headers = ngx.req.get_headers();
ngx.header["Accept-Ranges"] = "none"
if req_headers["Range"] ~= nil then
ngx.log(ngx.ERR, "Request with ranges! Blocking")
return ngx.exit(400)
end
}

53
conf/bits/wsproxy_params Normal file
View file

@ -0,0 +1,53 @@
# wsproxy_params: Include file for configuring a location
# to proxy a upstream with WebSocket support.
# This file effectively makes WebSocket proxying 2 lines long.
proxy_http_version 1.1;
# ignore headers that could be used to alter how we handle
# none of our proxied servers do this, but
proxy_ignore_headers X-Accel-Redirect X-Accel-Buffering;
# No buffering or redirect
#proxy_buffering off;
proxy_redirect off;
# experiemnt: do use buffering and
# use smaller buffer sizes
proxy_buffering off;
#proxy_buffer_size 4k;
#proxy_buffers 8 4k;
#proxy_buffer_size 128k;
#proxy_buffers 100 128k;
#proxy_set_header Host $host:$server_port;
proxy_set_header Upgrade $http_upgrade;
# TODO: this might be problemeatic, change this to $http_connection, or
# the map in documentation.
proxy_set_header Connection $connection_upgrade;
# pass standard Websocket handshake headers
proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # CHANGE use second if your server will be under cloudflare
#proxy_set_header X-Forwarded-For $http_cf_connecting_ip;
# I'd readd this, but to be kinda brutally honest,
# this causes more issues than it really solves.
#proxy_read_timeout 36000s;
# hopefully this works?
proxy_connect_timeout 10s;
# Most of our stuff will disconnect you if you don't send anything in a reasonable
# time frame, so this should be okay.
#proxy_read_timeout 36000s;
#proxy_read_timeout 960s;
proxy_send_timeout 480s;

26
conf/fastcgi.conf Normal file
View file

@ -0,0 +1,26 @@
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

25
conf/fastcgi_params Normal file
View file

@ -0,0 +1,25 @@
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;

109
conf/koi-utf Normal file
View file

@ -0,0 +1,109 @@
# This map is not a full koi8-r <> utf8 map: it does not contain
# box-drawing and some other characters. Besides this map contains
# several koi8-u and Byelorussian letters which are not in koi8-r.
# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
# map instead.
charset_map koi8-r utf-8 {
80 E282AC ; # euro
95 E280A2 ; # bullet
9A C2A0 ; # &nbsp;
9E C2B7 ; # &middot;
A3 D191 ; # small yo
A4 D194 ; # small Ukrainian ye
A6 D196 ; # small Ukrainian i
A7 D197 ; # small Ukrainian yi
AD D291 ; # small Ukrainian soft g
AE D19E ; # small Byelorussian short u
B0 C2B0 ; # &deg;
B3 D081 ; # capital YO
B4 D084 ; # capital Ukrainian YE
B6 D086 ; # capital Ukrainian I
B7 D087 ; # capital Ukrainian YI
B9 E28496 ; # numero sign
BD D290 ; # capital Ukrainian soft G
BE D18E ; # capital Byelorussian short U
BF C2A9 ; # (C)
C0 D18E ; # small yu
C1 D0B0 ; # small a
C2 D0B1 ; # small b
C3 D186 ; # small ts
C4 D0B4 ; # small d
C5 D0B5 ; # small ye
C6 D184 ; # small f
C7 D0B3 ; # small g
C8 D185 ; # small kh
C9 D0B8 ; # small i
CA D0B9 ; # small j
CB D0BA ; # small k
CC D0BB ; # small l
CD D0BC ; # small m
CE D0BD ; # small n
CF D0BE ; # small o
D0 D0BF ; # small p
D1 D18F ; # small ya
D2 D180 ; # small r
D3 D181 ; # small s
D4 D182 ; # small t
D5 D183 ; # small u
D6 D0B6 ; # small zh
D7 D0B2 ; # small v
D8 D18C ; # small soft sign
D9 D18B ; # small y
DA D0B7 ; # small z
DB D188 ; # small sh
DC D18D ; # small e
DD D189 ; # small shch
DE D187 ; # small ch
DF D18A ; # small hard sign
E0 D0AE ; # capital YU
E1 D090 ; # capital A
E2 D091 ; # capital B
E3 D0A6 ; # capital TS
E4 D094 ; # capital D
E5 D095 ; # capital YE
E6 D0A4 ; # capital F
E7 D093 ; # capital G
E8 D0A5 ; # capital KH
E9 D098 ; # capital I
EA D099 ; # capital J
EB D09A ; # capital K
EC D09B ; # capital L
ED D09C ; # capital M
EE D09D ; # capital N
EF D09E ; # capital O
F0 D09F ; # capital P
F1 D0AF ; # capital YA
F2 D0A0 ; # capital R
F3 D0A1 ; # capital S
F4 D0A2 ; # capital T
F5 D0A3 ; # capital U
F6 D096 ; # capital ZH
F7 D092 ; # capital V
F8 D0AC ; # capital soft sign
F9 D0AB ; # capital Y
FA D097 ; # capital Z
FB D0A8 ; # capital SH
FC D0AD ; # capital E
FD D0A9 ; # capital SHCH
FE D0A7 ; # capital CH
FF D0AA ; # capital hard sign
}

103
conf/koi-win Normal file
View file

@ -0,0 +1,103 @@
charset_map koi8-r windows-1251 {
80 88 ; # euro
95 95 ; # bullet
9A A0 ; # &nbsp;
9E B7 ; # &middot;
A3 B8 ; # small yo
A4 BA ; # small Ukrainian ye
A6 B3 ; # small Ukrainian i
A7 BF ; # small Ukrainian yi
AD B4 ; # small Ukrainian soft g
AE A2 ; # small Byelorussian short u
B0 B0 ; # &deg;
B3 A8 ; # capital YO
B4 AA ; # capital Ukrainian YE
B6 B2 ; # capital Ukrainian I
B7 AF ; # capital Ukrainian YI
B9 B9 ; # numero sign
BD A5 ; # capital Ukrainian soft G
BE A1 ; # capital Byelorussian short U
BF A9 ; # (C)
C0 FE ; # small yu
C1 E0 ; # small a
C2 E1 ; # small b
C3 F6 ; # small ts
C4 E4 ; # small d
C5 E5 ; # small ye
C6 F4 ; # small f
C7 E3 ; # small g
C8 F5 ; # small kh
C9 E8 ; # small i
CA E9 ; # small j
CB EA ; # small k
CC EB ; # small l
CD EC ; # small m
CE ED ; # small n
CF EE ; # small o
D0 EF ; # small p
D1 FF ; # small ya
D2 F0 ; # small r
D3 F1 ; # small s
D4 F2 ; # small t
D5 F3 ; # small u
D6 E6 ; # small zh
D7 E2 ; # small v
D8 FC ; # small soft sign
D9 FB ; # small y
DA E7 ; # small z
DB F8 ; # small sh
DC FD ; # small e
DD F9 ; # small shch
DE F7 ; # small ch
DF FA ; # small hard sign
E0 DE ; # capital YU
E1 C0 ; # capital A
E2 C1 ; # capital B
E3 D6 ; # capital TS
E4 C4 ; # capital D
E5 C5 ; # capital YE
E6 D4 ; # capital F
E7 C3 ; # capital G
E8 D5 ; # capital KH
E9 C8 ; # capital I
EA C9 ; # capital J
EB CA ; # capital K
EC CB ; # capital L
ED CC ; # capital M
EE CD ; # capital N
EF CE ; # capital O
F0 CF ; # capital P
F1 DF ; # capital YA
F2 D0 ; # capital R
F3 D1 ; # capital S
F4 D2 ; # capital T
F5 D3 ; # capital U
F6 C6 ; # capital ZH
F7 C2 ; # capital V
F8 DC ; # capital soft sign
F9 DB ; # capital Y
FA C7 ; # capital Z
FB D8 ; # capital SH
FC DD ; # capital E
FD D9 ; # capital SHCH
FE D7 ; # capital CH
FF DA ; # capital hard sign
}

1080
conf/mime.types Normal file

File diff suppressed because it is too large Load diff

123
conf/nginx.conf Normal file
View file

@ -0,0 +1,123 @@
# nginx.conf
user http;
worker_processes 24; # CHANGE to fit your system
error_log /var/log/nginx/error.log;
pcre_jit on;
events {
worker_connections 4096;
use epoll;
multi_accept off;
accept_mutex off;
}
http {
# Lua path
lua_package_path "/opt/nginx/lib/lua/?.lua;;";
vhost_traffic_status_zone;
include mime.types;
default_type application/octet-stream;
# this is defined as a nicity here, and used by other files
map $http_upgrade $connection_upgrade {
default upgrade;
'' keep-alive;
}
log_format main '$remote_addr - $remote_user [$time_local] '
'"$server_name" "$request" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent' ;
# CHANGE if you want to use systemd for journaling (probably not a bad idea), or some other syslogd (again, probably
# not the worst idea), uncomment out this
# access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx,severity=info main;
access_log /var/log/nginx/access.log main;
server_tokens off;
#map_hash_bucket_size 128;
#map_hash_max_size 8192;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# :(
keepalive_timeout 3605;
#keepalive_timeout 65;
#send_timeout 60;
send_timeout 3600;
reset_timedout_connection on;
types_hash_max_size 4096;
gzip on;
#gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 3;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 10240;
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/svg+xml
text/css
text/javascript
text/plain
text/xml;
server {
access_log /dev/null; # avoid spamming our access logs with accesses to this
# (do log errors though!)
listen 127.0.0.1:3950 bind reuseport;
location /status {
vhost_traffic_status_display;
vhost_traffic_status_display_format html;
}
}
# A dummy default server just to avoid any configuration mishaps.
# Also sets our bind and reuseport options for us :)
server {
server_name _;
listen (ipv4):80 bind reuseport default_server; # CHANGE like template.conf tells you to
listen [(ipv6)]:80 bind reuseport default_server;
# a nice message if anyone else see this
default_type 'text/plain';
location ^~ / {
content_by_lua_block {
ngx.say('You should not see this message (unless some infrastructure is screwing up and not passing a Host header). If you do yell loudly.')
}
}
}
# include all enabled sites
include sites/*;
}

17
conf/scgi_params Normal file
View file

@ -0,0 +1,17 @@
scgi_param REQUEST_METHOD $request_method;
scgi_param REQUEST_URI $request_uri;
scgi_param QUERY_STRING $query_string;
scgi_param CONTENT_TYPE $content_type;
scgi_param DOCUMENT_URI $document_uri;
scgi_param DOCUMENT_ROOT $document_root;
scgi_param SCGI 1;
scgi_param SERVER_PROTOCOL $server_protocol;
scgi_param REQUEST_SCHEME $scheme;
scgi_param HTTPS $https if_not_empty;
scgi_param REMOTE_ADDR $remote_addr;
scgi_param REMOTE_PORT $remote_port;
scgi_param SERVER_PORT $server_port;
scgi_param SERVER_NAME $server_name;

45
conf/template.conf Normal file
View file

@ -0,0 +1,45 @@
# template for your own domain
# this defines ratelimit parameters.
# You can remove this if you don't want ratelimiting but it's a very good idea
# and will heavily limit the effectiveness of attacks so it's probably best to leave it in place.
limit_req_zone $binary_remote_addr zone=reqlimit_yourdomain:10m rate=20r/s; # CHANGE
# an example upstream for reverse proxying
#upstream myservice {
# server 127.0.0.1:3002;
#}
server {
server_name yourdomain.net; # CHANGE
root /srv/http/yourdomain.net; # CHANGE
# TODO SSL
listen (ipv4):80; # CHANGE to your ipv4 address if using ipv4
listen [(ipv6)]:80; # CHANGE to your ipv6 address if you want ipv6,
# or comment/remove if you don't have ipv6
# (likewise, for ipv4 if you don't want ipv4)
index index.php index.html; # CHANGE if not using php
#autoindex on; # CHANGE if you want to use fancyindex, comment out the next line,
#fancyindex on; # CHANGE or just comment out the line above if you only want
limit_req zone=reqlimit_yourdomain burst=20 delay=8; # CHANGE zone=
limit_req_status 429;
# Example of doing reverse proxying
#location ^~ /myapi {
# include bits/wsproxy_params;
# proxy_pass http://myservice/;
#}
# CHANGE comment or remove this if your domain doesn't use php
location ~ \.php$ {
include fastcgi.conf;
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
}
}

17
conf/uwsgi_params Normal file
View file

@ -0,0 +1,17 @@
uwsgi_param QUERY_STRING $query_string;
uwsgi_param REQUEST_METHOD $request_method;
uwsgi_param CONTENT_TYPE $content_type;
uwsgi_param CONTENT_LENGTH $content_length;
uwsgi_param REQUEST_URI $request_uri;
uwsgi_param PATH_INFO $document_uri;
uwsgi_param DOCUMENT_ROOT $document_root;
uwsgi_param SERVER_PROTOCOL $server_protocol;
uwsgi_param REQUEST_SCHEME $scheme;
uwsgi_param HTTPS $https if_not_empty;
uwsgi_param REMOTE_ADDR $remote_addr;
uwsgi_param REMOTE_PORT $remote_port;
uwsgi_param SERVER_PORT $server_port;
uwsgi_param SERVER_NAME $server_name;

126
conf/win-utf Normal file
View file

@ -0,0 +1,126 @@
# This map is not a full windows-1251 <> utf8 map: it does not
# contain Serbian and Macedonian letters. If you need a full map,
# use contrib/unicode2nginx/win-utf map instead.
charset_map windows-1251 utf-8 {
82 E2809A ; # single low-9 quotation mark
84 E2809E ; # double low-9 quotation mark
85 E280A6 ; # ellipsis
86 E280A0 ; # dagger
87 E280A1 ; # double dagger
88 E282AC ; # euro
89 E280B0 ; # per mille
91 E28098 ; # left single quotation mark
92 E28099 ; # right single quotation mark
93 E2809C ; # left double quotation mark
94 E2809D ; # right double quotation mark
95 E280A2 ; # bullet
96 E28093 ; # en dash
97 E28094 ; # em dash
99 E284A2 ; # trade mark sign
A0 C2A0 ; # &nbsp;
A1 D18E ; # capital Byelorussian short U
A2 D19E ; # small Byelorussian short u
A4 C2A4 ; # currency sign
A5 D290 ; # capital Ukrainian soft G
A6 C2A6 ; # borken bar
A7 C2A7 ; # section sign
A8 D081 ; # capital YO
A9 C2A9 ; # (C)
AA D084 ; # capital Ukrainian YE
AB C2AB ; # left-pointing double angle quotation mark
AC C2AC ; # not sign
AD C2AD ; # soft hypen
AE C2AE ; # (R)
AF D087 ; # capital Ukrainian YI
B0 C2B0 ; # &deg;
B1 C2B1 ; # plus-minus sign
B2 D086 ; # capital Ukrainian I
B3 D196 ; # small Ukrainian i
B4 D291 ; # small Ukrainian soft g
B5 C2B5 ; # micro sign
B6 C2B6 ; # pilcrow sign
B7 C2B7 ; # &middot;
B8 D191 ; # small yo
B9 E28496 ; # numero sign
BA D194 ; # small Ukrainian ye
BB C2BB ; # right-pointing double angle quotation mark
BF D197 ; # small Ukrainian yi
C0 D090 ; # capital A
C1 D091 ; # capital B
C2 D092 ; # capital V
C3 D093 ; # capital G
C4 D094 ; # capital D
C5 D095 ; # capital YE
C6 D096 ; # capital ZH
C7 D097 ; # capital Z
C8 D098 ; # capital I
C9 D099 ; # capital J
CA D09A ; # capital K
CB D09B ; # capital L
CC D09C ; # capital M
CD D09D ; # capital N
CE D09E ; # capital O
CF D09F ; # capital P
D0 D0A0 ; # capital R
D1 D0A1 ; # capital S
D2 D0A2 ; # capital T
D3 D0A3 ; # capital U
D4 D0A4 ; # capital F
D5 D0A5 ; # capital KH
D6 D0A6 ; # capital TS
D7 D0A7 ; # capital CH
D8 D0A8 ; # capital SH
D9 D0A9 ; # capital SHCH
DA D0AA ; # capital hard sign
DB D0AB ; # capital Y
DC D0AC ; # capital soft sign
DD D0AD ; # capital E
DE D0AE ; # capital YU
DF D0AF ; # capital YA
E0 D0B0 ; # small a
E1 D0B1 ; # small b
E2 D0B2 ; # small v
E3 D0B3 ; # small g
E4 D0B4 ; # small d
E5 D0B5 ; # small ye
E6 D0B6 ; # small zh
E7 D0B7 ; # small z
E8 D0B8 ; # small i
E9 D0B9 ; # small j
EA D0BA ; # small k
EB D0BB ; # small l
EC D0BC ; # small m
ED D0BD ; # small n
EE D0BE ; # small o
EF D0BF ; # small p
F0 D180 ; # small r
F1 D181 ; # small s
F2 D182 ; # small t
F3 D183 ; # small u
F4 D184 ; # small f
F5 D185 ; # small kh
F6 D186 ; # small ts
F7 D187 ; # small ch
F8 D188 ; # small sh
F9 D189 ; # small shch
FA D18A ; # small hard sign
FB D18B ; # small y
FC D18C ; # small soft sign
FD D18D ; # small e
FE D18E ; # small yu
FF D18F ; # small ya
}