nginx_neocities
# Main context: process model and pid file.
# The run-as user stays commented out, as in the original; nginx then keeps its default.
# user web web;
pid /var/run/nginx.pid;
# One worker per available CPU core.
worker_processes auto;
# Connection handling per worker.
events {
    # Accept every pending connection in one wake-up instead of one at a time.
    multi_accept on;
    # Upper bound on simultaneous connections per worker process.
    worker_connections 8192;
}
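http {
    include mime.types;
    default_type application/octet-stream;

    # Kernel-side send optimisations; reset_timedout_connection releases the
    # sockets of clients that stopped responding instead of letting them linger.
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    reset_timedout_connection on;

    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;
    charset utf-8;

    # Hash sizing for the large server_name / map tables (see map.txt below).
    server_names_hash_bucket_size 64;
    server_names_hash_max_size 10000000;
    map_hash_bucket_size 64;
    map_hash_max_size 10000000;
    types_hash_max_size 10000000;
    keepalive_requests 1024;

    # Per-site access log format; only `location /` of the sites server writes it.
    log_format neocities '$time_iso8601\t$subdomain\t$bytes_sent\t$request_uri\t$remote_addr\t$http_referer';

    root /etc/nginx/error_pages;
    error_page 404 /not_found.html;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the
    # original list. Append TLSv1.3 once nginx >= 1.13.0 built against
    # OpenSSL >= 1.1.1 is in use; older builds reject the value at config test.
    ssl_protocols TLSv1.2;
    # Forward-secret (ECDHE/DHE) suites only. The original list also offered
    # static-RSA key exchange, 3DES (DES-CBC3-SHA variants) and the open-ended
    # HIGH alias; those are dropped and 3DES is excluded explicitly.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/certs/dhparam.pem;
    ssl_session_cache shared:SSL:10m;
    # OCSP stapling; responder lookups go through the resolver below.
    # NOTE(review): ssl_stapling_verify needs the issuer chain configured as
    # trusted (ssl_trusted_certificate); without it nginx will not staple and
    # only warns in error.log -- confirm there.
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_trusted_certificate certs/<ISSUER-CHAIN-PLACEHOLDER>.pem;

    # Global access log is off; the sites server enables it per location.
    access_log off;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_disable "msie6";
    gzip_min_length 10240;
    # gzip_vary on;
    # gzip_proxied any;
    gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml application/vnd.ms-fontobject application/x-font-ttf font/opentype;

    # Cache zone used by the (currently commented-out) proxy_cache directives
    # and by the purge location in the sites server.
    proxy_cache_path /tmp/neocities_proxy_cache levels=1:2 keys_zone=sitecache:256m inactive=15d max_size=10G;
    proxy_temp_path /tmp/neocities_proxy_cache_temp 1 2;

    # ANTI DDOS
    # http://www.codestance.com/tutorials-archive/nginx-tuning-for-best-performance-255
    # https://rtcamp.com/tutorials/nginx/fail2ban/
    # Whitelist for DDoS protection: loopback maps to "" so a limit_req_zone keyed
    # on $rt_filtered_ip skips it. The map has no effect while the limit_req*
    # lines below stay commented out. Note that limit_conn needs its own
    # limit_conn_zone; it cannot reuse a limit_req_zone.
    map $remote_addr $rt_filtered_ip {
        default $binary_remote_addr;
        127.0.0.1 "";
    }
    #limit_req_zone $rt_filtered_ip zone=req_limit:50m rate=15r/s;
    #limit_conn req_limit 10;
    #limit_req zone=req_limit burst=70 nodelay;
    #limit_req_status 444;

    # Client buffers and timeouts.
    # NOTE(review): client_header_buffer_size 1m is allocated per connection
    # when a request is read; with worker_connections 8192 that bounds header
    # buffer memory in the gigabytes under load -- confirm the size is intended.
    client_body_buffer_size 128k;
    client_header_buffer_size 1m;
    client_max_body_size 1m;
    large_client_header_buffers 4 256k;
    client_body_timeout 12;
    client_header_timeout 12;
    keepalive_timeout 15;
    send_timeout 10;

    # Used here for OCSP stapling lookups. Plain DNS over the network: the
    # answers are not authenticated.
    resolver 8.8.8.8 valid=1h;
    include /etc/nginx/neocities-upstream.conf;

    # Default $subdomain mapping from map.txt (presumably custom domains ->
    # site name; verify against map.txt). The *.neocities.org case is
    # overridden by the `if` in the sites server below.
    map $http_host $subdomain {
        hostnames;
        include map.txt;
    }

    # Neocities SSL: TLS termination only. Requests are handed to the sites
    # server over the unix socket with the client address in X-Real-IP and
    # X-Forwarded-Proto fixed to https.
    server {
        listen 443 default_server ssl sndbuf=32k;
        server_name *.neocities.org;
        ssl_certificate certs/neocities.org.crt;
        ssl_certificate_key certs/neocities.org.key;
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_http_version 1.1;
            proxy_set_header Host $http_host;
            proxy_pass http://unix:/var/run/nginx.sock:$request_uri;
        }
    }

    # Neocities Sites: serves plain-HTTP clients on :80 directly and the TLS
    # server above via the unix socket.
    server {
        listen 80 default_server sndbuf=32K;
        listen unix:/var/run/nginx.sock;
        access_log off;
        error_log /var/log/nginx/error.log;
        log_not_found off;

        # Derive the site name from the Host header. The capture is restricted
        # to hostname characters because $subdomain is interpolated unencoded
        # into the upstream URL in `location /` and `/not_found.html`; the
        # original `(.+)` accepted any byte the Host header can carry. Widen the
        # class if site names may contain other characters.
        if ($http_host ~ ^([A-Za-z0-9_.-]+)\.neocities\.org$) { set $subdomain $1; }

        # Trust X-Real-IP (nginx's default real_ip_header) only for requests
        # that arrived over the unix socket, i.e. from the TLS server above.
        set_real_ip_from unix:;
        proxy_intercept_errors on;
        # proxy_cache sitecache;
        # proxy_cache_valid 200 15d;
        # proxy_cache_valid 403 404 10m;
        # proxy_cache_key $subdomain$uri;
        # proxy_cache_bypass $http_cache_purge;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        add_header X-Cached $upstream_cache_status;
        recursive_error_pages on;

        # NOTE(review): the upstream is reached over https but proxy_ssl_verify
        # defaults to off, so the upstream certificate is not checked. Enable
        # once the CA bundle path is known:
        # proxy_ssl_verify on;
        # proxy_ssl_trusted_certificate <UPSTREAM-CA-BUNDLE-PLACEHOLDER>;

        # location ~.*\.(gif|jpg|png)$ {
        # valid_referers none blocked $http_host *.neocities.org;
        # }
        location @site_not_found {
            rewrite ^(/.*) /not_found.html last;
        }
        location @global_not_found {
            root /etc/nginx/error_pages;
            try_files /not_found.html =404;
            break;
        }
        # Per-site 404 page fetched from the upstream; falls back to the
        # global page when the upstream has none.
        location /not_found.html {
            internal;
            error_page 404 @global_not_found;
            proxy_pass https://neocities-upstream/$subdomain$uri;
            break;
        }
        location @cache_purge_miss {
            return 404 'miss';
        }
        # Cache purge endpoint. It is reachable from the public :80 listener
        # with no access control; restrict it to the hosts that legitimately
        # purge, e.g.:
        # allow <PURGE-CLIENT-IP-PLACEHOLDER>; deny all;
        location ~ /:cache/purge(/.*) {
            error_page 404 = @cache_purge_miss;
            proxy_cache_purge sitecache $subdomain$1;
            break;
        }

        # Scheme used when rewriting upstream Location headers. The TLS server
        # always sets X-Forwarded-Proto to https; on the :80 listener the header
        # is whatever the client sent, which only affects the scheme of that
        # client's own redirects.
        set $original_scheme 'http';
        if ($http_x_forwarded_proto = 'https') {
            set $original_scheme 'https';
        }
        location / {
            # No site resolved from Host or map.txt: nothing to proxy.
            if ($subdomain = '') {
                return 404;
            }
            # sub_filter </html> $surfinject;
            error_page 404 @site_not_found;
            access_log /var/log/nginx/neocities-sites.log neocities;
            proxy_redirect https://neocities-upstream/$subdomain $original_scheme://$http_host;
            proxy_pass https://neocities-upstream/$subdomain$uri$is_args$args;
            break;
        }
    }
    # SSL custom domains
    #include /etc/nginx/sslsites/sslsites.conf;
}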