From a523b6c164a334dbad59697bf1226c2b84e446fc Mon Sep 17 00:00:00 2001
From: Fascinated
Date: Thu, 13 Apr 2023 19:37:55 +0100
Subject: [PATCH] add cdn + nginx config
---
 conf.d/cdn.conf | 104 ++++++++++++++++++++++++++++++++++++++++++++++++
 nginx.conf | 59 +++++++++++++++++++++++++++
 2 files changed, 163 insertions(+)
 create mode 100644 conf.d/cdn.conf
 create mode 100644 nginx.conf
diff --git a/conf.d/cdn.conf b/conf.d/cdn.conf
new file mode 100644
index 0000000..c2626e1
--- /dev/null
+++ b/conf.d/cdn.conf
@@ -0,0 +1,104 @@
+server {
+ if ($host ~ ^[^.]+\.fascinated\.cc$) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ listen 80;
+ server_name cdn.fascinated.cc;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ server_name cdn.fascinated.cc;
+
+ # Enable QUIC and HTTP/3.
+ listen 443 quic;
+
+ # Enable HTTP/2 (optional).
+ listen 443 ssl http2;
+
+ add_header alt-svc 'h3-23=":443"; ma=86400';
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 8;
+ gzip_buffers 16 64k;
+ gzip_types text/plain text/html text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+ root /home/fascinated-cdn/;
+ index index.html index.htm;
+
+ client_max_body_size 500M;
+ client_body_buffer_size 500M; # Set the buffer size limit to 100MB or any desired size.
+
+ # Set the timeouts as per your requirements
+ client_body_timeout 120s;
+ client_header_timeout 120s;
+ send_timeout 120s;
+
+ # TCP optimizations
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ # file shit
+ sendfile on;
+ sendfile_max_chunk 1m;
+ aio on;
+ directio 512;
+
+ # Keep connections alive for 15 seconds
+ keepalive_timeout 15;
+
+ # SSL Configuration - Replace the example with your domain
+ ssl_certificate /etc/letsencrypt/live/fascinated.cc/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/fascinated.cc/privkey.pem; # managed by Certbot
+ ssl_session_cache shared:SSL:10m;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA";
+ ssl_prefer_server_ciphers on;
+
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1h;
+
+ # Certbot (might not be needed? idk)
+ location /.well-known {
+ root /home/nginx/.well-known;
+
+ try_files $uri $uri/;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php/php-fpm.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ }
+
+ location / {
+ expires 7d;
+
+ etag on;
+
+ open_file_cache max=1000 inactive=60s;
+ open_file_cache_valid 60s;
+ open_file_cache_min_uses 1;
+ open_file_cache_errors on;
+
+ # Serve the file directly from disk
+ try_files $uri $uri/ /fourohfour.html;
+ }
+
+ error_page 404 /fourohfour.html;
+
+ location = /fourohfour.html {
+ internal;
+ }
+
+}
\ No newline at end of file
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..82851e5
--- /dev/null
+++ b/nginx.conf
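Review bot: The `add_header alt-svc 'h3-23=":443"; ma=86400';` line in the cdn server block cancels every `add_header` set in the http context of nginx.conf (HSTS, X-Frame-Options, nosniff, CSP, Referrer-Policy), because nginx only inherits add_header from the enclosing level when the current level defines none; either repeat those headers in this server block or move the alt-svc header up into nginx.conf next to them. `ssl_session_cache shared:SSL:10m;` appears twice in the same server block, which nginx rejects as a duplicate directive at load time, so one copy has to go before this config will even start. `client_body_buffer_size 500M;` lets a single request hold up to 500 MB of memory before anything spills to disk (and the trailing comment says 100 MB); for a static CDN keep a small buffer such as `client_body_buffer_size 128k;` and let `client_max_body_size` be the only cap. The `location ~ \.php$` block hands any .php file found under `/home/fascinated-cdn/` to php-fpm, so if anything other than the operator can write into that root, a file placed there becomes code execution; unless PHP is actually needed on this vhost, drop the block.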
@@ -0,0 +1,59 @@
+#load_module /usr/lib/nginx/modules/ngx_stream_module.so;
+
+user www-data;
+#pid /run/nginx.pid;
+worker_processes 4;
+
+events {
+ worker_connections 2048;
+}
+
+http {
+ proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:50m inactive=60m;
+
+ include mime.types;
+ default_type application/octet-stream;
+ #charset utf-8;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 15;
+ types_hash_max_size 4096;
+
+ client_body_buffer_size 10K;
+ client_header_buffer_size 1k;
+ client_max_body_size 8m;
+ large_client_header_buffers 4 4k;
+
+ fastcgi_connect_timeout 600;
+ fastcgi_send_timeout 600;
+ fastcgi_read_timeout 600;
+
+ server_tokens off;
+ #gzip on;
+
+ brotli on;
+ brotli_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
+ gzip on;
+ gzip_comp_level 6;
+ gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
+ http3 on;
+ quic_gso on;
+ quic_retry on;
+
+ proxy_hide_header "server";
+ proxy_hide_header "x-powered-by";
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Content-Security-Policy "default-src 'self';";
+ add_header Referrer-Policy "origin";
+
+ access_log /var/log/nginx/access.log;
+
+ include /etc/nginx/conf.d/*;
+}
+
+#include /etc/nginx/tcp-udp/*;
\ No newline at end of file
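Review bot: `include /etc/nginx/conf.d/*;` near the end of the http block pulls in every file in that directory, so an editor backup or stray file left next to cdn.conf is parsed as configuration and either breaks the reload or adds directives nobody reviewed; narrow it to `include /etc/nginx/conf.d/*.conf;`. `add_header Content-Security-Policy "default-src 'self';";` and the Referrer-Policy line below it lack the `always` flag the three headers above them carry, so nginx omits them on 4xx/5xx responses such as the custom 404 page; add `always` to both for consistency. `Referrer-Policy "origin"` sends the origin on every cross-site navigation, including downgrades to plain HTTP; `strict-origin-when-cross-origin` is the usual choice if that leak is not intended. `brotli on;` depends on the ngx_brotli module while the only `load_module` line in the file is commented out, so this presumably relies on a build with the module compiled in; a comment stating that assumption next to the directive would save the next person a failed reload.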