add cdn + nginx config

2023-04-13 19:37:55 +01:00 · 2023-04-13 19:37:55 +01:00 · a523b6c164
commit a523b6c164
2 changed files with 163 additions and 0 deletions
--- a/conf.d/cdn.conf
+++ b/conf.d/cdn.conf
@ -0,0 +1,104 @@
+server {
+    if ($host ~ ^[^.]+\.fascinated\.cc$) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+    
+    listen 80;
+    server_name cdn.fascinated.cc;
+
+    return 301 https://$host$request_uri;
+}
+
+server {
+  server_name cdn.fascinated.cc;
+
+  # Enable QUIC and HTTP/3.
+  listen 443 quic;
+
+  # Enable HTTP/2 (optional).
+  listen 443 ssl http2;
+  
+  add_header alt-svc 'h3-23=":443"; ma=86400';
+
+  gzip on;
+  gzip_disable "msie6";
+  gzip_vary on;
+  gzip_proxied any;
+  gzip_comp_level 8;
+  gzip_buffers 16 64k;
+  gzip_types text/plain text/html text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; 
+
+  root /home/fascinated-cdn/;
+  index index.html index.htm;
+
+  client_max_body_size 500M;
+  client_body_buffer_size 500M; # Set the buffer size limit to 100MB or any desired size.
+
+  # Set the timeouts as per your requirements
+  client_body_timeout 120s;
+  client_header_timeout 120s;
+  send_timeout 120s;
+
+  # TCP optimizations
+  tcp_nopush on;
+  tcp_nodelay on;
+  
+  # file shit
+  sendfile on;
+  sendfile_max_chunk 1m;
+  aio on;
+  directio 512;
+
+  # Keep connections alive for 15 seconds
+  keepalive_timeout 15;
+
+  # SSL Configuration - Replace the example <domain> with your domain
+  ssl_certificate /etc/letsencrypt/live/fascinated.cc/fullchain.pem; # managed by Certbot
+  ssl_certificate_key /etc/letsencrypt/live/fascinated.cc/privkey.pem; # managed by Certbot
+  ssl_session_cache shared:SSL:10m;
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA";
+  ssl_prefer_server_ciphers on;
+  
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 1h;
+  
+  # Certbot (might not be needed? idk)
+  location /.well-known {
+    root /home/nginx/.well-known;
+    
+    try_files $uri $uri/;
+  }
+
+  location ~ \.php$ {
+    try_files $uri =404;
+
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass unix:/var/run/php/php-fpm.sock;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+    fastcgi_index index.php;
+    include fastcgi_params;
+  }
+
+  location / {
+    expires 7d;
+    
+    etag on;
+
+    open_file_cache max=1000 inactive=60s;
+    open_file_cache_valid 60s;
+    open_file_cache_min_uses 1;
+    open_file_cache_errors on;
+
+    # Serve the file directly from disk
+    try_files $uri $uri/ /fourohfour.html;
+  }
+
+  error_page 404 /fourohfour.html;
+
+  location = /fourohfour.html {
+    internal;
+  }
+
+}
--- a/nginx.conf
+++ b/nginx.conf
@ -0,0 +1,59 @@
+#load_module /usr/lib/nginx/modules/ngx_stream_module.so;
+
+user www-data;
+#pid /run/nginx.pid;
+worker_processes 4;
+
+events {
+  worker_connections  2048;
+}
+
+http {
+  proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:50m inactive=60m;
+  
+  include       mime.types;
+  default_type  application/octet-stream;
+  #charset       utf-8;
+
+  sendfile            on;
+  tcp_nopush          on;
+  tcp_nodelay         on;
+  keepalive_timeout   15;
+  types_hash_max_size 4096;
+  
+  client_body_buffer_size 10K;
+  client_header_buffer_size 1k;
+  client_max_body_size 8m;
+  large_client_header_buffers 4 4k;
+
+  fastcgi_connect_timeout 600;
+  fastcgi_send_timeout    600;
+  fastcgi_read_timeout    600;
+
+  server_tokens off;
+  #gzip  on;
+  
+  brotli on;
+  brotli_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
+  gzip on;
+  gzip_comp_level 6;
+  gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
+  http3 on;
+  quic_gso on;
+  quic_retry on;
+  
+  proxy_hide_header "server";
+  proxy_hide_header "x-powered-by";
+  
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  add_header X-Frame-Options "SAMEORIGIN" always;
+  add_header X-Content-Type-Options "nosniff" always;
+  add_header Content-Security-Policy "default-src 'self';";
+  add_header Referrer-Policy "origin";
+    
+  access_log /var/log/nginx/access.log;
+  
+  include /etc/nginx/conf.d/*;
+}
+
+#include /etc/nginx/tcp-udp/*;