From 27c160c1ccff73735acb315a23722383d7fffaee Mon Sep 17 00:00:00 2001 From: HF Date: Sun, 25 Sep 2022 04:19:18 +0200 Subject: [PATCH] add nginx example config --- deployment/README.md | 3 + deployment/nginx/README.md | 7 + deployment/nginx/conf.d/0realip.conf | 28 ++++ deployment/nginx/conf.d/1ratelimiters.conf | 5 + deployment/nginx/conf.d/2extiles.conf | 43 ++++++ deployment/nginx/conf.d/6denyws.conf | 42 ++++++ deployment/nginx/includes/canvas.conf | 135 +++++++++++++++++++ deployment/nginx/includes/certbotroot.conf | 4 + deployment/nginx/includes/ppfuncert.conf | 4 + deployment/nginx/sites-available/canvas.conf | 135 +++++++++++++++++++ 10 files changed, 406 insertions(+) create mode 100644 deployment/nginx/README.md create mode 100644 deployment/nginx/conf.d/0realip.conf create mode 100644 deployment/nginx/conf.d/1ratelimiters.conf create mode 100644 deployment/nginx/conf.d/2extiles.conf create mode 100644 deployment/nginx/conf.d/6denyws.conf create mode 100644 deployment/nginx/includes/canvas.conf create mode 100644 deployment/nginx/includes/certbotroot.conf create mode 100644 deployment/nginx/includes/ppfuncert.conf create mode 100644 deployment/nginx/sites-available/canvas.conf diff --git a/deployment/README.md b/deployment/README.md index a97a9d30..01aefa2c 100644 --- a/deployment/README.md +++ b/deployment/README.md @@ -4,6 +4,9 @@ Files here might be very specific to the setup of pixelplanet.fun and might not ## exalple-ecosystem-x.yml and captchaFonts Examples of configurations, will be copied into ./dist on build +# nginx +example nginx config + ## updtmsg Basic nodejs script to print a message and a youtube video, used as a message while updating diff --git a/deployment/nginx/README.md b/deployment/nginx/README.md new file mode 100644 index 00000000..3e4f875a --- /dev/null +++ b/deployment/nginx/README.md 
@@ -0,0 +1,7 @@
+# nginx config
+
+Example nginx config.
+Ratelimiting can be adjusted in `conf.d/1ratelimiters.conf`
+Everything that's important is in `includes/canvas.conf`
+`sites-available/canvas.conf` is for domains and redirections.
+`conf.d/2extiles.conf` is setting the different cache expire times for tile zoomlevels
diff --git a/deployment/nginx/conf.d/0realip.conf b/deployment/nginx/conf.d/0realip.conf
new file mode 100644
index 00000000..a3487eb0
--- /dev/null
+++ b/deployment/nginx/conf.d/0realip.conf
@@ -0,0 +1,28 @@
+# - IPv4
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 131.0.72.0/22;
+
+# - IPv6
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
+
+real_ip_header CF-Connecting-IP;
+real_ip_recursive on;
diff --git a/deployment/nginx/conf.d/1ratelimiters.conf b/deployment/nginx/conf.d/1ratelimiters.conf
new file mode 100644
index 00000000..a54a65fe
--- /dev/null
+++ b/deployment/nginx/conf.d/1ratelimiters.conf
@@ -0,0 +1,5 @@
+limit_req_zone $binary_remote_addr zone=websocket:5m rate=1r/s;
+limit_req_zone $binary_remote_addr zone=general:5m rate=1r/s;
+limit_req_zone $binary_remote_addr zone=chunks:5m rate=40r/s;
+limit_req_zone $binary_remote_addr zone=captcha:5m rate=20r/m;
+limit_req_zone $binary_remote_addr zone=authimp:5m rate=5r/m;
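Review bot: The `set_real_ip_from` list in 0realip.conf is a hard-coded snapshot of the CDN's published ranges with no source or date, so it will drift silently, and a connection arriving from a range added since the snapshot keeps the proxy's own address as `$remote_addr`, which is also the key of every `limit_req_zone` in 1ratelimiters.conf and presumably of the `geo` lookup in 6denyws.conf. A header comment such as `# Cloudflare IPv4/IPv6 ranges, snapshot <date>; re-sync from the published list when it changes` would make that maintenance obligation visible. Connections that reach the listener without passing through a listed address keep their TCP peer address, which is the intended property of `set_real_ip_from`, but it is worth stating next to `real_ip_header CF-Connecting-IP;` because the sites-available servers listen on a public address directly. `real_ip_recursive on;` makes no difference for a single-address header like CF-Connecting-IP, so either drop it or add a comment saying why it stays.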
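Review bot: The five zones in 1ratelimiters.conf carry no comment saying which locations of includes/canvas.conf use them, and the names already mislead: `websocket` is applied to `/api/auth` as well as `/ws` and `/mcws`, and `general` to `/api/captcha` as well as `/`. A comment per line such as `# zone=websocket: /ws, /mcws and /api/auth in includes/canvas.conf` keeps the two files in step when the rates are tuned, which the README presents as the expected operation. All zones key on `$binary_remote_addr`, so their effect depends on 0realip.conf having resolved the client address first; that dependency deserves a line here too.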
diff --git a/deployment/nginx/conf.d/2extiles.conf b/deployment/nginx/conf.d/2extiles.conf
new file mode 100644
index 00000000..d4dd06f5
--- /dev/null
+++ b/deployment/nginx/conf.d/2extiles.conf
@@ -0,0 +1,43 @@
+# maps to set expiration time for /tiles
+# based on canvas $1 and zoomlevel $2
+
+map $2 $ex2k {
+ 2 15m;
+ 1 90m;
+ 0 6h;
+ default 2h;
+}
+
+map $2 $ex16k {
+ 5 15m;
+ 4 90m;
+ 3 6h;
+ 2 9h;
+ 1 12h;
+ 0 18h;
+ default 2h;
+}
+
+map $2 $ex64k {
+ 7 15m;
+ 6 90m;
+ 5 6h;
+ 4 9h;
+ 3 12h;
+ 2 18h;
+ 1 24h;
+ 0 30h;
+ default 2h;
+}
+
+map $1 $extile {
+ 0 $ex64k;
+ 1 $ex16k;
+ 5 $ex16k;
+ 6 $ex16k;
+ 7 $ex16k;
+ 8 $ex2k;
+ default 2h;
+}
+
+
diff --git a/deployment/nginx/conf.d/6denyws.conf b/deployment/nginx/conf.d/6denyws.conf
new file mode 100644
index 00000000..356923b0
--- /dev/null
+++ b/deployment/nginx/conf.d/6denyws.conf
@@ -0,0 +1,42 @@
+geo $deny_ws {
+ default 0;
+ # Google
+ 34.64.0.0/10 1;
+ 34.128.0.0/10 1;
+ 34.132.0.0/14 1;
+ 35.184.0.0/13 1;
+ 35.192.0.0/12 1;
+ 46.131.0.0/16 1;
+ 66.102.0.0/20 1;
+ 72.55.128.0/18 1;
+ 74.125.0.0/16 1;
+ 84.239.14.0/24 1;
+ 84.239.49.0/24 1;
+ # Google
+ 104.154.0.0/15 1;
+ # Google
+ 104.196.0.0/14 1;
+ 119.59.121.0/24 1;
+ 130.211.0.0/16 1;
+ # Google
+ 168.149.128.0/18 1;
+ 173.255.112.0/20 1;
+ 185.245.26.0/23 1;
+ 194.26.192.0/24 1;
+ 194.71.130.0/24 1;
+ # TeraSwitch Networks Inc
+ 204.16.240.0/21 1;
+ # DataHata BestHost Net
+ 217.21.55.0/24 1;
+ # DataHata
+ 31.130.200.0/21 1;
+ # DataHata BestHost Net
+ 93.125.114.0/24 1;
+ # Secure Servers LLC
+ 131.153.0.0/17 1;
+ 2a07:d847::/32 1;
+ 2a0f:c943::/32 1;
+ 2a02:6b8:c08::/48 1;
+ # PlusWeb
+ 2a0a:fa40::/29 1;
+}
diff --git a/deployment/nginx/includes/canvas.conf b/deployment/nginx/includes/canvas.conf
new file mode 100644
index 00000000..9b3e040d
--- /dev/null
+++ b/deployment/nginx/includes/canvas.conf
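Review bot: The maps in 2extiles.conf read `$1` and `$2` without naming the regex that fills them; they only work because `expires $extile;` is evaluated inside the `location ~ ^/tiles/([0-9]+)/([0-9]+)/([0-9]+)/([0-9]+).webp$` block of includes/canvas.conf, and any other location that references `$extile`, or one with a different capture order, would silently get the `default 2h`. A comment at the top such as `# $1/$2 are the canvas and zoom captures of the /tiles location in includes/canvas.conf; only meaningful when expanded there` would pin that coupling. Canvas ids 2, 3 and 4 are absent from `map $1 $extile` and fall to the 2h default; if that is deliberate a comment saying so stops the next reader from treating it as an omission.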
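Review bot: The `$deny_ws` list in 6denyws.conf records no source, date or review process, and it mixes attributed entries (`# Google`) with bare ranges, so nobody can later tell whether a given block is still justified; a header such as `# Networks denied on /ws; source and date per entry, review before extending` plus an attribution on each bare range would fix that. The `geo` block keys on `$remote_addr`, which after 0realip.conf is presumably the CDN-supplied address for proxied requests and the TCP peer otherwise, so the deny applies on both paths and that is worth stating. `$deny_ws` is checked only in `location /ws` of includes/canvas.conf and not in `/mcws`, which has the same upgrade handling; if that difference is intentional, a comment should say so.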
@@ -0,0 +1,135 @@
+# For maintenance
+#location / {
+# autoindex off;
+# expires -1;
+# access_log off;
+# add_header Cache-Control "public";
+# proxy_set_header X-Real-IP $remote_addr;
+# root /home/pixelpla/pixelplace-redirect/wait;
+#}
+
+
+include /etc/nginx/includes/certbotroot.conf;
+
+location / {
+ proxy_no_cache 1;
+ if ($http_user_agent ~* (python-requests)) {
+ return 503;
+ }
+ limit_req zone=general burst=20 delay=10;
+ proxy_set_header X-Real-IP $remote_addr;
+ client_max_body_size 3M;
+ proxy_pass http://$ppfun$request_uri;
+}
+
+location = / {
+ if ($http_user_agent ~* (python-requests)) {
+ return 503;
+ }
+ if ( $query_string ) { return 403; }
+ limit_req zone=captcha burst=5;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://$ppfun$request_uri;
+}
+
+# for matrix
+location /.well-known/matrix/client {
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.pixelplanet.fun"}}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+}
+
+# for matrix delegations
+location /.well-known/matrix/server {
+ return 200 '{"m.server":"matrix.pixelplanet.fun:443"}';
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+}
+
+# block adminapi
+location /adminapi {
+ return 403 '{"errors": ["Not allowed from nginx"]}';
+ default_type application/json;
+}
+
+location ~ ^/tiles/([0-9]+)/([0-9]+)/([0-9]+)/([0-9]+).webp$ {
+ proxy_no_cache 1;
+ expires $extile;
+ add_header Cache-Control "public";
+ add_header Access-Control-Allow-Origin *;
+ root /home/pixelpla/pixelplanet/tiles;
+ try_files /$1/$2/$3/$4.webp /$1/emptytile.webp =404;
+}
+
+location /chunks {
+ proxy_no_cache 1;
+ if ( $query_string ) { return 404; }
+ limit_req zone=chunks burst=400 delay=200;
+ access_log off;
+ proxy_pass http://$ppfun$request_uri;
+}
+
+location /ws {
+ #proxy_no_cache 1;
+ limit_req zone=websocket burst=5;
+ if ($deny_ws) {
+ return 403;
+ }
+ proxy_http_version 1.1;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_pass http://$ppfun$request_uri;
+}
+
+location /captcha.svg {
+ proxy_no_cache 1;
+ limit_req zone=captcha burst=5;
+ limit_req_status 429;
+ if ($http_user_agent ~* (python-requests)) {
+ return 503;
+ }
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://$ppfun$request_uri;
+}
+
+location /reset_password {
+ limit_req zone=authimp burst=3;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://$ppfun$request_uri;
+}
+
+location /mcws {
+ proxy_no_cache 1;
+ limit_req zone=websocket burst=5;
+ proxy_http_version 1.1;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_pass http://$ppfun$request_uri;
+}
+
+location /api/auth {
+ proxy_no_cache 1;
+ limit_req zone=websocket burst=5;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_pass http://$ppfun$request_uri;
+}
+
+location /api/captcha {
+ proxy_no_cache 1;
+ limit_req zone=general burst=10 nodelay;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://$ppfun$request_uri;
+}
+
+location /moderation {
+ autoindex on;
+ expires 15m;
+ add_header Cache-Control "public";
+ root /home/pixelpla/pixelplanet/log;
+}
diff --git a/deployment/nginx/includes/certbotroot.conf b/deployment/nginx/includes/certbotroot.conf
new file mode 100644
index 00000000..0b92168d
--- /dev/null
+++ b/deployment/nginx/includes/certbotroot.conf
@@ -0,0 +1,4 @@
+# very handy for setting a common webroot for certbot only
+location /.well-known/acme-challenge {
+ root /home/pixelpla/certbotroot;
+}
diff --git a/deployment/nginx/includes/ppfuncert.conf b/deployment/nginx/includes/ppfuncert.conf
new file mode 100644
index 00000000..b60793d1
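Review bot: `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` in `location /ws` and `location /api/auth` relays whatever the client sent, and because every server in sites-available also listens on port 80 directly, a direct client decides the scheme the upstream sees for its auth traffic; `proxy_set_header X-Forwarded-Proto $scheme;` is the safe default in both places, and if the CDN-supplied value is genuinely needed it should be honoured only for connections from the `set_real_ip_from` ranges via a `map`. `location /adminapi` is a case-sensitive prefix match in front of a `location /` that forwards `$request_uri` unchanged, so the block holds only if the upstream router is equally strict about case; `location ~* ^/adminapi` is the closer fit at this layer, and the restriction should exist in the application as well rather than only in nginx. `location /moderation` serves `/home/pixelpla/pixelplanet/log/moderation` with `autoindex on` and a public cache header to anyone; if that listing is meant to be public a comment saying so would help, otherwise an `allow`/`deny` or `auth_basic` guard belongs here. The `python-requests` check is repeated verbatim in three locations and could be a single `map $http_user_agent $blocked_ua` in conf.d, which also keeps the `if` blocks in the locations shorter.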
--- /dev/null
+++ b/deployment/nginx/includes/ppfuncert.conf
@@ -0,0 +1,4 @@
+ssl_certificate /etc/letsencrypt/live/pixelplanet.fun/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/pixelplanet.fun/privkey.pem;
+ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
diff --git a/deployment/nginx/sites-available/canvas.conf b/deployment/nginx/sites-available/canvas.conf
new file mode 100644
index 00000000..f4f321b4
--- /dev/null
+++ b/deployment/nginx/sites-available/canvas.conf
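Review bot: `ssl_ciphers` still lists `EECDH+3DES:RSA+3DES` and the static-RSA suites `RSA+AES128:RSA+AES256`, which give up forward secrecy and keep a 64-bit block cipher on offer, and there is no `ssl_protocols` line, so the nginx build's default decides whether TLS 1.0/1.1 are accepted. A tighter block would be `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 where the OpenSSL build supports it) followed by `ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256;` and `ssl_prefer_server_ciphers on;`. Since this include is pulled into every TLS server in sites-available, this file is the single place to fix it. `ssl_certificate` points at the pixelplanet.fun lineage while the include is also used by `www.pixelplanet.fun`, `dev.pixelplanet.fun` and the sc*.pixelplanet.fun hosts, so that certificate has to cover those names; a comment listing the expected SANs would catch a mismatch early.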
@@ -0,0 +1,135 @@
+server {
+ listen 123.123.123.120:80;
+
+ server_name www.pixelplanet.fun;
+
+ listen 123.123.123.120:443 ssl http2;
+ include /etc/nginx/includes/ppfuncert.conf;
+
+ return 301 https://pixelplanet.fun$request_uri;
+}
+
+server {
+ listen 123.123.123.120:80;
+
+ server_name www.fuckyouarkeros.fun;
+
+ return 301 https://fuckyouarkeros.fun$request_uri;
+}
+
+server {
+ listen 123.123.123.120:80;
+
+ server_name fuckyouarkeros.fun;
+
+ set $ppfun 127.0.0.1:3000;
+ include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+ listen 123.123.123.120:80;
+
+ server_name pixelplanet.fun sca.pixelplanet.fun;
+
+ listen 123.123.123.120:443 ssl http2;
+ include /etc/nginx/includes/ppfuncert.conf;
+
+ set $ppfun 127.0.0.1:3000;
+ include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+ listen 123.123.123.120:80;
+
+ server_name dev.pixelplanet.fun;
+
+ listen 123.123.123.120:443 ssl http2;
+ include /etc/nginx/includes/ppfuncert.conf;
+
+ set $ppfun 127.0.0.1:4000;
+ include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+ listen 123.123.123.120:80;
+
+ server_name scb.pixelplanet.fun;
+
+ listen 123.123.123.120:443 ssl http2;
+ include /etc/nginx/includes/ppfuncert.conf;
+
+ set $ppfun 127.0.0.1:3333;
+ include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+ listen 123.123.123.120:80;
+
+ server_name scc.pixelplanet.fun;
+
+ listen 123.123.123.120:443 ssl http2;
+ include /etc/nginx/includes/ppfuncert.conf;
+
+ set $ppfun 127.0.0.1:3334;
+ include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+ listen 123.123.123.120:80;
+
+ server_name scd.pixelplanet.fun;
+
+ listen 123.123.123.120:443 ssl http2;
+ include /etc/nginx/includes/ppfuncert.conf;
+
+ set $ppfun 127.0.0.1:3335;
+ include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+ listen 123.123.123.120:80;
+
+ server_name sce.pixelplanet.fun;
+
+ listen 123.123.123.120:443 ssl http2;
+ include /etc/nginx/includes/ppfuncert.conf;
+
+ set $ppfun 127.0.0.1:3336;
+ include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+ listen 123.123.123.120:80;
+
+ server_name scf.pixelplanet.fun;
+
+ listen 123.123.123.120:443 ssl http2;
+ include /etc/nginx/includes/ppfuncert.conf;
+
+ set $ppfun 127.0.0.1:3337;
+ include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+ listen 123.123.123.120:80;
+
+ server_name scg.pixelplanet.fun;
+
+ listen 123.123.123.120:443 ssl http2;
+ include /etc/nginx/includes/ppfuncert.conf;
+
+ set $ppfun 127.0.0.1:3338;
+ include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+ listen 123.123.123.120:80;
+
+ server_name sch.pixelplanet.fun;
+
+ listen 123.123.123.120:443 ssl http2;
+ include /etc/nginx/includes/ppfuncert.conf;
+
+ set $ppfun 127.0.0.1:3339;
+ include /etc/nginx/includes/canvas.conf;
+}
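Review bot: Every canvas server block listens on `123.123.123.120:80` and includes canvas.conf on that listener as well, so `/api/auth`, `/reset_password` and the websocket endpoints are served over plaintext HTTP with no redirect to the 443 listener, and nothing adds `Strict-Transport-Security`. Unless a CDN is guaranteed to be the only thing reaching port 80, the :80 side should carry only the acme-challenge include and a `return 301 https://$host$request_uri;`, the same shape the `www.pixelplanet.fun` block already uses, which means splitting the :80 and :443 listeners into separate `server` blocks. `www.fuckyouarkeros.fun` redirects to `https://fuckyouarkeros.fun`, but no server here listens on 443 for that name, so the redirect only resolves if TLS is terminated elsewhere; a comment should say where. The dev and sc*.pixelplanet.fun blocks differ only in `server_name` and the `$ppfun` port, so a `map $host $ppfun` in conf.d with one shared server block would remove the duplication and keep future port changes in one place.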