Merge branch 'master' into devel

2022-09-26 00:35:06 +02:00 · 2022-09-26 00:35:06 +02:00 · 6c9dad52df
commit 6c9dad52df
parent f79aab102c 27c160c1cc
12 changed files with 407 additions and 1 deletions
--- a/deployment/README.md
+++ b/deployment/README.md
@ -4,6 +4,9 @@ Files here might be very specific to the setup of pixelplanet.fun and might not
 ## exalple-ecosystem-x.yml and captchaFonts
 Examples of configurations, will be copied into ./dist on build

+# nginx
+example nginx config
+
 ## updtmsg
 Basic nodejs script to print a message and a youtube video, used as a message while updating

--- a/deployment/nginx/README.md
+++ b/deployment/nginx/README.md
@ -0,0 +1,7 @@
+# nginx config
+
+Example nginx config.
+Ratelimiting can be adjusted in `conf.d/1ratelimiters.conf`
+Everything that's important is in `includes/canvas.conf`
+`sites-available/canvas.conf` is for domains and redirections.
+`conf.d/2extiles.conf` is setting the different cache expire times for tile zoomlevels
--- a/deployment/nginx/conf.d/0realip.conf
+++ b/deployment/nginx/conf.d/0realip.conf
@ -0,0 +1,28 @@
+# - IPv4
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 131.0.72.0/22;
+
+# - IPv6
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
+
+real_ip_header CF-Connecting-IP;
+real_ip_recursive on;
--- a/deployment/nginx/conf.d/1ratelimiters.conf
+++ b/deployment/nginx/conf.d/1ratelimiters.conf
@ -0,0 +1,5 @@
+limit_req_zone $binary_remote_addr zone=websocket:5m rate=1r/s;
+limit_req_zone $binary_remote_addr zone=general:5m rate=1r/s;
+limit_req_zone $binary_remote_addr zone=chunks:5m rate=40r/s;
+limit_req_zone $binary_remote_addr zone=captcha:5m rate=20r/m;
+limit_req_zone $binary_remote_addr zone=authimp:5m rate=5r/m;
--- a/deployment/nginx/conf.d/2extiles.conf
+++ b/deployment/nginx/conf.d/2extiles.conf
@ -0,0 +1,43 @@
+# maps to set expiration time for /tiles
+# based on canvas $1 and zoomlevel $2
+
+map $2 $ex2k {
+  2 15m;
+  1 90m;
+  0 6h;
+  default 2h;
+}
+
+map $2 $ex16k {
+  5 15m;
+  4 90m;
+  3 6h;
+  2 9h;
+  1 12h;
+  0 18h;
+  default 2h;
+}
+
+map $2 $ex64k {
+  7 15m;
+  6 90m;
+  5 6h;
+  4 9h;
+  3 12h;
+  2 18h;
+  1 24h;
+  0 30h;
+  default 2h;
+}
+
+map $1 $extile {
+  0 $ex64k;
+  1 $ex16k;
+  5 $ex16k;
+  6 $ex16k;
+  7 $ex16k;
+  8 $ex2k;
+  default 2h;
+}
+
+
--- a/deployment/nginx/conf.d/6denyws.conf
+++ b/deployment/nginx/conf.d/6denyws.conf
@ -0,0 +1,42 @@
+geo $deny_ws {
+    default           0;
+    # Google
+    34.64.0.0/10      1;
+    34.128.0.0/10     1;
+    34.132.0.0/14     1;
+    35.184.0.0/13     1;
+    35.192.0.0/12     1;
+    46.131.0.0/16     1;
+    66.102.0.0/20     1;
+    72.55.128.0/18    1;
+    74.125.0.0/16     1;
+    84.239.14.0/24    1;
+    84.239.49.0/24    1;
+    # Google
+    104.154.0.0/15    1;
+    # Google
+    104.196.0.0/14    1;
+    119.59.121.0/24   1;
+    130.211.0.0/16    1;
+    # Google
+    168.149.128.0/18  1;
+    173.255.112.0/20  1;
+    185.245.26.0/23   1;
+    194.26.192.0/24   1;
+    194.71.130.0/24   1;
+    # TeraSwitch Networks Inc
+    204.16.240.0/21   1;
+    # DataHata BestHost Net
+    217.21.55.0/24    1;
+    # DataHata
+    31.130.200.0/21   1;
+    # DataHata BestHost Net
+    93.125.114.0/24   1;
+    # Secure Servers LLC
+    131.153.0.0/17    1;
+    2a07:d847::/32    1;
+    2a0f:c943::/32    1;
+    2a02:6b8:c08::/48 1;
+    # PlusWeb
+    2a0a:fa40::/29    1;
+}
--- a/deployment/nginx/includes/canvas.conf
+++ b/deployment/nginx/includes/canvas.conf
@ -0,0 +1,135 @@
+# For maintenance
+#location / {
+#  autoindex off;
+#  expires -1;
+#  access_log off;
+#  add_header Cache-Control "public";
+#  proxy_set_header X-Real-IP $remote_addr;
+#  root /home/pixelpla/pixelplace-redirect/wait;
+#}
+
+
+include /etc/nginx/includes/certbotroot.conf;
+
+location / {
+  proxy_no_cache 1;
+  if ($http_user_agent ~* (python-requests)) {
+    return 503;
+  }
+  limit_req zone=general burst=20 delay=10;
+  proxy_set_header X-Real-IP $remote_addr;
+  client_max_body_size 3M;
+  proxy_pass http://$ppfun$request_uri;
+}
+
+location = / {
+  if ($http_user_agent ~* (python-requests)) {
+    return 503;
+  }
+  if ( $query_string ) { return 403; }
+  limit_req zone=captcha burst=5;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_pass http://$ppfun$request_uri;
+}
+
+# for matrix
+location /.well-known/matrix/client {
+  return 200 '{"m.homeserver": {"base_url": "https://matrix.pixelplanet.fun"}}';
+  default_type application/json;
+  add_header Access-Control-Allow-Origin *;
+}
+
+# for matrix delegations
+location /.well-known/matrix/server {
+  return 200 '{"m.server":"matrix.pixelplanet.fun:443"}';
+  default_type application/json;
+  add_header Access-Control-Allow-Origin *;
+}
+
+# block adminapi
+location /adminapi {
+  return 403 '{"errors": ["Not allowed from nginx"]}';
+  default_type application/json;
+}
+
+location ~ ^/tiles/([0-9]+)/([0-9]+)/([0-9]+)/([0-9]+).webp$ {
+  proxy_no_cache 1;
+  expires $extile;
+  add_header Cache-Control "public";
+  add_header Access-Control-Allow-Origin *;
+  root /home/pixelpla/pixelplanet/tiles;
+  try_files /$1/$2/$3/$4.webp /$1/emptytile.webp =404; 
+}
+
+location /chunks {
+  proxy_no_cache 1;
+  if ( $query_string ) { return 404; }
+  limit_req zone=chunks burst=400 delay=200;
+  access_log off;
+  proxy_pass http://$ppfun$request_uri;
+}
+
+location /ws {
+  #proxy_no_cache 1;
+  limit_req zone=websocket burst=5;
+  if ($deny_ws) {
+    return 403;
+  }
+  proxy_http_version 1.1;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+  proxy_set_header X-Forwarded-Host $host;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection "Upgrade";
+  proxy_pass http://$ppfun$request_uri;
+}
+
+location /captcha.svg {
+  proxy_no_cache 1;
+  limit_req zone=captcha burst=5;
+  limit_req_status 429;
+  if ($http_user_agent ~* (python-requests)) {
+    return 503;
+  }
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_pass http://$ppfun$request_uri;
+}
+
+location /reset_password {
+  limit_req zone=authimp burst=3;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_pass http://$ppfun$request_uri;
+}
+
+location /mcws {
+  proxy_no_cache 1;
+  limit_req zone=websocket burst=5;
+  proxy_http_version 1.1;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection "Upgrade";
+  proxy_pass http://$ppfun$request_uri;
+}
+
+location /api/auth {
+  proxy_no_cache 1;
+  limit_req zone=websocket burst=5;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+  proxy_set_header X-Forwarded-Host $host;
+  proxy_pass http://$ppfun$request_uri;
+}
+
+location /api/captcha {
+  proxy_no_cache 1;
+  limit_req zone=general burst=10 nodelay;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_pass http://$ppfun$request_uri;
+}
+
+location /moderation {
+  autoindex on;
+  expires 15m;
+  add_header Cache-Control "public";
+  root /home/pixelpla/pixelplanet/log;
+}
--- a/deployment/nginx/includes/certbotroot.conf
+++ b/deployment/nginx/includes/certbotroot.conf
@ -0,0 +1,4 @@
+# very handy for setting a common webroot for certbot only
+location /.well-known/acme-challenge {
+  root /home/pixelpla/certbotroot;
+}
--- a/deployment/nginx/includes/ppfuncert.conf
+++ b/deployment/nginx/includes/ppfuncert.conf
@ -0,0 +1,4 @@
+ssl_certificate /etc/letsencrypt/live/pixelplanet.fun/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/pixelplanet.fun/privkey.pem;
+ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
--- a/deployment/nginx/sites-available/canvas.conf
+++ b/deployment/nginx/sites-available/canvas.conf
@ -0,0 +1,135 @@
+server {
+  listen 123.123.123.120:80;
+
+  server_name www.pixelplanet.fun;
+
+  listen 123.123.123.120:443 ssl http2;
+  include /etc/nginx/includes/ppfuncert.conf;
+
+  return 301 https://pixelplanet.fun$request_uri;
+}
+
+server {
+  listen 123.123.123.120:80;
+
+  server_name www.fuckyouarkeros.fun;
+
+  return 301 https://fuckyouarkeros.fun$request_uri;
+}
+
+server {
+  listen 123.123.123.120:80;
+
+  server_name fuckyouarkeros.fun;
+
+  set $ppfun 127.0.0.1:3000;
+  include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+  listen 123.123.123.120:80;
+
+  server_name pixelplanet.fun sca.pixelplanet.fun;
+
+  listen 123.123.123.120:443 ssl http2;
+  include /etc/nginx/includes/ppfuncert.conf;
+
+  set $ppfun 127.0.0.1:3000;
+  include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+  listen 123.123.123.120:80;
+
+  server_name dev.pixelplanet.fun;
+
+  listen 123.123.123.120:443 ssl http2;
+  include /etc/nginx/includes/ppfuncert.conf;
+
+  set $ppfun 127.0.0.1:4000;
+  include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+  listen 123.123.123.120:80;
+
+  server_name scb.pixelplanet.fun;
+
+  listen 123.123.123.120:443 ssl http2;
+  include /etc/nginx/includes/ppfuncert.conf;
+
+  set $ppfun 127.0.0.1:3333;
+  include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+  listen 123.123.123.120:80;
+
+  server_name scc.pixelplanet.fun;
+
+  listen 123.123.123.120:443 ssl http2;
+  include /etc/nginx/includes/ppfuncert.conf;
+
+  set $ppfun 127.0.0.1:3334;
+  include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+  listen 123.123.123.120:80;
+
+  server_name scd.pixelplanet.fun;
+
+  listen 123.123.123.120:443 ssl http2;
+  include /etc/nginx/includes/ppfuncert.conf;
+
+  set $ppfun 127.0.0.1:3335;
+  include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+  listen 123.123.123.120:80;
+
+  server_name sce.pixelplanet.fun;
+
+  listen 123.123.123.120:443 ssl http2;
+  include /etc/nginx/includes/ppfuncert.conf;
+
+  set $ppfun 127.0.0.1:3336;
+  include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+  listen 123.123.123.120:80;
+
+  server_name scf.pixelplanet.fun;
+
+  listen 123.123.123.120:443 ssl http2;
+  include /etc/nginx/includes/ppfuncert.conf;
+
+  set $ppfun 127.0.0.1:3337;
+  include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+  listen 123.123.123.120:80;
+
+  server_name scg.pixelplanet.fun;
+
+  listen 123.123.123.120:443 ssl http2;
+  include /etc/nginx/includes/ppfuncert.conf;
+
+  set $ppfun 127.0.0.1:3338;
+  include /etc/nginx/includes/canvas.conf;
+}
+
+server {
+  listen 123.123.123.120:80;
+
+  server_name sch.pixelplanet.fun;
+
+  listen 123.123.123.120:443 ssl http2;
+  include /etc/nginx/includes/ppfuncert.conf;
+
+  set $ppfun 127.0.0.1:3339;
+  include /etc/nginx/includes/canvas.conf;
+}
--- a/public/cf/xk.gif
+++ b/public/cf/xk.gif
--- a/src/store/actions/fetch.js
+++ b/src/store/actions/fetch.js
@ -29,7 +29,7 @@ export const shardOrigin = shardHost
 * defaults to 8s
 */
 async function fetchWithTimeout(url, options = {}) {
-  const { timeout = 10000 } = options;
+  const { timeout = 30000 } = options;

  const controller = new AbortController();
  const id = setTimeout(() => controller.abort(), timeout);