nginx.conf
# Worker processes run under the unprivileged "nginx" account.
user nginx;
# Let nginx pick the number of workers.
worker_processes auto;
# Errors at severity "notice" and above go to this file.
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    # Cap on simultaneous connections handled by each worker.
    worker_connections 1024;
}
http {
# Content-Type is derived from the file extension via mime.types; anything
# unlisted is sent as a generic binary download.
include /etc/nginx/mime.types;
default_type application/octet-stream;

# The "main" format is declared here, but no access_log directive in this
# file refers to it.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';

# Access logging is switched off at http level and no server below turns it
# back on: client addresses and request lines are not retained. The trade-off
# is that error_log is the only local record available for incident review.
access_log off;

# Keep the nginx version out of the Server header and built-in error pages.
server_tokens off;

sendfile on;
#tcp_nopush on;

keepalive_timeout 65;

#gzip on;

# Fix server_names_hash_bucket_size for Tor address
server_names_hash_bucket_size 128;
# Choose a client-cache lifetime from the Content-Type of the response being
# sent; the result is consumed by the "expires $expires;" directives in the
# server blocks.
map $sent_http_content_type $expires {
    # Any type not listed: emit no caching headers.
    default                    off;
    # HTML is marked as already expired, so pages are revalidated.
    text/html                  epoch;
    # Stylesheets, scripts and images get the longest lifetime nginx offers.
    text/css                   max;
    application/javascript     max;
    # Leading "~" makes this a regex: matches every image/* type.
    ~image/                    max;
}
# Redirect-only virtual host for the old blog subdomain.
# No "listen" in this file carries default_server, so as the first server
# declared for port 80 this block also answers requests whose Host header
# matches none of the server_name values.
server {
    listen 0.0.0.0:80;
    server_name blog.sethforprivacy.com;

    # Methods other than GET, HEAD and POST: 444 makes nginx close the
    # connection without sending any response.
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    # Permanent redirect to the main site. The scheme and host are fixed in
    # the config; only the path and query string come from the request.
    return 301 https://sethforprivacy.com$request_uri;
}
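# Clearnet virtual host serving the static Hugo build.
# NOTE(review): this block speaks plain HTTP on port 80 while the redirect
# host in this file points at https://, so TLS is presumably terminated by a
# proxy in front of this container; confirm that, and that HSTS is set there.
# Tor Browser is also expected to act on Onion-Location only for pages that
# were delivered over HTTPS.
server {
    listen 0.0.0.0:80;
    server_name sethforprivacy.com;

    # Methods other than GET, HEAD and POST: 444 makes nginx close the
    # connection without sending any response.
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    # Enable compression for all types of files
    # (pre-compressed .gz files are always served; gunzip inflates them for
    # clients that do not accept gzip).
    gzip_static always;
    gzip_proxied expired no-cache no-store private auth;
    gunzip on;

    # Enable client-side caching
    expires $expires;

    root /usr/share/nginx/html/public/; #Absolute path to where your hugo site is
    index index.html; # Hugo generates HTML

    # Advertise the onion mirror of the requested path.
    add_header Onion-Location http://sfprivg7qec6tdle7u6hdepzjibin6fn3ivm6qlwytr235rh5vc6bfqd.onion$request_uri;

    # All add_header lines live at server level and are inherited by
    # "location /". Adding any add_header inside a location block would stop
    # that location inheriting every header below, so keep them together.
    #
    # "always" is set on the security headers because add_header otherwise
    # applies only to a fixed set of success and redirect status codes, which
    # would leave the 404 page without CSP and the other protections.

    # Block site from being framed with X-Frame-Options and CSP
    # Changes from the previous policy string:
    #  - frame-src 'self' had lost its closing quote ('self;), which made the
    #    source expression invalid; it now matches the onion vhost's policy.
    #  - the bare "form-action" (empty source list) is spelled out as 'none'.
    # NOTE(review): 'unsafe-inline' in script-src and style-src allows inline
    # script and style, which removes most of CSP's protection against
    # injected markup; consider nonces or hashes if the theme permits.
    add_header Content-Security-Policy "frame-ancestors 'none'; frame-src 'self'; default-src 'none'; media-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline' https://gist.github.com; style-src 'self' 'unsafe-inline' https://github.githubassets.com; form-action 'none'; base-uri 'none'; font-src 'self'; connect-src 'self'" always;
    add_header X-Frame-Options "DENY" always;

    # Security headers
    add_header X-Content-Type-Options "nosniff" always;
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; present-day guidance is to send "0" or omit it and rely on CSP.
    add_header X-XSS-Protection "1; mode=block" always;

    # Privacy headers
    # NOTE(review): "no-referrer-when-downgrade" still sends the full URL to
    # other HTTPS sites; the onion vhost in this file uses the stricter
    # "no-referrer". Confirm the difference is intentional.
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    # NOTE(review): some feature names in this list (e.g. speaker, vibrate,
    # interest-cohort) may no longer be recognised by current browsers;
    # unrecognised names are ignored rather than enforced.
    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), speaker=(), usb=(), vibrate=(), sync-xhr=(), interest-cohort=()" always;

    location / {
        # Serve the file, then the directory index, otherwise 404.
        try_files $uri $uri/ =404;
    }

    error_page 404 /404.html;
}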
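# Onion-service virtual host; serves a separate build from the "tor" root.
server {
    listen 80;
    listen [::]:80;
    server_name sfprivg7qec6tdle7u6hdepzjibin6fn3ivm6qlwytr235rh5vc6bfqd.onion;

    # Methods other than GET, HEAD and POST: 444 makes nginx close the
    # connection without sending any response.
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    # Enable compression for all types of files
    # (pre-compressed .gz files are always served; gunzip inflates them for
    # clients that do not accept gzip).
    gzip_static always;
    gzip_proxied expired no-cache no-store private auth;
    gunzip on;

    # Enable client-side caching
    expires $expires;

    root /usr/share/nginx/html/tor/;
    index index.html;

    # All add_header lines live at server level and are inherited by
    # "location /". Adding any add_header inside a location block would stop
    # that location inheriting every header below, so keep them together.
    #
    # "always" is set on the security headers because add_header otherwise
    # applies only to a fixed set of success and redirect status codes, which
    # would leave the 404 page without CSP and the other protections.

    # Block site from being framed with X-Frame-Options and CSP
    # The bare "form-action" (empty source list) is spelled out as 'none'.
    # NOTE(review): 'unsafe-inline' in script-src and style-src allows inline
    # script and style, which removes most of CSP's protection against
    # injected markup. The policy also permits loads from gist.github.com and
    # github.githubassets.com, which are clearnet hosts; confirm the onion
    # build actually needs them.
    add_header Content-Security-Policy "frame-ancestors 'none'; frame-src 'self'; default-src 'none'; media-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline' https://gist.github.com; style-src 'self' 'unsafe-inline' https://github.githubassets.com; form-action 'none'; base-uri 'none'; font-src 'self'; connect-src 'self'" always;
    add_header X-Frame-Options "DENY" always;

    # Security headers
    add_header X-Content-Type-Options "nosniff" always;
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; present-day guidance is to send "0" or omit it and rely on CSP.
    add_header X-XSS-Protection "1; mode=block" always;

    # Privacy headers
    # "no-referrer" keeps the onion address out of Referer on outbound links.
    add_header Referrer-Policy "no-referrer" always;
    # NOTE(review): some feature names in this list (e.g. speaker, vibrate,
    # interest-cohort) may no longer be recognised by current browsers;
    # unrecognised names are ignored rather than enforced.
    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), speaker=(), usb=(), vibrate=(), sync-xhr=(), interest-cohort=()" always;

    location / {
        # Serve the file, then the directory index, otherwise 404.
        try_files $uri $uri/ =404;
    }

    error_page 404 /404.html;
}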
}