work

2026-05-21 14:02:15 +00:00 · 2023-12-27 02:01:24 +01:00
parent d26e31b377
commit 3f55c69e02
16 changed files with 294 additions and 283 deletions
--- a/ssh_lib/assets/nginx/cloudflare.conf
+++ b/ssh_lib/assets/nginx/cloudflare.conf
@@ -0,0 +1,29 @@
+# https://www.cloudflare.com/ips/
+
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
+
+# use any of the following two
+real_ip_header CF-Connecting-IP;
+#real_ip_header X-Forwarded-For;
--- a/ssh_lib/assets/nginx/default_disable.conf
+++ b/ssh_lib/assets/nginx/default_disable.conf
@@ -0,0 +1,20 @@
+map "" $empty {
+    default "";
+}
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    http2 on;
+
+    server_name _;
+
+    ssl_ciphers aNULL;
+    ssl_certificate /etc/nginx/ssl/dummy.crt;
+    ssl_certificate_key /etc/nginx/ssl/dummy.key;
+
+    return 444;
+}
--- a/ssh_lib/assets/nginx/nginx.conf
+++ b/ssh_lib/assets/nginx/nginx.conf
@@ -0,0 +1,69 @@
+user nginx;
+pid /var/run/nginx.pid;
+
+
+worker_processes auto;
+worker_rlimit_nofile 300000; # needs to be < ulimit -n
+
+error_log /data/nginx/logs/nginx-error.log warn;
+
+events {
+    worker_connections 40000;
+    multi_accept on;
+}
+
+http {
+    # aggressive caching for read-only sources
+    open_file_cache max=1000000 inactive=60m;
+    open_file_cache_valid 60m;
+    open_file_cache_min_uses 1;
+    open_file_cache_errors on;
+
+    server_tokens off;
+
+    # TODO add application/vnd.mapbox-vector-tile
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    charset utf-8;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+
+    reset_timedout_connection on;
+    send_timeout 20;
+
+    max_ranges 0;
+
+    gzip on;
+    gzip_comp_level 1;
+    gzip_types application/json;
+
+    log_format access_json '{'
+    '"time": "$time_iso8601", '
+    '"msec": "$msec", '
+    '"status": $status, '
+    '"request": "$request", '
+    '"request_method": "$request_method", '
+    '"request_time": $request_time, '
+    '"body_bytes_sent": $body_bytes_sent, '
+    '"remote_addr": "$remote_addr", '
+    '"remote_user": "$remote_user", '
+    '"http_referrer": "$http_referer", '
+    '"http_x_forwarded_for": "$http_x_forwarded_for", '
+    '"http_user_agent": "$http_user_agent", '
+    '"host": "$host", '
+    '"uri": "$uri", '
+    '"http_cf_connecting_ip": "$http_cf_connecting_ip", '
+    '"http_cf_ray": "$http_cf_ray", '
+    '"http_cf_ipcountry": "$http_cf_ipcountry", '
+    '"scheme": "$scheme", '
+    '"http_host": "$http_host"'
+    '}';
+
+    access_log /data/nginx/logs/nginx-access.log access_json buffer=32k;
+
+    include /data/nginx/config/*;
+    include /data/nginx/sites/*;
+}