UNMAINTAINED

unmaintained/reverse/rootfs/nginx/conf.d/ct.conf

@@ -0,0 +1,2 @@
+ssl_ct on;
+add_header Expect-CT "enforce; max-age=86400";

unmaintained/reverse/rootfs/nginx/conf.d/headers.conf

@@ -0,0 +1,2 @@
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";

unmaintained/reverse/rootfs/nginx/conf.d/hsts.conf

@@ -0,0 +1 @@
+add_header Strict-Transport-Security "max-age=31536000";

unmaintained/reverse/rootfs/nginx/conf.d/ocsp.conf

@@ -0,0 +1,4 @@
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 84.200.69.80 84.200.70.40 valid=300s;
+resolver_timeout 5s;

unmaintained/reverse/rootfs/nginx/conf.d/proxy.conf

@@ -0,0 +1,11 @@
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection "upgrade";
+  proxy_set_header Host $host;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_set_header X-Remote-Port $remote_port;
+  proxy_redirect off;
+  proxy_set_header Proxy "";
+  proxy_pass_header Server;

unmaintained/reverse/rootfs/nginx/conf.d/ssl.conf

@@ -0,0 +1,9 @@
+ssl_protocols TLSv1.2;
+ssl_ecdh_curve X25519:P-521:P-384;
+ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM;
+ssl_prefer_server_ciphers on;
+
+ssl_session_cache shared:SSL:20m;
+ssl_session_timeout 15m;
+ssl_session_tickets off;
+ssl_dyn_rec_enable on;

unmaintained/reverse/rootfs/nginx/conf/nginx.conf

@@ -0,0 +1,82 @@
+worker_processes auto;
+pid /nginx/run/nginx.pid;
+daemon off;
+pcre_jit on;
+
+events {
+    worker_connections 2048; 
+    use epoll;
+}
+
+http {
+    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
+    limit_conn limit_per_ip 128;
+    limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
+    limit_req zone=allips burst=150 nodelay;
+    
+    include /nginx/conf/mime.types;
+    default_type  application/octet-stream;
+
+    access_log /nginx/log/nginx_access.log combined;
+    error_log /nginx/log/nginx_error.log error;
+
+    aio threads;
+    aio_write on;
+    
+    more_set_headers 'Server: secret';
+
+    sendfile on;
+    keepalive_timeout 15;
+    keepalive_disable msie6;
+    keepalive_requests 100;
+    tcp_nopush on;
+    tcp_nodelay off;
+    server_tokens off;
+    proxy_max_temp_file_size 20480m;
+    
+    gzip on;
+    gzip_comp_level 5;
+    gzip_min_length 512;
+    gzip_buffers 4 8k;
+    gzip_proxied any;
+    gzip_vary on;
+    gzip_disable "msie6";
+    gzip_types
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        text/x-component
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/vnd.ms-fontobject
+        font/truetype
+        font/opentype
+        image/svg+xml;
+
+    brotli on;
+    brotli_static on;
+    brotli_buffers 16 8k;
+    brotli_comp_level 6;
+    brotli_types
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        text/x-component
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/vnd.ms-fontobject
+        font/truetype
+        font/opentype
+        image/svg+xml;
+
+    include /nginx/sites-enabled/*.conf;
+    include /nginx/custom_sites/*.conf;
+}

unmaintained/reverse/rootfs/nginx/path.d/template

@@ -0,0 +1,5 @@
+  location <frontend_path> {
+    include /nginx/conf.d/proxy.conf;
+    client_max_body_size <frontend_domain_max_body_size>;
+    proxy_pass http://<backend_addr>:<backend_port>;
+  }

unmaintained/reverse/rootfs/nginx/path.d/template_auth

@@ -0,0 +1,7 @@
+  location <frontend_path> {
+    include /nginx/conf.d/proxy.conf;
+    auth_basic "Who's this?";
+    auth_basic_user_file "<auth_file>";
+    client_max_body_size <frontend_domain_max_body_size>;
+    proxy_pass http://<backend_addr>:<backend_port>;
+  }

unmaintained/reverse/rootfs/nginx/sites-enabled/template

@@ -0,0 +1,6 @@
+server {
+  listen 8080;
+  server_name <frontend_domain>;
+  include /nginx/conf.d/headers.conf;
+  include /nginx/path.d/<frontend_domain>/*.conf;
+}

unmaintained/reverse/rootfs/nginx/sites-enabled/template_ssl

@@ -0,0 +1,31 @@
+server {
+  listen 8080;
+  server_name <frontend_domain>;
+
+  rewrite ^ https://<frontend_domain>:443$request_uri? permanent;
+}
+
+
+server {
+
+  listen 8443 ssl http2;
+  server_name <frontend_domain>;
+  index index.html index.php index.htm;
+
+  ssl_certificate /nginx/ssl/certificates/<frontend_domain>.crt;
+  ssl_certificate_key /nginx/ssl/certificates/<frontend_domain>.key;
+  ssl_trusted_certificate /nginx/ssl/certificates/<frontend_domain>.chain.pem;
+  ssl_ct_static_scts /nginx/ssl/timestamps/<frontend_domain>;
+  include /nginx/conf.d/ssl.conf;
+  include /nginx/conf.d/headers.conf;
+  include /nginx/conf.d/hsts.conf;
+  include /nginx/conf.d/ocsp.conf;
+  include /nginx/conf.d/ct.conf;
+
+  include /nginx/path.d/<frontend_domain>/*.conf;
+
+  location ~ /\.well-known/acme-challenge {
+    root /nginx/www/<frontend_domain>;
+    allow all;
+  }
+}