jethron-id-au.nginx

server_tokens off; # removal entirely would be nice but not available in OSS nginx

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:tls:6m; # 6mb is low but not expecting high traffic

sendfile on;
tcp_nodelay on;
keepalive_timeout 65;

access_log syslog:server=unix:/var/run/log;
error_log syslog:server=unix:/var/run/log;

# encoding settings
charset utf-8;
gzip on;
gzip_vary on;
gzip_static on; # for static stuff compressed with zopfli
gzip_comp_level 7;
gzip_http_version 1.1;
# usually want these in sync; text/html is implicit
charset_types	text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
gzip_types	text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;

map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
}

server {
	listen [::]:80 default_server ipv6only=off;
	listen [::]:443 default_server ssl ipv6only=off;

	http2 on;

	server_name jethron.id.au www.jethron.id.au;

	if ($https = "") {
		return 301 https://jethron.id.au$request_uri;
	}

	ssl_certificate /home/jethron/letsencrypt/jethron.id.au/cert.pem;
	ssl_certificate_key /home/jethron/letsencrypt/private/jethron.id.au/key.pem;
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 108.61.10.10;

	add_header Expect-CT "max-age=86400,enforce" always;
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
	add_header X-Content-Type-Options "nosniff" always;

	root /home/jethron/code/jethron.id.au;
	index index.html index.php;

	location /.git {
		return 404;
	}

	location /jethron-id-au.nginx {
		return 404;
	}

	location / {
		try_files $uri $uri/ =404;
	}

	location ^~ /.well-known/openpgpkey/hu/ {
		add_header Access-Control-Allow-Origin "*" always;
	}

	location ^~ /sync/ {
		auth_basic "Syncthing";
		auth_basic_user_file /home/jethron/htaccess;

		proxy_set_header Host localhost;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;

		proxy_pass http://localhost:8384/;
		break;
	}

	location ~* \.html {
		# these only make sense for pages (i think)
		add_header Content-Security-Policy  "default-src 'self'; font-src 'none'; object-src 'none'; frame-src 'none'; img-src 'self' https://github.com https://*.githubusercontent.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'; form-action 'self';" always;
		add_header X-Frame-Options "DENY" always;
		add_header X-XSS-Protection "1; mode=block" always;

		# adding new headers stops inheritance, so duplicate these ones
		add_header Expect-CT  "max-age=86400,enforce" always;
		add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
		add_header X-Content-Type-Options "nosniff" always;
	}

	location /pkg/ {
		proxy_pass http://pkg0.syd.freebsd.org/;
	}

	location /print/ {
		set $home_endpoint http://home.jethron.id.au:5000;
		proxy_pass $home_endpoint;
		proxy_read_timeout 10s;
		proxy_http_version 1.1;
		proxy_set_header Connection "upgrade";
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header X-Script-Name "/print";
		proxy_set_header X-Forwarded-Host $http_host;
		proxy_set_header X-Scheme $scheme;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

		client_max_body_size 0;
	}

	location /aero {
		return 302 https://docs.google.com/spreadsheets/d/1afzWN7Mfv_3zm1wJbd_WA0Bq2ARVrQiBks9jf_9vaIE/edit;
	}
}