diff --git a/script/install/nginx/conf.d/common.conf b/script/install/nginx/conf.d/common.conf new file mode 100644 index 000000000..fde1b08b7 --- /dev/null +++ b/script/install/nginx/conf.d/common.conf @@ -0,0 +1,92 @@ +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; +ssl_prefer_server_ciphers on; +ssl_session_timeout 4h; +ssl_session_cache shared:SSL:20m; +ssl_session_tickets off; +ssl_stapling on; +ssl_stapling_verify on; +ssl_dhparam /etc/nginx/ssl/dhparam.pem; +resolver 8.8.8.8 8.8.4.4; + +root /var/www/danbooru/current/public; +index index.html; +access_log off; +error_log /var/www/danbooru/shared/log/server.error.log; +try_files $uri/index.html $uri.html $uri @app; +client_max_body_size 30m; +error_page 503 @maintenance; +error_page 404 /404.html; +error_page 500 502 503 504 /500.html; + +location /assets { + expires max; + break; +} + +location /data/preview { + expires max; + break; +} + +location /posts/mobile { + return 404; +} + +location /users { + limit_req zone=users burst=5; + limit_req_status 429; + try_files $uri @app_server; +} + +location /posts { + limit_req zone=posts burst=20; + limit_req_status 429; + try_files $uri @app_server; +} + +location /data { + valid_referers none *.donmai.us donmai.us ~\.google\. ~\.bing\. ~\.yahoo\.; + + if ($invalid_referer) { + return 403; + } + + rewrite ^/data/sample/__.+?__(.+) /data/sample/$1 last; + rewrite ^/data/__.+?__(.+) /data/$1 last; + + expires max; + break; +} + +location /maintenance.html { + expires 10; +} + +if (-f $document_root/maintenance.html) { + return 503; +} + +if ($http_user_agent ~ (WinHttp\.WinHttpRequest\.5) ) { + return 403; +} + +location @maintenance { + rewrite ^(.*)$ /maintenance.html last; +} + +location @app_server { + proxy_pass http://app_server; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_redirect off; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; +} + +location / { + try_files $uri @app_server; +} diff --git a/script/install/nginx/nginx.conf b/script/install/nginx/nginx.conf new file mode 100644 index 000000000..f8d9b7e99 --- /dev/null +++ b/script/install/nginx/nginx.conf @@ -0,0 +1,82 @@ +user www-data; +worker_processes auto; +pid /var/run/nginx.pid; + +events { + use epoll; + worker_connections 10000; + multi_accept on; + accept_mutex on; +} + +http { + limit_req_zone $binary_remote_addr zone=users:10m rate=5r/s; + limit_req_zone $binary_remote_addr zone=posts:100m rate=10r/s; + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 5; + types_hash_max_size 2048; + # server_tokens off; + + server_names_hash_bucket_size 128; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # Logging Settings + ## + + access_log off; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + gzip_http_version 1.1; + gzip_vary on; + gzip_comp_level 5; + gzip_proxied any; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/rss+xml text/javascript application/atom+xml; + + # curl https://www.cloudflare.com/ips-v4 | sort + set_real_ip_from 103.21.244.0/22; + set_real_ip_from 103.22.200.0/22; + set_real_ip_from 103.31.4.0/22; + set_real_ip_from 104.16.0.0/12; + set_real_ip_from 108.162.192.0/18; + set_real_ip_from 131.0.72.0/22; + set_real_ip_from 141.101.64.0/18; + set_real_ip_from 162.158.0.0/15; + set_real_ip_from 172.64.0.0/13; + set_real_ip_from 173.245.48.0/20; + set_real_ip_from 188.114.96.0/20; + set_real_ip_from 190.93.240.0/20; + set_real_ip_from 197.234.240.0/22; + set_real_ip_from 198.41.128.0/17; + set_real_ip_from 199.27.128.0/21; + + # curl https://www.cloudflare.com/ips-v4 | sort + set_real_ip_from 2400:cb00::/32; + set_real_ip_from 2606:4700::/32; + set_real_ip_from 2803:f800::/32; + set_real_ip_from 2405:b500::/32; + set_real_ip_from 2405:8100::/32; + set_real_ip_from 2a06:98c0::/29; + set_real_ip_from 2c0f:f248::/32; + + real_ip_header CF-Connecting-IP; + + include /etc/nginx/sites-enabled/*.conf; +} diff --git a/script/install/nginx/sites-enabled/danbooru.conf b/script/install/nginx/sites-enabled/danbooru.conf new file mode 100644 index 000000000..30d19cda3 --- /dev/null +++ b/script/install/nginx/sites-enabled/danbooru.conf @@ -0,0 +1,68 @@ +server { + listen 443 ssl http2 default_server; + server_name danbooru.donmai.us; + + ssl_certificate /etc/nginx/ssl/danbooru.chain.pem; + ssl_certificate_key /etc/nginx/ssl/danbooru.key; + + include /etc/nginx/conf.d/common.conf; +} + +server { + listen 443 ssl http2; + server_name safebooru.donmai.us; + + ssl_certificate /etc/nginx/ssl/safebooru.chain.pem; + ssl_certificate_key /etc/nginx/ssl/safebooru.key; + + include /etc/nginx/conf.d/common.conf; +} + +server { + listen 443 ssl http2; + server_name kagamihara.donmai.us; + + ssl_certificate /etc/letsencrypt/live/kagamihara.donmai.us/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/kagamihara.donmai.us/privkey.pem; # managed by Certbot + + include /etc/nginx/conf.d/common.conf; +} + +server { + listen 443 ssl http2; + server_name saitou.donmai.us; + + ssl_certificate /etc/letsencrypt/live/saitou.donmai.us/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/saitou.donmai.us/privkey.pem; # managed by Certbot + + include /etc/nginx/conf.d/common.conf; +} + +server { + listen 443 ssl http2; + server_name shima.donmai.us; + + ssl_certificate /etc/letsencrypt/live/shima.donmai.us/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/shima.donmai.us/privkey.pem; # managed by Certbot + + include /etc/nginx/conf.d/common.conf; +} + +# redirect HTTP to HTTPS. +server { + listen 80; + server_name safebooru.donmai.us danbooru.donmai.us kagamihara.donmai.us saitou.donmai.us shima.donmai.us; + return 301 https://$host$request_uri; +} + +# redirect donmai.us and www.donmai.us to danbooru.donmai.us. +server { + listen 80; + listen 443 ssl; + server_name donmai.us www.donmai.us; + return 301 https://danbooru.donmai.us$request_uri; +} + +upstream app_server { + server unix:/tmp/.unicorn.sock fail_timeout=0; +}