From: nutra-bot Date: Wed, 24 Dec 2025 09:57:31 +0000 (+0000) Subject: track stuff X-Git-Url: https://git.nutra.tk/v1?a=commitdiff_plain;h=40a6ec8efd67f227c0f8c6afd34d2b60b31891e2;p=nutratech%2Fvps-root.git track stuff --- diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf new file mode 100644 index 0000000..c661fac --- /dev/null +++ b/etc/nginx/conf.d/default.conf @@ -0,0 +1,87 @@ +# Redirect all HTTP to HTTPS with no-WWW +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name ~^(?:www\.)?(.*)$; + return 301 https://$1$request_uri; +} + +# API +server { + server_name api.nutra.tk; + #listen 80; + listen 443 ssl http2; + # HSTS + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + + # Sanic + location / { + proxy_pass http://127.0.0.1:20000; # API server + # Allow fast streaming HTTP/1.1 pipes (keep-alive, unbuffered) + proxy_http_version 1.1; + proxy_request_buffering off; + proxy_buffering off; + # Proxy forwarding (password configured in app.config.FORWARDED_SECRET) + proxy_set_header forwarded "$proxy_forwarded;secret=\"REDACTED\""; + # Allow websockets and keep-alive (avoid connection: close) + proxy_set_header connection "upgrade"; + proxy_set_header upgrade $http_upgrade; + } + + # default favicon + location /favicon.ico { + alias /var/www/favicon.gif; + } +} + +# UI, blog, favicon, default server +server { + server_name nutra.tk; + #listen 80 default_server; + #listen [::]:80 ipv6only=on; + listen 443 ssl http2 default_server; + listen [::]:443 ssl ipv6only=on; # managed by Certbot + # HSTS + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; + + client_max_body_size 50m; + + # React app (base URL) + location / { + #return 302 https://$host/api$request_uri; + root /var/www/app; + index index.html; + #try_files $uri $uri/ /index.html =404; + } + + # Blog / Sphinx + location /blog { + alias /var/www/blog; + index index.html; + } + + # default favicon + location = /favicon.ico { + alias /var/www/favicon.gif; + } + + # Other + location ~ /.well-known { + allow all; + } + + # HTTPS / SSL + ssl_certificate /etc/letsencrypt/live/nutra.tk/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/nutra.tk/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + # TODO: better redirect based on server, not if? + if ($host = www.nutra.tk) { + return 301 https://nutra.tk$request_uri; + } +} diff --git a/etc/nginx/conf.d/forwarded.conf b/etc/nginx/conf.d/forwarded.conf new file mode 100644 index 0000000..7141d89 --- /dev/null +++ b/etc/nginx/conf.d/forwarded.conf @@ -0,0 +1,37 @@ +# RFC 7239 Forwarded header for Nginx proxy_pass + +# Add within your server or location block: +# proxy_set_header forwarded "$proxy_forwarded;secret=\"YOUR SECRET\""; + +# Configure your upstream web server to identify this proxy by that password +# because otherwise anyone on the Internet could spoof these headers and fake +# their real IP address and other information to your service. + + +# Provide the full proxy chain in $proxy_forwarded +map $proxy_add_forwarded $proxy_forwarded { + default "$proxy_add_forwarded;by=\"_$hostname\";proto=$scheme;host=\"$http_host\";path=\"$request_uri\""; +} + +# The following mappings are based on +# https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ + +map $remote_addr $proxy_forwarded_elem { + # IPv4 addresses can be sent as-is + ~^[0-9.]+$ "for=$remote_addr"; + + # IPv6 addresses need to be bracketed and quoted + ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\""; + + # Unix domain socket names cannot be represented in RFC 7239 syntax + default "for=unknown"; +} + +map $http_forwarded $proxy_add_forwarded { + # If the incoming Forwarded header is syntactically valid, append to it + "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem"; + + # Otherwise, replace it + default "$proxy_forwarded_elem"; +} + diff --git a/var/spool/cron/crontabs/root b/var/spool/cron/crontabs/root new file mode 100644 index 0000000..c8a3e15 --- /dev/null +++ b/var/spool/cron/crontabs/root @@ -0,0 +1,28 @@ +# DO NOT EDIT THIS FILE - edit the master and reinstall. +# (/tmp/crontab.K8RTD8/crontab installed on Wed Dec 24 09:52:40 2025) +# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $) +# Edit this file to introduce tasks to be run by cron. +# +# Each task to run has to be defined through a single line +# indicating with different fields when the task will be run +# and what command to run for the task +# +# To define the time you can provide concrete values for +# minute (m), hour (h), day of month (dom), month (mon), +# and day of week (dow) or use '*' in these fields (for 'any'). +# +# Notice that tasks will be started based on the cron's system +# daemon's notion of time and timezones. +# +# Output of the crontab jobs (including errors) is sent through +# email to the user the crontab file belongs to (unless redirected). +# +# For example, you can run a backup of all your user accounts +# at 5 a.m every week with: +# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/ +# +# For more information see the manual pages of crontab(5) and cron(8) +# +# m h dom mon dow command +0 0,12 * * * /opt/certbot/bin/certbot renew -q +