From 459942c34fd24d4755aad756bbb80c36e9f73e25 Mon Sep 17 00:00:00 2001
From: nutra-bot
Date: Tue, 18 Apr 2023 00:05:19 +0000
Subject: [PATCH] restore old config

---
 etc/nginx/conf.d/default.conf | 161 ++++++++++++++++++++++++---------
 etc/nginx/conf.d/fowarded.conf | 37 ++++++++
 etc/nginx/proxy_params | 4 +
 3 files changed, 161 insertions(+), 41 deletions(-)
 create mode 100644 etc/nginx/conf.d/fowarded.conf
 create mode 100644 etc/nginx/proxy_params

diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
index ff2ced6..ab0a8ed 100644
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
@@ -1,44 +1,123 @@
+upstream dev.nutra.tk {
+ keepalive 100;
+ server 127.0.0.1:20000;
+ # server unix:/tmp/sanic.sock;
+}
+
 server {
- listen 80;
- server_name localhost;
-
- #access_log /var/log/nginx/host.access.log main;
-
- location / {
- root /usr/share/nginx/html;
- index index.html index.htm;
- }
-
- #error_page 404 /404.html;
-
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
-
- # proxy the PHP scripts to Apache listening on 127.0.0.1:80
- #
- #location ~ \.php$ {
- # proxy_pass http://127.0.0.1;
- #}
-
- # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
- #
- #location ~ \.php$ {
- # root html;
- # fastcgi_pass 127.0.0.1:9000;
- # fastcgi_index index.php;
- # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
- # include fastcgi_params;
- #}
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
+ server_name dev.nutra.tk;
+ # listen 80 default_server;
+ # listen [::]:80 ipv6only=on;
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl ipv6only=on; # managed by Certbot
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
+ # ssl_protocols TLSv1 TLSv1.1; # support legacy browsers
+ # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+
+ client_max_body_size 50m;
+
+ # React app (base URL)
+ location / {
+ root /var/www/app;
+ index index.html;
+ #try_files $uri $uri/ /index.html =404;
+ }
+
+
+ # Blog / Sphinx
+ location /blog {
+ alias /var/www/blog;
+ index index.html;
+ }
+
+
+ # Sanic
+ location /api/ {
+ proxy_pass http://$server_name;
+ # Allow fast streaming HTTP/1.1 pipes (keep-alive, unbuffered)
+ proxy_http_version 1.1;
+ proxy_request_buffering off;
+ proxy_buffering off;
+ # Proxy forwarding (password configured in app.config.FORWARDED_SECRET)
+ proxy_set_header forwarded "$proxy_forwarded;secret=\"REDACTED\"";
+ # Allow websockets and keep-alive (avoid connection: close)
+ proxy_set_header connection "upgrade";
+ proxy_set_header upgrade $http_upgrade;
+ }
+
+
+# # New chat (matrix / element)
+# location ~ /v2/chat/ {
+# proxy_pass http://127.0.0.1:8008;
+# proxy_set_header X-Forwarded-For $remote_addr;
+# }
+
+ # default favicon
+ location = /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+
+
+ # Other
+ location ~ /.well-known {
+ allow all;
+ }
+
+
+ # HTTPS / SSL
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+
+# Open matrix chat on 8448
+#server {
+# listen 8448 ssl default_server;
+# listen [::]:8448 ssl default_server;
+# server_name dev.nutra.tk;
+#
+# location / {
+# proxy_pass http://127.0.0.1:8008;
+# proxy_set_header X-Forwarded-For $remote_addr;
+# }
+#
+# # HTTPS / SSL
+# ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; # managed by Certbot
+# ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot
+# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+#}
+
+
+# Redirect all HTTP to HTTPS with no-WWW
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name ~^(?:www\.)?(.*)$;
+ return 301 https://$1$request_uri;
 }
+
+# Redirect WWW to no-WWW
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ~^www\.(.*)$;
+ return 301 $scheme://$1$request_uri;
+}
+
+
+# TODO: if is evil
+# https://wordpress.org/support/article/nginx/
+# http://wiki.nginx.org/IfIsEvil
+#server {
+# if ($host = dev.nutra.tk) {
+# return 301 $scheme://$host$request_uri;
+# } # managed by Certbot
+#}
+
 
diff --git a/etc/nginx/conf.d/fowarded.conf b/etc/nginx/conf.d/fowarded.conf
new file mode 100644
index 0000000..7141d89
--- /dev/null
+++ b/etc/nginx/conf.d/fowarded.conf
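Review bot: In the port-80 catch-all server, `return 301 https://$1$request_uri;` takes `$1` from the `server_name ~^(?:www\.)?(.*)$` match against the client's Host header, so any name that lands on this `default_server` (a dangling CNAME pointing here, or a raw request with `Host: attacker.example`) is echoed back as the redirect target, i.e. a Host-header open redirect. If this listener only exists to upgrade this one site, redirect to the fixed name instead, `return 301 https://dev.nutra.tk$request_uri;`; the www→no-www server on 443 derives its target from `$1` the same way, though there an attacker would first need a certificate nginx would present for the www name. Separately, `location ~ /.well-known` is an unanchored regex with an unescaped `.`, and nginx tries regex locations before falling back to the longest plain prefix, so any URI containing `/.well-known` (or `/xwell-known`), including ones under `/api/`, is served from the inherited `/var/www/app` root instead of being proxied; `location ^~ /.well-known/ { root /var/www/app; }` confines it to the intended path, and the `allow all` inside is a no-op since no `deny` rules are visible in this file.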
@@ -0,0 +1,37 @@
+# RFC 7239 Forwarded header for Nginx proxy_pass
+
+# Add within your server or location block:
+# proxy_set_header forwarded "$proxy_forwarded;secret=\"YOUR SECRET\"";
+
+# Configure your upstream web server to identify this proxy by that password
+# because otherwise anyone on the Internet could spoof these headers and fake
+# their real IP address and other information to your service.
+
+
+# Provide the full proxy chain in $proxy_forwarded
+map $proxy_add_forwarded $proxy_forwarded {
+ default "$proxy_add_forwarded;by=\"_$hostname\";proto=$scheme;host=\"$http_host\";path=\"$request_uri\"";
+}
+
+# The following mappings are based on
+# https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
+
+map $remote_addr $proxy_forwarded_elem {
+ # IPv4 addresses can be sent as-is
+ ~^[0-9.]+$ "for=$remote_addr";
+
+ # IPv6 addresses need to be bracketed and quoted
+ ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+ # Unix domain socket names cannot be represented in RFC 7239 syntax
+ default "for=unknown";
+}
+
+map $http_forwarded $proxy_add_forwarded {
+ # If the incoming Forwarded header is syntactically valid, append to it
+ "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+ # Otherwise, replace it
+ default "$proxy_forwarded_elem";
+}
+
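Review bot: The `$proxy_forwarded` map splices `$request_uri` (and `$http_host`) raw into RFC 7239 quoted-strings, `host=\"$http_host\";path=\"$request_uri\"`, with no escaping, and as far as I can tell nginx passes `"` and `\` in the request-target through `$request_uri` unchanged, so a request line like `GET /x";for=1.2.3.4;a=" HTTP/1.1` closes the `path` quote early and appends attacker-chosen parameters to the very element that `default.conf` later tags with `secret=`; whether the upstream then prefers the injected `for=` over the genuine one depends on its parser, which is not visible here. Since `path` is not a parameter RFC 7239 defines anyway, the simplest fix is to drop `host=…;path=…` from the `default` value (the upstream already receives Host and the URI on the proxied request itself), or to route them through a second `map $request_uri` that only emits the `path=` parameter when the value contains neither `"` nor `\`. Minor: the file is named `fowarded.conf` while everything it defines is spelled `forwarded`; worth renaming before anything starts including it by name.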
diff --git a/etc/nginx/proxy_params b/etc/nginx/proxy_params
new file mode 100644
index 0000000..df75bc5
--- /dev/null
+++ b/etc/nginx/proxy_params
@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
-- 
2.52.0
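Review bot: Nothing in this patch `include`s `proxy_params` (the `/api/` location in `default.conf` sets its headers inline and relies on the secret-tagged RFC 7239 `forwarded` header instead), so the file appears unused as committed. If it is included for another upstream later, keep in mind that `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever `X-Forwarded-For` the client already sent, so that upstream must read the last entry (or use `X-Real-IP`, which this file sets from `$remote_addr` directly) rather than the first, otherwise a client can choose its own apparent source address — the same spoofing concern the comment in `fowarded.conf` describes. A header comment such as `# Legacy X-Forwarded-* headers (unauthenticated); the Sanic upstream uses the secret-tagged forwarded header from fowarded.conf instead` would make the intended use and its limits explicit.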