-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathef.gy.nginx
189 lines (144 loc) · 5.19 KB
/
ef.gy.nginx
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
# This is the configuration file for http://ef.gy/
# Evidently, this server is running nginx with the native XSLT processor.
map $http_host $preferredScheme {
default "http";
~^ef.gy$ "https";
}
map $http_host $hostnameproper {
default "ef.gy";
~onion$ "vturtipc7vmz6xjy.onion";
}
map $http_host $sts {
default "max-age=10886400; includeSubDomains; preload";
~onion$ "";
}
map $http_dnt $dnt {
default "nodnt";
1 "dnt";
}
map $http_user_agent $capa {
default "default";
~Feedly "dumb";
}
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server {
listen 80;
listen [::]:80;
server_name *.ef.gy;
return 301 https://ef.gy$request_uri;
}
server {
listen 80 default;
listen [::]:80 default;
listen 443 ssl spdy;
listen [::]:443 ssl spdy;
server_name ef.gy;
server_name vturtipc7vmz6xjy.onion;
ssl_certificate /etc/letsencrypt/live/ef.gy/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ef.gy/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
gzip on;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain application/xml text/css text/html application/xhtml+xml application/javascript text/javascript application/x-javascript;
gzip_static on;
add_header Vary "Accept";
add_header Vary "Accept-Encoding";
add_header Content-Security-Policy "default-src blob: ef.gy 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' ajax.googleapis.com cdnjs.cloudflare.com cdn.mathjax.org apis.google.com code.jquery.com *.google.com *.gstatic.com; frame-src 'self' dee.pe www.youtube.com *.google.com jsfiddle.net *.radiomast.io; img-src 'self' 'unsafe-inline' ssl.gstatic.com code.jquery.com data:; font-src 'self' 'unsafe-inline' cdn.mathjax.org data: about:; style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com code.jquery.com";
add_header Strict-Transport-Security $sts;
add_header DNT $http_dnt;
add_header Pragma public;
add_header Cache-Control "public";
charset_types text/html application/xhtml+xml text/xml text/plain text/vnd.wap.wml application/javascript application/atom+xml;
charset utf-8;
set $documentRoot /srv/http/ef.gy;
root $documentRoot;
location /.well-known {
}
if ($preferredScheme != $scheme)
{
return 301 $preferredScheme://$http_host$request_uri;
}
if ($request_uri ~ \?.*$ )
{
rewrite ^/(.*)$ /$1? permanent;
}
if ($request_uri ~ ^/x?html/ )
{
rewrite ^/x?html/(.*)$ /$1 permanent;
}
rewrite ^/(fibreproduct.rss|rss/fibreproduct)$ http://stream.ef.gy/rss/fibreproduct permanent;
rewrite ^/(mobi|epub)/(.+)\.(epub|mobi)$ /$2 permanent;
rewrite ^/(pdf|mobi|epub|docbook)/(.+)$ /$2 permanent;
rewrite ^/svg/tesseract$ https://dee.pe/r permanent;
rewrite ^/(webgl/)?topologic(-web)?(.x?html)?$ https://dee.pe/r permanent;
rewrite ^/rss/(.+)$ /atom/$1 permanent;
# there's no more /target@collection for archive content anymore
rewrite ^/([^@/]+)@([^@/]+)$ $2 permanent;
rewrite ^(.*)/([^@]+)@([^@]+)$ $1/$3;
rewrite ^/source-code$ /about#source-code permanent;
location = /robots.txt {
}
location = /favicon.ico {
types { image/svg+xml ico; }
}
location /sitemap.xml {
alias $documentRoot/.cache/$hostnameproper/;
try_files sitemap.xml =404;
}
location / {
if ($uri ~ ^/\.git)
{
break;
}
rewrite ^/$ /site permanent;
# Google+ seems to choke on XHTML
if ($http_user_agent ~* Google)
{
rewrite ^(.*)$ /html$1 last;
}
if ($http_accept ~* application/xhtml\+xml)
{
rewrite ^(.*)$ /xhtml$1 last;
}
rewrite ^(.*)$ /html$1 last;
}
location /include/ef.gy {
rewrite ^/(.*) https://github.com/ef-gy/libefgy/tree/master$1 redirect;
}
location /.git {
error_page 403 /source-code;
}
location ~ /(?<type>css|jpeg|js|png|svg)/(?<file>.+) {
alias $documentRoot/.cache/$type/;
try_files $file.$type $file =404;
expires 1w;
}
location ~ /(?<type>atom)/(?<file>.+) {
alias $documentRoot/.cache/$hostnameproper/;
try_files $file.$capa.$type $file.$type $file =404;
types {
application/atom+xml atom;
}
expires 1h;
}
location /raw {
alias $documentRoot;
try_files $uri =404;
}
location /rasterised/svg {
alias $documentRoot/png/rasterised;
try_files $uri.png $uri =404;
}
location ~ /(?<type>x?html)/(?<file>.+) {
alias $documentRoot/.cache/$hostnameproper/;
try_files $file.$dnt.$type $file.$type $file.$dnt.xhtml $file.xhtml $file =404;
expires 3h;
}
location /documentation/ {
rewrite ^/documentation/(.*) https://documentation.ef.gy/$1 redirect;
}
}