forked from wanderer/pwt-0x01-ng
surtur
7abdd05701
* setup considers deploying on dotya.ml but this can easily be changed * [skip ci]
100 lines
3.4 KiB
Plaintext
100 lines
3.4 KiB
Plaintext
upstream pwt {
|
|
server 127.0.0.1:8001;
|
|
}
|
|
|
|
server {
|
|
return 301 https://pwt.dotya.ml$request_uri;
|
|
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name pwt.dotya.ml;
|
|
return 404;
|
|
|
|
add_header Referrer-Policy "no-referrer, origin-when-cross-origin";
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header X-Robots-Tag none;
|
|
add_header X-Real-IP $remote_addr;
|
|
add_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
add_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
server {
|
|
server_name pwt.dotya.ml;
|
|
|
|
access_log /var/log/nginx/pwt.dotya.ml.access.log;
|
|
error_log /var/log/nginx/pwt.dotya.ml.error.log;
|
|
|
|
expires $expires;
|
|
etag on;
|
|
brotli on;
|
|
brotli_static on;
|
|
brotli_types *;
|
|
|
|
if ($http_user_agent ~* SemrushBot|morfeus) {
|
|
return 302 your-script-kiddie-box;
|
|
}
|
|
error_page 302 @blackhole;
|
|
|
|
location @blackhole {
|
|
add_header MESSAGE "YOU ALL SUCK D*CK";
|
|
add_header Retry-after "your script dies";
|
|
return 200;
|
|
}
|
|
|
|
location / {
|
|
proxy_pass http://pwt;
|
|
}
|
|
location = /robots.txt {
|
|
allow all;
|
|
add_header Content-Type "text/plain; charset=utf-8";
|
|
add_header X-Robots-Tag "none";
|
|
return 200 "User-agent: *\nDisallow: /";
|
|
}
|
|
|
|
add_header Content-Security-Policy "default-src 'none'; manifest-src 'self'; font-src 'self' https: blob:; img-src 'self'; script-src 'self' https: 'sha256-BU6NaT/mFkOb6wlKw9aAUV4i5MFr/Z/IFLIYAVFkmxQ=' 'sha256-V1j096ud9m6h5KncKkiAplx22jz14i0avalMtHLMFPs=' 'sha256-ggCJb9MSbkFha0PX0DCP2JxSZ4Vyz95IZKhP9nHXES8='; style-src 'self' https:; object-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';";
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
|
|
add_header Feature-Policy "geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'self'; payment 'none';";
|
|
add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header X-Robots-Tag none;
|
|
add_header X-Real-IP $remote_addr;
|
|
add_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
add_header X-Forwarded-Proto $scheme;
|
|
|
|
listen [::]:443 ssl http2;
|
|
listen 443 ssl http2;
|
|
ssl_certificate /etc/letsencrypt/live/pwt.dotya.ml/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/pwt.dotya.ml/privkey.pem;
|
|
include /etc/letsencrypt/options-ssl-nginx.conf;
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
|
}
|
|
|
|
server {
|
|
if ($host = www.pwt.dotya.ml) {
|
|
return 301 https://pwt.dotya.ml$request_uri;
|
|
}
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name www.pwt.dotya.ml;
|
|
return 404;
|
|
|
|
add_header Referrer-Policy "no-referrer, origin-when-cross-origin, strict-origin-when-cross-origin";
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header X-Robots-Tag none;
|
|
add_header X-Real-IP $remote_addr;
|
|
add_header X-Forwarded-For $remote_addr;
|
|
|
|
listen [::]:443 ssl http2;
|
|
listen 443 ssl http2;
|
|
ssl_certificate /etc/letsencrypt/live/pwt.dotya.ml/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/pwt.dotya.ml/privkey.pem;
|
|
include /etc/letsencrypt/options-ssl-nginx.conf;
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
|
}
|