Diffstat (limited to 'usr')
-rw-r--r-- | usr/local/etc/nginx/nginx.conf | 192 | ||||
-rw-r--r-- | usr/local/etc/pf.conf | 60 |
2 files changed, 252 insertions, 0 deletions
diff --git a/usr/local/etc/nginx/nginx.conf b/usr/local/etc/nginx/nginx.conf
new file mode 100644
index 0000000..2cfd861
--- /dev/null
+++ b/usr/local/etc/nginx/nginx.conf
@@ -0,0 +1,192 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ gzip on;
+ gzip_vary on;
+ gzip_min_length 1024;
+ gzip_proxied expired no-cache no-store private auth;
+
+ server{
+ server_name jozanofastora.xyz;
+ root /usr/local/www/jozan;
+ index index.html;
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ location ~ /\.ht {
+ deny all;
+ }
+ error_page 403 /403.html;
+ location = /403.html {
+ root /usr/local/www/jozan/err;
+ }
+ error_page 404 /404.html;
+ location = /404.html {
+ root /usr/local/www/jozan/err;
+ }
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+ server{
+ server_name gitjoe.xyz git.jozanofastora.xyz;
+ root /usr/local/www/gitjoe;
+ index index.html;
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ location ~ /\.ht {
+ deny all;
+ }
+ error_page 403 /403.html;
+ location = /403.html {
+ root /usr/local/www/gitjoe/err;
+ }
+ error_page 404 /404.html;
+ location = /404.html {
+ root /usr/local/www/gitjoe/err;
+ }
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/local/www/nginx-dist;
+ }
+
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+}
+
+ server {
+ listen 80;
+ server_name cgit.gitjoe.xyz;
+ root /usr/local/www/cgit;
+
+ # Serve static files with nginx
+ location ~* ^.+(cgit.(css|png)|favicon.ico|robots.txt) {
+ root /usr/share/webapps/cgit;
+ expires 30d;
+ }
+ location / {
+ try_files $uri @cgit;
+ }
+ location @cgit {
+ gzip off;
+ include uwsgi_params;
+ uwsgi_modifier1 9;
+ uwsgi_pass unix:/var/run/uwsgi/cgit.sock;
+ }
+ }
+
+ server {
+ server_name fossil.jozanofastora.xyz;
+ index index.html;
+ root /usr/local/www/fossiljoe;
+
+ # Bypass Fossil for the static documentation generated from
+ # our source code by Doxygen, so it merges into the embedded
+ # doc URL hierarchy at Fossil’s $ROOT/doc without requiring that
+ # these generated files actually be stored in the repo. This
+ # also lets us set aggressive caching on these docs, since
+ # they rarely change.
+ location /code/doc/html {
+ root /usr/local/www/fossiljoe;
+
+ location ~* \.(html|ico|css|js|gif|jpg|png)$ {
+ expires 7d;
+ add_header Vary Accept-Encoding;
+ access_log off;
+ }
+ }
+ # Redirect everything else to the Fossil instance
+ location /code {
+ include scgi_params;
+ scgi_param SCRIPT_NAME "/code";
+ scgi_pass 127.0.0.1:12345;
+ }
+
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /usr/local/etc/letsencrypt/live/jozanofastora.xyz-0001/privkey.pem; # managed by Certbot
+ include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Ce/srvrtbot
+ ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Cert/srvbot
+
+ }
+
+
+server{
+ if ($host = git.jozanofastora.xyz) {
+ return 301 https://gitjoe.xyz$request_uri;
+ } # managed by Certbot
+
+ if ($host = www.gitjoe.xyz) {
+ return 301 https://gitjoe.xyz$request_uri;
+ } # managed by Certbot
+
+ if ($host = gitjoe.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ server_name gitjoe.xyz;
+ listen 80;
+ return 404; # managed by Certbot
+
+
+
+
+}
+
+server{
+ if ($host = www.jozanofastora.xyz) {
+ return 301 https://jozanofastora.xyz$request_uri;
+ } # managed by Certbot
+
+ if ($host = jozanofastora.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ server_name jozanofastora.xyz;
+ listen 80;
+ return 404; # managed by Certbot
+
+
+}
+
+server {
+ if ($host = fossil.jozanofastora.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ server_name fossil.jozanofastora.xyz;
+ listen 80;
+ return 404; # managed by Certbot
+
+
+}
+}
diff --git a/usr/local/etc/pf.conf b/usr/local/etc/pf.conf
new file mode 100644
index 0000000..1838656
--- /dev/null
+++ b/usr/local/etc/pf.conf
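Review bot: The `cgit.gitjoe.xyz` server block is the only vhost that listens on port 80 alone, with no `listen 443 ssl` counterpart and no redirect, so the cgit UI and whatever the uwsgi backend serves are reachable over plain HTTP while every other host in this file is forced to HTTPS; give it a TLS block with the same Certbot lines (assuming the certificate covers that name) and reduce the port-80 block to `return 301 https://$host$request_uri;`. The `location ~ /\.ht { deny all; }` in the three static vhosts only hides `.htaccess`-style files, and with `try_files $uri $uri/` under `/usr/local/www/...` any other dotfile (a stray `.git/config`, for instance) would be served, so broaden it to `location ~ /\. { deny all; }`. Nothing sets `Strict-Transport-Security`, and as far as I know the stock Certbot `options-ssl-nginx.conf` does not add it, so the 301s are the only thing steering clients to TLS; `add_header Strict-Transport-Security "max-age=63072000" always;` in each 443 block would close that gap once every host serves TLS. The fossil vhost's Certbot lines read `# managed by Ce/srvrtbot` and `# managed by Cert/srvbot`, which look like stray edits; nginx ignores comment text, but Certbot may key on the exact `# managed by Certbot` marker when it rewrites these lines at renewal, so restore it.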
@@ -0,0 +1,60 @@
+## Set public interface ##
+ext_if="vtnet0"
+
+## set and drop IP ranges on the public interface ##
+martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
+ 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
+ 0.0.0.0/8, 240.0.0.0/4 }"
+
+table <spamd> persist
+table <spamd-allow> persist
+
+# Allowed webmail services
+table <webmail> persist file "/usr/local/etc/pf.webmail.ip.conf"
+
+## Skip loop back interface - Skip all PF processing on interface ##
+set skip on lo
+
+## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
+set loginterface $ext_if
+
+# Deal with attacks based on incorrect handling of packet fragments
+scrub in all
+
+
+# Pass spamd allow list
+pass quick log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
+ -> 127.0.0.1 port 25
+# Pass webmail servers
+rdr pass quick log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \
+ -> 127.0.0.1 port 25
+# pass submission messages.
+pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state
+# Pass unknown mail to spamd
+rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
+ -> 127.0.0.1 port 8025
+
+## Blocking spoofed packets
+antispoof quick for $ext_if
+
+## Set default policy ##
+block return in log all
+block out all
+
+# Drop all Non-Routable Addresses
+block drop in quick on $ext_if from $martians to any
+block drop out quick on $ext_if from any to $martians
+
+pass in inet proto tcp to $ext_if port ssh
+
+# Allow Ping-Pong stuff. Be a good sysadmin
+pass inet proto icmp icmp-type echoreq
+
+# Open up imap/pop3 support
+pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state
+
+
+# Allow outgoing traffic
+pass out on $ext_if proto tcp from any to any modulate state
+pass out on $ext_if proto udp from any to any keep state
+pass quick on $ext_if from any to any port http
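Review bot: The first mail rule, `pass quick log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp -> 127.0.0.1 port 25`, attaches a redirect target to a plain `pass` rule, which is not valid in the `rdr pass` syntax the rest of the file uses, and the rule after it matches `from <gmail>`, a table this file never declares (it declares `<webmail>`); as written I would expect pfctl to reject the ruleset, so the first rule should begin `rdr pass` and the second should reference `<webmail>`. The `pass quick ... port submission modulate state` filter rule sits between two `rdr` translation rules, which on FreeBSD's pf (the `/usr/local/etc` paths and `vtnet0` suggest that platform) trips the rules-must-be-in-order check; move it below the `block` defaults. Nothing passes inbound 443 even though the nginx.conf in this same commit serves every vhost on `listen 443 ssl`, and the final `pass quick on $ext_if from any to any port http` has no `proto`, which I believe pfctl rejects because a port only applies to TCP/UDP; replace it with `pass in quick on $ext_if proto tcp from any to $ext_if port { http, https }`. The quick mail passes also precede `antispoof quick for $ext_if` and the `$martians` drops, so a spoofed-source SMTP or submission packet is accepted before those checks run; the antispoof and martian rules belong at the top of the filter section. Exposing ssh, `imap` and `pop3` from `any` is a policy choice rather than a defect, but a `max-src-conn-rate` overload table on the ssh rule and dropping the plaintext `imap`/`pop3` ports if only the TLS variants are meant to be public would tighten it.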