~sircmpwn/sr.ht-nginx

sr.ht-nginx/meta.sr.ht.conf -rw-r--r-- 2.4 KiB
e71e2079Drew DeVault builds.sr.ht: correct API port a month ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
server {
	listen 80;
	listen [::]:80;
	server_name meta.sr.ht;

	location / {
		return 302 https://$server_name$request_uri;
	}

	location ^~ /.well-known {
		root /var/www;
	}

	location = /robots.txt {
		root /var/www;
	}
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name meta.sr.ht;
	ssl_certificate /etc/ssl/uacme/meta.sr.ht/cert.pem;
	ssl_certificate_key /etc/ssl/uacme/private/meta.sr.ht/key.pem;

	add_header X-Clacks-Overhead "GNU Terry Pratchett";
	add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
	# Fuck you, Google, I don't spy on my users
	add_header Permissions-Policy interest-cohort=();

	gzip on;
	gzip_types text/css text/html;

	location / {
		proxy_pass http://127.0.0.1:5000;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;
	}

	location /static {
		root /usr/lib/python3.8/site-packages/metasrht;
		expires 30d;
	}

	location ^~ /.well-known {
		root /var/www;
	}

	location /query {
		proxy_pass http://127.0.0.1:5100;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto https;
		if ($request_method = 'OPTIONS') {
			add_header 'Access-Control-Allow-Origin' '*';
			add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
			add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
			add_header 'Access-Control-Max-Age' 1728000;
			add_header 'Content-Type' 'text/plain; charset=utf-8';
			add_header 'Content-Length' 0;
			return 204;
		}

	        add_header 'Access-Control-Allow-Origin' '*';
        	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        	add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        	add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
	}

	location = /robots.txt {
		root /var/www;
	}
}