diff options
| author | Dmitry Rokosov <rockosov@rulkc.org> | 2026-05-21 23:41:51 +0300 |
|---|---|---|
| committer | Dmitry Rokosov <rockosov@rulkc.org> | 2026-05-21 23:41:51 +0300 |
| commit | b06886bab783a8e4f3c154ae5d9ca1ad7af58df4 (patch) | |
| tree | f208b660d82977a16a6270969d111425c8ecf271 | |
| parent | 25f7cb7beb66b39a7493c41d3876fcb44307b3e0 (diff) | |
| download | config-b06886bab783a8e4f3c154ae5d9ca1ad7af58df4.tar.gz config-b06886bab783a8e4f3c154ae5d9ca1ad7af58df4.zip | |
Provide nginx configurations
We have the following sites based on nginx:
- landau.one
- git.rulkc.org
- beta.landau.one
Signed-off-by: Dmitry Rokosov <rockosov@rulkc.org>
| -rw-r--r-- | git.rulkc.org/nginx/beta.landau.one | 77 | ||||
| -rw-r--r-- | git.rulkc.org/nginx/git.rulkc.org | 52 | ||||
| -rw-r--r-- | git.rulkc.org/nginx/landau.one | 80 |
3 files changed, 209 insertions, 0 deletions
diff --git a/git.rulkc.org/nginx/beta.landau.one b/git.rulkc.org/nginx/beta.landau.one new file mode 100644 index 0000000..714c75f --- /dev/null +++ b/git.rulkc.org/nginx/beta.landau.one @@ -0,0 +1,77 @@ +server { + server_name beta.landau.one; + listen 443 ssl http2; # managed by Certbot + + root /home/landaudeploy/landau_suite/deploy/public; + disable_symlinks off; + index index.html; + + server_tokens off; + charset utf-8; + + access_log /var/log/nginx/landau.one.beta.access.log; + error_log /var/log/nginx/landau.one.beta.error.log warn; + + # Security headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always; + # При необходимости: CSP. Начни с report-only, чтобы не сломать рендер. + # add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self'" always; + + # Сжатие + gzip on; + gzip_vary on; + gzip_comp_level 6; + gzip_min_length 1024; + gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss image/svg+xml; + # Если сборка nginx с brotli — включи и его (brotli on; brotli_types ...) + + location ~ ^/preview/([^/]+)/ { + alias /home/landaudeploy/landau_suite/deploy/$1/; + index index.html; + try_files $uri $uri/ =404; + } + + # Чистые URL: /about -> /about.html + location / { + try_files $uri $uri/ $uri.html =404; + } + + # Кеш для хешированных ассетов + location ~* \.(?:css|js|woff2?|ttf|otf|eot|svg|jpg|jpeg|png|gif|webp|avif|ico)$ { + expires 1m; + add_header Cache-Control "no-cache"; + access_log off; + try_files $uri =404; + } + + # HTML и корневые манифесты — всегда свежие + location ~* \.(?:html|xml|txt|json|webmanifest)$ { + expires -1; + add_header Cache-Control "no-cache"; + } + + # Запрет скрытых файлов + location ~ /\.(?!well-known) { + deny all; + access_log off; + log_not_found off; + } + + ssl_certificate /etc/letsencrypt/live/git.rulkc.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/git.rulkc.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +server { + if ($host = beta.landau.one) { + return 301 https://$host$request_uri; + } # managed by Certbot + listen 80; + server_name beta.landau.one; + return 404; # managed by Certbot +} diff --git a/git.rulkc.org/nginx/git.rulkc.org b/git.rulkc.org/nginx/git.rulkc.org new file mode 100644 index 0000000..967a847 --- /dev/null +++ b/git.rulkc.org/nginx/git.rulkc.org @@ -0,0 +1,52 @@ +server { + server_name git.rulkc.org; + + root /usr/share/cgit; + try_files $uri @cgit; + + # Web interface: URLs with trailing slash (browsing) + location ~ ^/(pub/scm/.*\.git)/$ { + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $query_string; + fastcgi_pass unix:/run/fcgiwrap.socket; + } + + # Git clone operations: URLs without trailing slash + location ~ ^/(pub/scm/.*\.git)$ { + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; + fastcgi_param GIT_HTTP_EXPORT_ALL ""; + fastcgi_param GIT_PROJECT_ROOT /var/lib/git; + fastcgi_param PATH_INFO $uri; + fastcgi_pass unix:/run/fcgiwrap.socket; + } + + location @cgit { + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $query_string; + fastcgi_pass unix:/run/fcgiwrap.socket; + } + + listen 443 ssl http2; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/git.rulkc.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/git.rulkc.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + + +} +server { + if ($host = git.rulkc.org) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + server_name git.rulkc.org; + return 404; # managed by Certbot +} diff --git a/git.rulkc.org/nginx/landau.one b/git.rulkc.org/nginx/landau.one new file mode 100644 index 0000000..0e246e6 --- /dev/null +++ b/git.rulkc.org/nginx/landau.one @@ -0,0 +1,80 @@ +server { + server_name landau.one www.landau.one; + listen 443 ssl http2; # managed by Certbot + + root /var/www/landau.one; + #try_files $uri; + + index index.html; + + server_tokens off; + charset utf-8; + + access_log /var/log/nginx/landau.one.access.log; + error_log /var/log/nginx/landau.one.error.log warn; + + # Security headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always; + # При необходимости: CSP. Начни с report-only, чтобы не сломать рендер. + # add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self'" always; + + # Сжатие + gzip on; + gzip_vary on; + gzip_comp_level 6; + gzip_min_length 1024; + gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss image/svg+xml; + # Если сборка nginx с brotli — включи и его (brotli on; brotli_types ...) + + # Чистые URL: /about -> /about.html + location / { + try_files $uri $uri/ $uri.html =404; + } + + # Кеш для хешированных ассетов + location ~* \.(?:css|js|woff2?|ttf|otf|eot|svg|jpg|jpeg|png|gif|webp|avif|ico)$ { + expires 1d; + add_header Cache-Control "public, immutable"; + access_log off; + try_files $uri =404; + } + + # HTML и корневые манифесты — всегда свежие + #location ~* \.(?:html|xml|txt|json|webmanifest)$ { + # expires -1; + # add_header Cache-Control "no-cache"; + #} + + # Запрет скрытых файлов + location ~ /\.(?!well-known) { + deny all; + access_log off; + log_not_found off; + } + ssl_certificate /etc/letsencrypt/live/git.rulkc.org/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/git.rulkc.org/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + + + + +} +server { + if ($host = landau.one) { + return 301 https://$host$request_uri; + } # managed by Certbot + if ($host = www.landau.one) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + listen 80; + server_name landau.one www.landau.one; + return 404; # managed by Certbot +} |
