summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--git.rulkc.org/nginx/beta.landau.one77
-rw-r--r--git.rulkc.org/nginx/git.rulkc.org52
-rw-r--r--git.rulkc.org/nginx/landau.one80
3 files changed, 209 insertions, 0 deletions
diff --git a/git.rulkc.org/nginx/beta.landau.one b/git.rulkc.org/nginx/beta.landau.one
new file mode 100644
index 0000000..714c75f
--- /dev/null
+++ b/git.rulkc.org/nginx/beta.landau.one
@@ -0,0 +1,77 @@
+server {
+ server_name beta.landau.one;
+ listen 443 ssl http2; # managed by Certbot
+
+ root /home/landaudeploy/landau_suite/deploy/public;
+ disable_symlinks off;
+ index index.html;
+
+ server_tokens off;
+ charset utf-8;
+
+ access_log /var/log/nginx/landau.one.beta.access.log;
+ error_log /var/log/nginx/landau.one.beta.error.log warn;
+
+ # Security headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+ # При необходимости: CSP. Начни с report-only, чтобы не сломать рендер.
+ # add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self'" always;
+
+ # Сжатие
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 6;
+ gzip_min_length 1024;
+ gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss image/svg+xml;
+ # Если сборка nginx с brotli — включи и его (brotli on; brotli_types ...)
+
+ location ~ ^/preview/([^/]+)/ {
+ alias /home/landaudeploy/landau_suite/deploy/$1/;
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+
+ # Чистые URL: /about -> /about.html
+ location / {
+ try_files $uri $uri/ $uri.html =404;
+ }
+
+ # Кеш для хешированных ассетов
+ location ~* \.(?:css|js|woff2?|ttf|otf|eot|svg|jpg|jpeg|png|gif|webp|avif|ico)$ {
+ expires 1m;
+ add_header Cache-Control "no-cache";
+ access_log off;
+ try_files $uri =404;
+ }
+
+ # HTML и корневые манифесты — всегда свежие
+ location ~* \.(?:html|xml|txt|json|webmanifest)$ {
+ expires -1;
+ add_header Cache-Control "no-cache";
+ }
+
+ # Запрет скрытых файлов
+ location ~ /\.(?!well-known) {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/git.rulkc.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/git.rulkc.org/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+ if ($host = beta.landau.one) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+ listen 80;
+ server_name beta.landau.one;
+ return 404; # managed by Certbot
+}
diff --git a/git.rulkc.org/nginx/git.rulkc.org b/git.rulkc.org/nginx/git.rulkc.org
new file mode 100644
index 0000000..967a847
--- /dev/null
+++ b/git.rulkc.org/nginx/git.rulkc.org
@@ -0,0 +1,52 @@
+server {
+ server_name git.rulkc.org;
+
+ root /usr/share/cgit;
+ try_files $uri @cgit;
+
+ # Web interface: URLs with trailing slash (browsing)
+ location ~ ^/(pub/scm/.*\.git)/$ {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+
+ # Git clone operations: URLs without trailing slash
+ location ~ ^/(pub/scm/.*\.git)$ {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /var/lib/git;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+
+ listen 443 ssl http2; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/git.rulkc.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/git.rulkc.org/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+
+}
+server {
+ if ($host = git.rulkc.org) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+ server_name git.rulkc.org;
+ return 404; # managed by Certbot
+}
diff --git a/git.rulkc.org/nginx/landau.one b/git.rulkc.org/nginx/landau.one
new file mode 100644
index 0000000..0e246e6
--- /dev/null
+++ b/git.rulkc.org/nginx/landau.one
@@ -0,0 +1,80 @@
+server {
+ server_name landau.one www.landau.one;
+ listen 443 ssl http2; # managed by Certbot
+
+ root /var/www/landau.one;
+ #try_files $uri;
+
+ index index.html;
+
+ server_tokens off;
+ charset utf-8;
+
+ access_log /var/log/nginx/landau.one.access.log;
+ error_log /var/log/nginx/landau.one.error.log warn;
+
+ # Security headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+ # При необходимости: CSP. Начни с report-only, чтобы не сломать рендер.
+ # add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self'" always;
+
+ # Сжатие
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 6;
+ gzip_min_length 1024;
+ gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss image/svg+xml;
+ # Если сборка nginx с brotli — включи и его (brotli on; brotli_types ...)
+
+ # Чистые URL: /about -> /about.html
+ location / {
+ try_files $uri $uri/ $uri.html =404;
+ }
+
+ # Кеш для хешированных ассетов
+ location ~* \.(?:css|js|woff2?|ttf|otf|eot|svg|jpg|jpeg|png|gif|webp|avif|ico)$ {
+ expires 1d;
+ add_header Cache-Control "public, immutable";
+ access_log off;
+ try_files $uri =404;
+ }
+
+ # HTML и корневые манифесты — всегда свежие
+ #location ~* \.(?:html|xml|txt|json|webmanifest)$ {
+ # expires -1;
+ # add_header Cache-Control "no-cache";
+ #}
+
+ # Запрет скрытых файлов
+ location ~ /\.(?!well-known) {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+ ssl_certificate /etc/letsencrypt/live/git.rulkc.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/git.rulkc.org/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+
+
+
+}
+server {
+ if ($host = landau.one) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+ if ($host = www.landau.one) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+
+ listen 80;
+ server_name landau.one www.landau.one;
+ return 404; # managed by Certbot
+}