From 1f42b1332c92f2432440dbd25869afe1de2b8616 Mon Sep 17 00:00:00 2001 From: inference Date: Sun, 29 Jun 2025 17:44:55 +0000 Subject: [PATCH] rebase(nginx): file "gitea" onto "website" Rather than performing fine-grained commits to catch up with the website configuration files, just update the entire file in a single commit. While this is not the typical way of updating files, the changes can be mostly seen via the website configuration files' commits, and this prevents becoming confusingly out-of-sync with the other configuration files. --- xb-00-01/nginx/gitea.conf | 74 +++++++++++++++++++++++---------------- 1 file changed, 43 insertions(+), 31 deletions(-) diff --git a/xb-00-01/nginx/gitea.conf b/xb-00-01/nginx/gitea.conf index f86baa3..30dfe4f 100644 --- a/xb-00-01/nginx/gitea.conf +++ b/xb-00-01/nginx/gitea.conf @@ -1,53 +1,65 @@ -# Inferencium - xb000-0 +# Inferencium - xb-00-01 # Nginx - Configuration - Gitea +# Version: 4.0.0-alpha.1 # Copyright 2022 Jake Winters # SPDX-License-Identifier: BSD-3-Clause -# Version: 3.0.1.12 - # Server (unencrypted) +## Redirect from this server block to an encrypted server block if TLS is required server { # General - server_name git.inferencium.net; - listen 80; - listen [::]:80; + server_name src.inferencium.net www.src.inferencium.net; + ## IPv4 + listen 80; + ## IPv6 + listen [::]:80; # Location - location / { - return 301 https://$server_name$request_uri; + location / { + return 301 https://$server_name$request_uri; } } + # Server (TLS) server { # General - server_name git.inferencium.net; - listen 443 ssl http2; - listen [::]:443 ssl http2; - - # Security - ssl_certificate /etc/letsencrypt/live/git.inferencium.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/git.inferencium.net/privkey.pem; - ssl_protocols TLSv1.3; - ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"; - ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"; - ssl_conf_command Options PrioritizeChaCha; - ssl_prefer_server_ciphers on; - ssl_ecdh_curve X25519; - add_header Strict-Transport-Security "max-age=126200000; includeSubDomains; preload"; - add_header X-Frame-Options "DENY"; - add_header X-Content-Type-Options nosniff; -# add_header Content-Security-Policy "default-src 'self'; img-src 'self'; media-src 'self'; object-src 'none'; script-src 'none'; connect-src 'none'; frame-src 'none'; style-src 'self'; font-src 'self'"; - add_header Referrer-Policy no-referrer; + server_name src.inferencium.net; + http2 on; + ## IPv4 + listen 443 ssl; + ## IPv6 + listen [::]:443 ssl; # Location location / { - proxy_pass http://unix:/run/gitea/gitea.socket; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://unix:/run/gitea/gitea.sock; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; } + + # Security + ssl_trusted_certificate /etc/letsencrypt/live/inferencium.net/chain.pem; + ssl_certificate /etc/letsencrypt/live/inferencium.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/inferencium.net/privkey.pem; + ssl_protocols TLSv1.3; + ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"; + ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"; + ssl_conf_command Options PrioritizeChaCha; + ssl_prefer_server_ciphers on; + ssl_ecdh_curve X25519:secp256r1; + ssl_stapling on; + ssl_stapling_verify on; + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_cache shared:ssl_session_cache:10m; + ssl_session_tickets off; + + ## Headers + include /etc/nginx/include/header-security-nocsp.conf; } +