Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
169 lines (142 sloc) 4.5 KB
server {
listen 80 deferred;
listen [::]:80 deferred ipv6only=on;
server_name ~.;
location ~ ^/healthcheck$ {
fastcgi_send_timeout 220;
fastcgi_read_timeout 220;
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 220s;
proxy_send_timeout 220s;
send_timeout 220s;
}
location / {
if ($request_uri !~ "^/healthcheck$") {
return 301 https://$host$request_uri;
}
}
}
server {
listen 443 ssl http2 deferred;
listen [::]:443 ssl http2 deferred ipv6only=on;
server_name miraheze.org *.miraheze.org;
root /var/www/html;
ssl_certificate /etc/ssl/certs/wildcard.miraheze.org.crt;
ssl_certificate_key /etc/ssl/private/wildcard.miraheze.org.key;
ssl_trusted_certificate /etc/ssl/certs/GlobalSign.crt;
ssl_stapling_verify on;
# Floods the servers, causing serious issues
if ($http_user_agent ~ "ArchiveTeam ArchiveBot") {
return 403;
}
# A bit too much traffic.
if ($http_user_agent ~ "MJ12bot") {
return 403;
}
# A bit too much traffic.
if ($http_user_agent ~ "OpenVAS 8.0.9") {
return 403;
}
# Way too much traffic.
if ($http_user_agent ~ "SemrushBot") {
return 403;
}
# Temporarily backlist mwclient
if ($http_user_agent ~ "^MwClient/.* \(https://github.com/mwclient/mwclient\)$") {
return 403;
}
location / {
fastcgi_send_timeout 220;
fastcgi_read_timeout 220;
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 220s;
proxy_send_timeout 220s;
send_timeout 220s;
}
}
<% @sslredirects.each_pair do | name, property | %>
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
<% if property['mobiledomain'] -%>
server_name <%= property['url'] %> <%= property['mobiledomain'] %>;
<% else -%>
server_name <%= property['url'] %>;
<% end -%>
root /var/www/html;
ssl_certificate /etc/ssl/certs/<%= property['sslname'] %>.crt;
ssl_certificate_key /etc/ssl/private/<%= property['sslname'] %>.key;
ssl_trusted_certificate /etc/ssl/certs/<%= property['ca'] %>.crt;
<% if property['hsts'] == "strict" %>
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
<% else %>
add_header Strict-Transport-Security "max-age=604800";
<% end %>
return 301 https://<%= property['redirect'] %>$request_uri;
}
<% end %>
<% @sslcerts.each_pair do | name, property | %>
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
<% if property['mobiledomain'] -%>
server_name <%= property['url'] %> <%= property['mobiledomain'] %>;
<% else -%>
server_name <%= property['url'] %>;
<% end -%>
root /var/www/html;
<% if property['sslname'] -%>
ssl_certificate /etc/ssl/certs/<%= property['sslname'] %>.crt;
ssl_certificate_key /etc/ssl/private/<%= property['sslname'] %>.key;
<% else -%>
ssl_certificate /etc/ssl/certs/<%= property['url'] %>.crt;
ssl_certificate_key /etc/ssl/private/<%= property['url'] %>.key;
<% end -%>
ssl_trusted_certificate /etc/ssl/certs/<%= property['ca'] %>.crt;
# Floods the servers, causing serious issues
if ($http_user_agent ~ "ArchiveTeam ArchiveBot") {
return 403;
}
# A bit too much traffic.
if ($http_user_agent ~ "MJ12bot") {
return 403;
}
# A bit too much traffic.
if ($http_user_agent ~ "OpenVAS 8.0.9") {
return 403;
}
# Way too much traffic.
if ($http_user_agent ~ "SemrushBot") {
return 403;
}
# Temporarily backlist mwclient
if ($http_user_agent ~ "^MwClient/.* \(https://github.com/mwclient/mwclient\)$") {
return 403;
}
<% if property['hsts'] == "strict" %>
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
<% else %>
add_header Strict-Transport-Security "max-age=604800";
<% end %>
location / {
fastcgi_send_timeout 220;
fastcgi_read_timeout 220;
proxy_pass http://127.0.0.1:81;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 220s;
proxy_send_timeout 220s;
send_timeout 220s;
}
}
<% end %>
You can’t perform that action at this time.