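# rawgithack
# Derived from https://github.com/neoascetic/rawgithack/blob/6e95e6c5f398a321b18b2586266a2cce9a3b1f6f/rawgithack.conf
#
# Caching reverse proxy that serves raw repository files from a single
# upstream ($origin) with a Content-Type derived from the file extension.

# Needed because proxy_pass below uses a variable, so the upstream name is
# resolved at request time.
resolver 127.0.0.1;
#error_log logs/error.log warn;

proxy_cache_path /var/cache/nginx/ra.ws.co.ls
                 use_temp_path=off
                 levels=1:2
                 max_size=1g
                 inactive=7d
                 keys_zone=ra.ws.co.ls.cache:2m;

limit_req_zone $rawscols_throttle zone=rawscols_throttling:10m rate=10r/s;
limit_req_log_level notice;

# Throttle key, derived from the Referer header.
#  - Referer on this site   -> "" (limit_req does not account empty keys)
#  - any other Referer      -> one bucket per referring domain + origin + URI
#  - no Referer at all      -> matches neither pattern, so the map default
#                              (empty) applies and the request is not throttled
# The Referer is client-supplied and the first pattern is not anchored after
# the host name (a referring host that merely starts with "ra.ws.co.ls" also
# matches), so this is hotlink throttling, not protection against a client
# that chooses its own headers.
map $http_referer $rawscols_throttle {
    ~*^https?://ra\.ws\.co\.ls          "";
    ~*^https?://(?<domain>[^/]+)        $domain/$origin$uri;
}

# file extension to mime-type mapping
# kind of workaround because nginx can detect mime-type only for local file
# $extension is the named capture set by the proxying location below.
map $extension $detect_content_type {
    ~*^(?:appcache|manifest)$   text/cache-manifest;
    ~*^atom$                    application/atom+xml;
    ~*^bat$                     application/x-msdownload;
    ~*^coffee$                  text/coffeescript;
    ~*^css$                     text/css;
    ~*^csv$                     text/csv;
    ~*^eot$                     application/vnd.ms-fontobject;
    ~*^geojson$                 application/vnd.geo+json;
    ~*^(?:hbs|handlebars)$      text/x-handlebars-template;
    ~*^htc$                     text/x-component;
    ~*^html?$                   text/html;
    ~*^ics$                     text/calendar;
    ~*^jscad$                   application/javascript;
    ~*^json$                    application/json;
    ~*^jsonld$                  application/ld+json;
    ~*^kml$                     application/vnd.google-earth.kml+xml;
    ~*^(?:md|markdown)$         text/markdown;
    ~*^m?js$                    application/javascript;
    ~*^mhtml$                   multipart/related;
    ~*^n3$                      text/n3;
    ~*^nt$                      application/n-triples;
    ~*^otf$                     font/otf;
    ~*^(?:owl|rdf)$             application/rdf+xml;
    ~*^pdf$                     application/pdf;
    ~*^rss$                     application/rss+xml;
    ~*^shexc?$                  text/shex;
    ~*^svg$                     image/svg+xml;
    ~*^swf$                     application/x-shockwave-flash;
    ~*^stl$                     model/stl;
    ~*^tt(?:c|f)$               application/x-font-ttf;
    ~*^ttl$                     text/turtle;
    ~*^vcard$                   text/vcard;
    ~*^vcf$                     text/x-vcard;
    ~*^vtt$                     text/vtt;
    ~*^woff$                    application/font-woff;
    ~*^woff2$                   application/font-woff2;
    ~*^xht(?:ml)?$              application/xhtml+xml;
    ~*^xml$                     text/xml;
    ~*^txt$                     text/plain;
    ~*^(?:xsl|xsd)$             application/xml;
    ~*^xslt$                    application/xslt+xml;
    ~*^ya?ml$                   text/yaml;
    ~*^wasm$                    application/wasm;
    ~*^(?:d|s)?rpm$             application/x-redhat-package-manager;
    default                     '';
}

# defines which extensions should include charset definition
map $extension $content_type_charset_string {
    ~*^(?:bat|eot|htc|kml|nt|otf|pdf|svg|swf|ttc|ttf|woff2?|wasm|rpm|drpm|srpm)$ '';
    default '; charset=utf-8';
}

# Upstream host to proxy to. Both patterns are fully anchored and there is no
# default entry, so a Host header can only ever select the fixed origin below
# or leave $origin empty; it can never name an arbitrary upstream.
map $host $origin {
    #~*^(real\.)?ra\.ws\.co\.ls$ git.sr.ht;
    ~*^(real\.)?ra\.ws\.co\.ls$ srhtcdn.githack.com;
}

server {
    listen 192.168.1.250:80;
    listen 192.168.1.250:443 ssl;
    server_name ra.ws.co.ls real.ra.ws.co.ls;

    root /var/www/ra.ws.co.ls;

    location = /favicon.ico {
        return 301 /favicon.svg;
    }

    location = /favicon.svg {
        limit_except GET HEAD { deny all; }
        add_header Cache-Control 'max-age=2592000, public, immutable';
        try_files $uri =404;
    }

    # Instead of soft-merging slashes, merge them with a 301
    merge_slashes off;
    rewrite (.*?)//+(.*) $1/$2 permanent;

    # Local static pages: single path segment made of lowercase letters,
    # dots and dashes, served from the document root.
    location ~ ^/[a-z.-]+$ {
        limit_except GET HEAD { deny all; }
        add_header Cache-Control 'max-age=86400, public';
        default_type "text/plain; charset=utf-8";
        try_files $uri.html $uri =404;
    }

    # Proxied raw files. The location is pinned to one account prefix; the
    # commented-out pattern is the wider any-owner form it replaces.
    # location ~* ^/[^/]+/[^/]+/[^/]+/.+?(?:\.(?<extension>[a-zA-Z0-9]+))?$ {
    location ~* ^/~nabijaczleweli/[^/]+/[^/]+/.+?(?:\.(?<extension>[a-zA-Z0-9]+))?$ {
        limit_except GET { deny all; }

        limit_req zone=rawscols_throttling nodelay;
        limit_req_status 429;

        proxy_read_timeout 10s;

        # caching
        proxy_cache ra.ws.co.ls.cache;
        # NOTE(review): the key uses $uri, which carries no query string,
        # while proxy_pass without a URI part forwards the request URI as the
        # client sent it. If the origin ever varies its response on query
        # arguments, the first variant fetched is what every later client
        # gets for that path - confirm the origin ignores the query string.
        proxy_cache_key "$origin$uri";
        proxy_cache_revalidate on;
        proxy_cache_valid any 5m;
        proxy_cache_use_stale updating;
        proxy_cache_background_update on;
        proxy_cache_lock on;

        proxy_buffer_size 16k;
        proxy_buffers 8 16k;
        proxy_busy_buffers_size 16k;
        proxy_force_ranges on;

        proxy_http_version 1.1;
        # Cacheability is decided by this config alone; origin headers that
        # would otherwise prevent or alter caching are not honoured.
        proxy_ignore_headers X-Accel-Limit-Rate
                             X-Accel-Buffering
                             X-Accel-Redirect
                             X-Accel-Expires
                             X-Accel-Charset
                             Cache-Control
                             Set-Cookie
                             Expires
                             Vary;
        proxy_intercept_errors on;

        # NOTE(review): proxy_ssl_verify is not set in this file and nginx
        # leaves upstream certificate verification off by default, so unless
        # an enclosing config enables it the connection to $origin is
        # encrypted but the origin is not authenticated. Enabling
        # proxy_ssl_verify needs proxy_ssl_trusted_certificate pointing at the
        # host's CA bundle (path is distribution-specific).
        proxy_ssl_server_name on;
        proxy_pass https://$origin;
        proxy_redirect https://$origin $scheme://$host;

        # we need to hide these headers in order to redefine them
        # if we don't, they will be set twice
        proxy_hide_header Status;
        proxy_hide_header Expires;
        proxy_hide_header Content-Type;
        proxy_hide_header Cache-Control;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-XSS-Protection;
        proxy_hide_header Content-Disposition;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header Strict-Transport-Security;
        proxy_hide_header Access-Control-Allow-Origin;
        # Set-Cookie is listed in proxy_ignore_headers above, so a response
        # carrying it is still cached. Hide it so a cookie issued by the
        # origin is never handed to clients of this shared cache.
        proxy_hide_header Set-Cookie;

        # NOTE(review): of the headers hidden above, X-Content-Type-Options,
        # X-Frame-Options, Content-Security-Policy and
        # Strict-Transport-Security are not re-added here, and add_header
        # directives from outer levels are not inherited once a location
        # defines its own, so responses from this location carry none of
        # them. For an extension that the map does not know (or a path with
        # no extension) the Content-Type below evaluates to just
        # "; charset=utf-8", which leaves type detection to the client.
        add_header Cache-Control 'max-age=86400, public, immutable' always;
        add_header X-Robots-Tag none; # robots, go away!
        # Wildcard CORS: every origin may read these responses.
        add_header Access-Control-Allow-Origin *;
        add_header X-Githack-Cache-Status $upstream_cache_status always;
        add_header Content-Type $detect_content_type$content_type_charset_string;
    }

    ssl_certificate /etc/letsencrypt/live/ra.ws.co.ls/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ra.ws.co.ls/privkey.pem; # managed by Certbot
}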