user nginx nginx; worker_processes 1; error_log /var/log/nginx/error.log info; events { worker_connections 1024; use epoll; } http { add_header_inherit merge; include /etc/nginx/mime.types.nginx; charset utf-8; types_hash_max_size 4096; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] ' '"$request" $status $bytes_sent ' '"$http_referer" "$http_user_agent" ' '"$gzip_ratio" handler=$sent_http_handler'; log_format i2pd '$remote_addr - $remote_user [$time_local] ' '"$request" $status $bytes_sent ' '"$http_referer" "$http_user_agent" ' '"$gzip_ratio" ' '"$http_host" "$http_x_i2p_destb32" "$http_x_i2p_desthash" "$http_x_i2p_destb64"'; log_format json escape=json '{' '"epoch":"$msec",' # request unixtime in seconds with a milliseconds resolution '"connection":"$connection",' # connection serial number '"connection_requests":"$connection_requests",' # number of requests made in connection '"pid":"$pid",' # process pid '"request_id":"$request_id",' # the unique request id '"request_length":"$request_length",' # request length (including headers and body) '"remote_addr":"$remote_addr",' # client IP '"remote_user":"$remote_user",' # client HTTP username '"remote_port":"$remote_port",' # client port '"time_local":"$time_local",' '"time_iso8601":"$time_iso8601",' # local time in the ISO 8601 standard format '"request":"$request",' # full path no arguments if the request '"request_uri":"$request_uri",' # full path and arguments if the request '"args":"$args",' # args '"status":"$status",' # response status code '"body_bytes_sent":"$body_bytes_sent",' # the number of body bytes exclude headers sent to a client '"bytes_sent":"$bytes_sent",' # the number of bytes sent to a client '"http_referer":"$http_referer",' # HTTP referer '"http_user_agent":"$http_user_agent",' # user agent '"http_x_forwarded_for":"$http_x_forwarded_for",' # http_x_forwarded_for '"http_host":"$http_host",' # the request Host: header '"http_sec_ch_ua_platform":"$http_sec_ch_ua_platform",' '"http_sec_ch_ua":"$http_sec_ch_ua",' '"server_name":"$server_name",' # the name of the vhost serving the request '"request_time":"$request_time",' # request processing time in seconds with msec resolution '"upstream":"$upstream_addr",' # upstream backend server for proxied requests '"upstream_connect_time":"$upstream_connect_time",' # upstream handshake time incl. TLS '"upstream_header_time":"$upstream_header_time",' # time spent receiving upstream headers '"upstream_response_time":"$upstream_response_time",' # time spend receiving upstream body '"upstream_response_length":"$upstream_response_length",' # upstream response length '"upstream_cache_status":"$upstream_cache_status",' # cache HIT/MISS where applicable '"ssl_protocol":"$ssl_protocol",' # TLS protocol '"ssl_cipher":"$ssl_cipher",' # TLS cipher '"scheme":"$scheme",' # http or https '"request_method":"$request_method",' # request method '"server_protocol":"$server_protocol",' # request protocol, like HTTP/1.1 or HTTP/2.0 '"pipe":"$pipe",' # ā€œpā€ if request was pipelined, ā€œ.ā€ otherwise '"gzip_ratio":"$gzip_ratio",' # gzip ratio '"http_accept":"$http_accept"' # accept header '}'; client_header_timeout 10m; client_body_timeout 10m; send_timeout 10m; connection_pool_size 256; client_header_buffer_size 1k; large_client_header_buffers 4 4k; request_pool_size 4k; gzip off; output_buffers 4 32k; postpone_output 1460; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 75 20; ignore_invalid_headers on; index index.html; ssl_protocols TLSv1.3; ssl_ecdh_curve X25519:prime256v1:secp384r1; ssl_prefer_server_ciphers off; # http server { listen 80 default_server; listen [::]:80 default_server; server_name _; location / { return 301 https://$host$request_uri; } location /.well-known/ { root /var/www/localhost/htdocs; } add_header Strict-Transport-Security "max-age=86400; includeSubDomains; preload" always; } # cgit.space server { listen 51.222.150.227:443 ssl default_server; listen [2607:5300:401:2c01::c0de]:443 ssl default_server; server_name cgit.space; ssl_certificate /etc/letsencrypt/live/cgit.space/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/cgit.space/privkey.pem; include server.conf; add_header Strict-Transport-Security "max-age=86400; includeSubDomains; preload" always; add_header Onion-Location "http://cgitspacea7m5fmo5stfwxkykfbrjcecevl6z3xm5u7nfppuiigqoeyd.onion$uri" always; } # cgit.dn42 server { listen 172.20.133.164:443 ssl; listen [fd62:5e23:8905:3::2]:443 ssl; server_name cgit.dn42; ssl_certificate /etc/letsencrypt/live/cgit.dn42/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/cgit.dn42/privkey.pem; include server.conf; } # user-repo.cgit.zone server { listen 51.222.150.227:443 ssl; listen [2607:5300:401:2c01::c0de]:443 ssl; server_name ~^(?[^.-]+)(-(?[^.]+))\.cgit\.zone$; ssl_certificate /etc/letsencrypt/live/cgit.zone/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/cgit.zone/privkey.pem; root /home/$user/$repo.git/webroot/; http2 on; location /.well-known/ { root /var/www/localhost/htdocs; } if (!-d /home/$user/$repo.git/webroot/) { return 502; } add_header Strict-Transport-Security "max-age=86400; includeSubDomains; preload" always; } # private server { listen 51.222.150.227:444 ssl default_server; listen [2607:5300:401:2c01::c0de]:444 ssl default_server; server_name cgit.space; chunked_transfer_encoding off; ssl_certificate /etc/letsencrypt/live/cgit.space/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/cgit.space/privkey.pem; ssl_verify_client on; ssl_trusted_certificate mtls_trusted_cert.pem; root /var/www/private/htdocs; try_files $uri $uri/ =404; location / { fastcgi_pass unix:/run/php-fpm/cgitsuper.sock; include fastcgi_params; } } # onion server { listen unix:/var/run/tor/cgitspace.sock; server_name cgitspacea7m5fmo5stfwxkykfbrjcecevl6z3xm5u7nfppuiigqoeyd.onion; include server.conf; } # i2p server { listen 127.0.0.1:3275; server_name cgit.i2p cgitiek6febqkrplowpeqssm6cur3fk6de76oajer7dqixw2pwkq.i2p cgitiek6febqkrplowpeqssm6cur3fk6de76oajer7dqixw2pwkq.b32.i2p; include server.conf; } }