initial commit

2025-08-09 04:53:40 +08:00 · 2018-01-07 16:30:12 +01:00
commit 1bbaee1cde
18 changed files with 741 additions and 0 deletions
--- a/public/templates/_general.conf.html
+++ b/public/templates/_general.conf.html
@@ -0,0 +1,44 @@
+# headers
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-UA-Compatible "IE=Edge" always;
+add_header Cache-Control "no-transform" always;
+
+# . files
+location ~ /\.(?!well-known).* {
+	deny all;
+}<span ng-if="data.expires.css_js !== '' && data.expires.css_js !== data.expires.media">
+
+# css/js
+location ~* \.(css|js)$ {
+	expires {{ data.expires.css_js }};<span ng-if="data.access_log !== ''">
+	access_log off;</span>
+}</span><span ng-if="data.expires.media !== ''">
+
+# {{ data.expires.css_js !== '' && data.expires.css_js === data.expires.media ? 'css/js, ' : '' }}media
+location ~* \.({{ data.expires.css_js !== '' && data.expires.css_js === data.expires.media ? 'css|js|' : '' }}jpe?g|gif|png|heic|ico|cur|mp4|mov|ogg|ogv|webm|htc)$ {
+	expires {{ data.expires.media }};<span ng-if="data.access_log !== ''">
+	access_log off;</span>
+}</span><span ng-if="data.expires.svg !== '' && data.expires.svg !== data.expires.font">
+
+# svg
+location ~* \.svg$ {
+	add_header Access-Control-Allow-Origin "*";
+	expires {{ data.expires.svg }};<span ng-if="data.access_log !== ''">
+	access_log off;</span>
+}</span><span ng-if="data.expires.font !== ''">
+
+# {{ data.expires.svg !== '' && data.expires.svg === data.expires.font ? 'svg, ' : '' }}fonts
+location ~* \.({{ data.expires.svg !== '' && data.expires.svg === data.expires.font ? 'svg|' : '' }}ttf|ttc|otf|eot|woff|woff2)$ {
+	add_header Access-Control-Allow-Origin "*";
+	expires {{ data.expires.font }};<span ng-if="data.access_log !== ''">
+	access_log off;</span>
+}</span>
+<span ng-if="data.gzip">
+# gzip
+gzip on;
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;</span>
--- a/public/templates/_letsencrypt.conf.html
+++ b/public/templates/_letsencrypt.conf.html
@@ -0,0 +1,4 @@
+location ^~ /.well-known/acme-challenge/ {
+	default_type "text/plain";
+	root /var/www/_letsencrypt;
+}
--- a/public/templates/_php.conf.html
+++ b/public/templates/_php.conf.html
@@ -0,0 +1,14 @@
+# index
+index {{ data.index_html ? 'index.html ' : '' }}index.php;
+
+# process with {{ data.index_html ? 'index.html, ' : '' }}index.php
+location / {
+	try_files $uri $uri/ {{ data.index_html ? '/index.html ' : '' }}/index.php?$query_string;
+}
+
+# handle .php
+location ~ \.php$ {<span ng-if="data.file_structure === 'separated'">
+	include _php_fastcgi.conf;
+	</span><span ng-if="data.file_structure === 'unified'">
+	<ng-include src="'templates/_php_fastcgi.conf.html'" onload="refreshHighlighting()"></ng-include></span>
+}
--- a/public/templates/_php_fastcgi.conf.html
+++ b/public/templates/_php_fastcgi.conf.html
@@ -0,0 +1,23 @@
+try_files $uri =404;
+
+# fastcgi
+fastcgi_pass				{{
+	data.php === 'tcp' ? '127.0.0.1:9000' : (
+		data.php === '5.x' ? 'unix:/var/run/php5-fpm.sock' : (
+			'unix:/var/run/php/php' + data.php +'-fpm.sock'
+		)
+	)
+}};
+fastcgi_index				index.php;
+fastcgi_split_path_info		^(.+\.php)(/.+)$;
+fastcgi_param				SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param				PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;
+fastcgi_intercept_errors	off;
+
+fastcgi_buffer_size				128k;
+fastcgi_buffers					256 16k;
+fastcgi_busy_buffers_size		256k;
+fastcgi_temp_file_write_size	256k;
+
+# default fastcgi_params
+include fastcgi_params;
--- a/public/templates/_ssl.conf.html
+++ b/public/templates/_ssl.conf.html
@@ -0,0 +1,24 @@
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0g&hsts=yes&profile=intermediate
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# Diffie-Hellman parameter for DHE ciphersuites
+# openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
+ssl_dhparam /etc/nginx/dhparam.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_prefer_server_ciphers on;
+
+# HSTS
+add_header Strict-Transport-Security "max-age=15768000" always;
+
+# OCSP Stapling
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+resolver_timeout 2s;
--- a/public/templates/_wordpress.conf.html
+++ b/public/templates/_wordpress.conf.html
@@ -0,0 +1,30 @@
+# allow tinymce
+location = /wp-includes/js/tinymce/wp-tinymce.php {
+	include _php_fastcgi.conf;
+}
+
+# wp-content, wp-includes php files
+location ~* ^/(wp-content|wp-includes)/.*\.php$ {
+	deny all;
+}
+
+# wp-content/uploads nasty stuff
+location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf|css)$ {
+	deny all;
+}
+
+# wp-content/plugins nasty stuff
+location ~* ^/wp-content/plugins/.*\.(?!jpe?g|gif|png|svg|heic|js|css) {
+	deny all;
+}
+
+# WordPress stuff
+location ~* ^/(xmlrpc\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
+	deny all;
+}<span ng-if="data.limit_req">
+
+# wp-login.php throttle
+location = /wp-login.php {
+	limit_req zone=login burst=2 nodelay;
+	include _php_fastcgi.conf;
+}</span>
--- a/public/templates/example.com.conf.html
+++ b/public/templates/example.com.conf.html
@@ -0,0 +1,83 @@
+<span ng-if="data.https"># certbot certonly --non-interactive --text --email {{ data.email }} --agree-tos --force-renew --webroot --webroot-path /var/www/_letsencrypt --domain {{ data.domain }} --domain www.{{ data.domain }}
+server {
+	listen 443 ssl{{ data.http2 ? ' http2' : '' }};
+	listen [::]:443 ssl{{ data.http2 ? ' http2' : '' }};
+
+	server_name {{ !data.non_www ? 'www.' : '' }}{{ data.domain }};
+	set $base /var/www/{{ data.domain }};
+	root $base/public;
+
+	ssl_certificate /etc/letsencrypt/live/{{ data.domain }}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/{{ data.domain }}/privkey.pem;
+	ssl_trusted_certificate /etc/letsencrypt/live/{{ data.domain }}/fullchain.pem;
+	<span ng-if="data.file_structure === 'separated'">
+	include _general.conf;<span ng-if="data.php !== 'off' && data.wordpress">
+	include _wordpress.conf;</span><span ng-if="data.php !== 'off'">
+	include _php.conf;</span>
+	include _letsencrypt.conf;
+	include _ssl.conf;</span><span ng-if="data.file_structure === 'unified'">
+	<ng-include src="'templates/_general.conf.html'" onload="refreshHighlighting()"></ng-include><span ng-if="data.php !== 'off' && data.wordpress">
+
+	<ng-include src="'templates/_wordpress.conf.html'" onload="refreshHighlighting()"></ng-include></span><span ng-if="data.php !== 'off'">
+
+	<ng-include src="'templates/_php.conf.html'" onload="refreshHighlighting()"></ng-include></span>
+
+	<ng-include src="'templates/_letsencrypt.conf.html'" onload="refreshHighlighting()"></ng-include>
+
+	include _ssl.conf;</span>
+}
+
+# https {{ !data.non_www ? 'domain, ' : '' }}subdomains redirect
+server {
+	listen 443 ssl{{ data.http2 ? ' http2' : '' }};
+	listen [::]:443 ssl{{ data.http2 ? ' http2' : '' }};
+
+	server_name {{ !data.non_www ? data.domain + ' ' : '' }}*.{{ data.domain }};
+
+	ssl_certificate /etc/letsencrypt/live/{{ data.domain }}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/{{ data.domain }}/privkey.pem;
+	ssl_trusted_certificate /etc/letsencrypt/live/{{ data.domain }}/fullchain.pem;
+
+	include _ssl.conf;
+
+	return 301 https://{{ !data.non_www ? 'www.' : '' }}{{ data.domain }}$request_uri;
+}
+
+# http redirect
+server {
+	listen [::]:80;
+	listen 80;
+
+	server_name {{ data.domain }} *.{{ data.domain }};
+	<span ng-if="data.file_structure === 'separated'">
+	include _letsencrypt.conf;</span><span ng-if="data.file_structure === 'unified'">
+	<ng-include src="'templates/_letsencrypt.conf.html'" onload="refreshHighlighting()"></ng-include></span>
+
+	return 301 https://{{ !data.non_www ? 'www.' : '' }}{{ data.domain }}$request_uri;
+}</span><span ng-if="!data.https">server {
+	listen [::]:80;
+	listen 80;
+
+	server_name {{ !data.non_www ? 'www.' : '' }}{{ data.domain }};
+	set $base /var/www/{{ data.domain }};
+	root $base/public;
+	<span ng-if="data.file_structure === 'separated'">
+	include _general.conf;<span ng-if="data.php !== 'off' && data.wordpress">
+	include _wordpress.conf;</span><span ng-if="data.php !== 'off'">
+	include _php.conf;</span></span><span ng-if="data.file_structure === 'unified'">
+	<ng-include src="'templates/_general.conf.html'" onload="refreshHighlighting()"></ng-include><span ng-if="data.php !== 'off' && data.wordpress">
+
+	<ng-include src="'templates/_wordpress.conf.html'" onload="refreshHighlighting()"></ng-include></span><span ng-if="data.php !== 'off'">
+
+	<ng-include src="'templates/_php.conf.html'" onload="refreshHighlighting()"></ng-include></span></span>
+}
+
+# {{ !data.non_www ? 'domain, ' : '' }}subdomains redirect
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ !data.non_www ? data.domain + ' ' : '' }}*.{{ data.domain }};
+
+	return 301 http://{{ !data.non_www ? 'www.' : '' }}{{ data.domain }}$request_uri;
+}</span>
--- a/public/templates/nginx.conf.html
+++ b/public/templates/nginx.conf.html
@@ -0,0 +1,41 @@
+user {{ data.user }};
+pid {{ data.pid}};
+worker_processes {{ data.worker_processes }};
+worker_rlimit_nofile 409600;
+
+events {
+	worker_connections 4096;
+	multi_accept on;
+	use epoll;
+}
+
+http {
+	charset utf-8;
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	types_hash_max_size 2048;<span ng-if="!data.server_tokens">
+	server_tokens off;</span><span ng-if="!data.log_not_found">
+	log_not_found off;</span>
+
+	client_max_body_size 50M;
+	client_body_buffer_size 128k;
+
+	# mime
+	include mime.types;
+	default_type application/octet-stream;
+
+	# logging<span ng-if="data.access_log !== ''">
+	access_log {{ data.access_log }};</span>
+	error_log {{ data.error_log }} warn;<span ng-if="data.limit_req">
+
+	# limits
+	limit_req_log_level warn;
+	limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;</span>
+
+	# include configs
+	include /etc/nginx/conf.d/*.conf;<span ng-if="data.file_structure === 'separated'">
+	include /etc/nginx/sites-enabled/*;</span><span ng-if="data.file_structure === 'unified'">
+
+	<ng-include src="'templates/example.com.conf.html'" onload="refreshHighlighting()"></ng-include></span>
+}