From d9271192759e640eaec7abb3375b251b8f1fc2ba Mon Sep 17 00:00:00 2001
From: Your Name
Date: Sun, 23 Aug 2020 12:08:17 +0000
Subject: [PATCH] nginx config
---
production/nginx/nginx/conf.d/http3.conf | 1 +
production/nginx/nginx/conf.d/security.conf | 7 ++
production/nginx/nginx/nginx.conf.backup | 113 ++++++++++++++++++
.../nginx/nginx/sites-available/covid19map | 17 +++
production/nginx/nginx/sites-available/hatboy | 19 +++
.../nginx/nginx/sites-enabled/covid19map | 1 +
production/nginx/nginx/sites-enabled/hatboy | 1 +
7 files changed, 159 insertions(+)
create mode 100644 production/nginx/nginx/conf.d/http3.conf
create mode 100644 production/nginx/nginx/conf.d/security.conf
create mode 100644 production/nginx/nginx/nginx.conf.backup
create mode 100644 production/nginx/nginx/sites-available/covid19map
create mode 100644 production/nginx/nginx/sites-available/hatboy
create mode 120000 production/nginx/nginx/sites-enabled/covid19map
create mode 120000 production/nginx/nginx/sites-enabled/hatboy
diff --git a/production/nginx/nginx/conf.d/http3.conf b/production/nginx/nginx/conf.d/http3.conf
new file mode 100644
index 0000000..fce6eb7
--- /dev/null
+++ b/production/nginx/nginx/conf.d/http3.conf
@@ -0,0 +1 @@
+add_header Alt-Svc 'h3-25=":443"; ma=3600, h2=":443"; ma=3600';
diff --git a/production/nginx/nginx/conf.d/security.conf b/production/nginx/nginx/conf.d/security.conf
new file mode 100644
index 0000000..cb108b6
--- /dev/null
+++ b/production/nginx/nginx/conf.d/security.conf
@@ -0,0 +1,7 @@
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Permitted-Cross-Domain-Policies none;
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header Referrer-Policy same-origin;
+add_header X-Download-Options noopen;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
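Review bot: The `Alt-Svc` value in conf.d/http3.conf advertises `h3-25` on port 443, but neither server block added by this patch has a QUIC listener; both use `listen 443 ssl http2;`. If no UDP listener is configured outside this patch, clients are told for an hour (`ma=3600`) to try an endpoint that is not served and then fall back, so the header should be enabled only once HTTP/3 is actually offered. The `h2=":443"` entry looks redundant, since HTTP/2 on the same port is already negotiated through ALPN. A comment such as `# advertise h3 only while the QUIC listener is enabled` would record the dependency.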
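Review bot: Six of the seven headers in conf.d/security.conf lack the `always` parameter that only the HSTS line carries, so nginx leaves them off 4xx/5xx responses, where framing and sniffing protections are still wanted; for example `add_header X-Content-Type-Options nosniff always;`. Because `add_header` is inherited from the http level only when the lower level defines none, uncommenting the `# add_header Alt-Svc ...` line present in both site files would silently drop every header in this file for that location; a comment at the top of the file saying so would prevent that surprise. `X-XSS-Protection` is deprecated in current browsers and no `Content-Security-Policy` is set, so it is worth deciding whether a CSP belongs here.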
diff --git a/production/nginx/nginx/nginx.conf.backup b/production/nginx/nginx/nginx.conf.backup
new file mode 100644
index 0000000..f57f253
--- /dev/null
+++ b/production/nginx/nginx/nginx.conf.backup
@@ -0,0 +1,113 @@
+#user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+#include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 256;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+ client_max_body_size 10M;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+# access_log /var/log/nginx/access.log;
+# error_log /var/log/nginx/error.log;
+# log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+# '$status $body_bytes_sent "$http_referer" '
+# '"$http_user_agent" "$http_x_forwarded_for"';
+# access_log /usr/local/nginx/logs/access.log main;
+# error_log /usr/local/nginx/logs/error.log;
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+
+ server_tokens off;
+
+ root /usr/local/nginx/html;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
+
+rtmp {
+ server {
+ listen 1936;
+# chunk_size 4000;
+ application hls {
+ live on;
+ hls on;
+ hls_path /etc/nginx/hls;
+ hls_fragment 30s;
+ hls_playlist_length 3m;
+ allow publish 172.51.0.1;
+ deny publish all;
+ allow play all;
+# exec_static /bin/bash /etc/nginx/emitir-live.sh;
+ exec_static ffmpeg -loglevel quiet -re -i async:cache:rtmp://172.10.0.101:1936/hls/streaming -threads 1 -async 1 -c:v libx264 -preset superfast -tune zerolatency -c:a aac -ar 44100 -f flv rtmp://a.rtmp.youtube.com/live2/4qye-a4f7-9zfy-eq2u-30yz;
+ }
+ }
+}
diff --git a/production/nginx/nginx/sites-available/covid19map b/production/nginx/nginx/sites-available/covid19map
new file mode 100644
index 0000000..6b6af68
--- /dev/null
+++ b/production/nginx/nginx/sites-available/covid19map
@@ -0,0 +1,17 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name covid19.hatthieves.es covid19map.hatthieves.es covidmap.hatthieves.es;
+ location / {
+ proxy_pass http://172.25.0.101:3000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_buffering off;
+# add_header Alt-Svc 'h3-25=":443"; ma=3600, h2=":443"; ma=3600';
+ }
+}
+
diff --git a/production/nginx/nginx/sites-available/hatboy b/production/nginx/nginx/sites-available/hatboy
new file mode 100644
index 0000000..490e509
--- /dev/null
+++ b/production/nginx/nginx/sites-available/hatboy
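Review bot: The `exec_static ffmpeg ...` line in the rtmp block of nginx.conf.backup embeds the YouTube ingest stream key in its destination URL, so the credential is now part of repository history; it should be rotated and supplied from outside version control, for instance by a wrapper script like the commented-out one above it that reads the key from a root-only file. Separately, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables the deprecated TLS 1.0 and 1.1 and leaves out 1.3; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual baseline. `hls_path /etc/nginx/hls;` requires the worker to have write access under the configuration directory, which a dedicated directory outside /etc/nginx avoids. If this file really is only a backup of the live configuration, consider not committing it at all.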
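Review bot: The `location /` block in sites-available/covid19map forwards `Upgrade` and `Connection "Upgrade"` but never sets `proxy_http_version 1.1;`, which the hatboy vhost does; nginx speaks HTTP/1.0 to upstreams by default, so the WebSocket upgrade these headers are meant for will not go through. Add `proxy_http_version 1.1;` next to `proxy_buffering off;`. The server block also declares `listen 443 ssl http2;` with no `ssl_certificate` or `ssl_certificate_key` here or in the http block of nginx.conf.backup; presumably they are defined in a file outside this patch, which is worth confirming. Sending `Connection "Upgrade"` on every proxied request works, but a `map $http_upgrade $connection_upgrade` block keeps ordinary requests from being marked as upgrades.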
@@ -0,0 +1,19 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name hatboy.hatthieves.es;
+ client_max_body_size 2G;
+ location / {
+ proxy_pass http://172.159.0.101:8080;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_buffering off;
+ proxy_http_version 1.1;
+# add_header Alt-Svc 'h3-25=":443"; ma=3600, h2=":443"; ma=3600';
+ }
+}
+
diff --git a/production/nginx/nginx/sites-enabled/covid19map b/production/nginx/nginx/sites-enabled/covid19map
new file mode 120000
index 0000000..d7d49dc
--- /dev/null
+++ b/production/nginx/nginx/sites-enabled/covid19map
@@ -0,0 +1 @@
+../sites-available/covid19map
\ No newline at end of file
diff --git a/production/nginx/nginx/sites-enabled/hatboy b/production/nginx/nginx/sites-enabled/hatboy
new file mode 120000
index 0000000..a50190e
--- /dev/null
+++ b/production/nginx/nginx/sites-enabled/hatboy
@@ -0,0 +1 @@
+../sites-available/hatboy
\ No newline at end of file
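Review bot: `proxy_pass http://172.159.0.101:8080;` in sites-available/hatboy targets an address outside the RFC 1918 private range (172.16.0.0/12 ends at 172.31.255.255), so if the container network that presumably owns this subnet is ever absent, proxied requests, with client IPs and bodies in plaintext, are routed toward a public host. The same applies to `allow publish 172.51.0.1;` and the `172.10.0.101` source address in the rtmp block of nginx.conf.backup. Renumbering those networks into private address space is the fix. `client_max_body_size 2G;` also applies to the whole vhost while request buffering stays on by default, so each large upload is spooled to disk before it reaches the upstream; scoping the limit to the upload location or adding `proxy_request_buffering off;` would bound that.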