forked from FastGitORG/nginx-conf
-
Notifications
You must be signed in to change notification settings - Fork 1
/
hub.fastgit.org.conf
137 lines (110 loc) · 4.42 KB
/
hub.fastgit.org.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
upstream github {
server github.com:443;
keepalive 32;
}
server {
listen 443 ssl http2;
server_name hub.fastgit.org;
root /www/wwwroot/fg;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /var/www/cert/fg.pem;
ssl_certificate /var/www/cert/fg.pem;
ssl_certificate_key /var/www/cert/fg.key;
# Run following command & set permission before configuring
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /var/lib/nginx/dhparam.pem
ssl_dhparam /var/lib/nginx/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 60m;
ssl_session_tickets off;
client_max_body_size 2G;
error_page 497 https://$host$request_uri;
include /etc/nginx/snippets/anti-floc.conf;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_vary on;
gzip_proxied any; # test required
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/json
application/xml
application/rss+xml
image/svg+xml;
# SSL
location ~ \.well-known {
allow all;
}
# releases download
location ~ ^/[^/]+/[^/]+/releases/download/ {
return 301 https://download.fastgit.org$request_uri;
}
# archive download
location ~ ^/[^/]+/[^/]+/archive/ {
return 301 https://archive.fastgit.org$request_uri;
}
location ~ ^/[^/]+/[^/]+/suites/[^/]+/artifacts/ {
return 301 https://download.fastgit.org$request_uri;
}
# Fuck Search Engine
location /robots.txt {
allow all;
}
location / {
proxy_hide_header referrer-policy;
proxy_hide_header content-security-policy;
proxy_hide_header Strict-Transport-Security;
proxy_hide_header x-pjax-url;
proxy_set_header Host github.com;
proxy_set_header Accept-Encoding "";
proxy_set_header Referer https://github.com/;
proxy_set_header Origin https://github.com;
#proxy_set_header Connection "";
add_header x-pjax-url "https://hub.fastgit.org$request_uri";
add_header X-FastGit-Node "azure-ea-0";
proxy_http_version 1.1;
proxy_connect_timeout 10s;
proxy_read_timeout 10s;
# Not supported when installed from Debian source
# proxy_socket_keepalive on;
proxy_ssl_server_name on;
sub_filter "\"https://raw.githubusercontent.com" "\"https://raw.fastgit.org";
sub_filter "\"https://github.com" "\"https://hub.fastgit.org";
sub_filter "\"https://github.githubassets.com" "\"https://assets.fastgit.org";
sub_filter "\"https://github.githubassets.com" "\"https://assets.fastgit.org";
sub_filter "https://customer-stories-feed.github.com" "https://customer-stories-feed.fastgit.org";
sub_filter_once off;
proxy_cookie_domain github.com hub.fastgit.org;
proxy_redirect https://github.com https://hub.fastgit.org;
proxy_redirect https://raw.githubusercontent.com https://raw.fastgit.org;
proxy_redirect https://github.githubassets.com https://assets.fastgit.org;
proxy_redirect https://customer-stories-feed.github.com https://customer-stories-feed.fastgit.org;
proxy_redirect https://codeload.github.com https://codeload.fastgit.org;
proxy_pass https://github;
}
# Block search engine
# if ($http_user_agent ~* "qihoobot|Baiduspider|Bingbot|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot")
# {
# return 403;
# }
# Anti Agent Bot DDoS
# If behind CDN, use folloing commented code
# if ($http_x_forwarded_for != $remote_addr) {
# return 503;
# }
if ($proxy_add_x_forwarded_for != $remote_addr) {
return 503;
}
access_log /www/wwwlogs/hub.fastgit.org.log;
error_log /www/wwwlogs/hub.fastgit.org.error.log;
}