-rw-r--r--etc/nftables.conf3
-rw-r--r--etc/nginx/nginx.conf32
2 files changed, 33 insertions, 2 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 1fa3ce22..06d6f04e 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -32,6 +32,9 @@ table inet my_table {
udp dport swgp accept
tcp dport http accept
tcp dport https accept
+ # http3 quic
+ # seems no need open port 80 udp for http3, see https://serverfault.com/q/1185886
+ udp dport https accept
# email related ports
tcp dport smtp accept
tcp dport pop3 accept
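Review bot: The new `udp dport https accept` admits any datagram to 443 before nginx has validated the sender, so the implicit source-address check a TCP handshake gives the `tcp dport https` rule above does not exist here; this rule should be paired with `quic_retry on;` in the nginx QUIC configuration so unvalidated Initials are answered with a small Retry packet rather than a full, amplified handshake. The comment can also be made definite instead of hedged: HTTP/3 is only reached through the `Alt-Svc: h3=":443"` advertisement sent on the TLS port, so `# http3 over QUIC: only UDP/443 is needed, since h3 is advertised via Alt-Svc on :443 and never on :80` states the reason where the current line says `seems no need`. The enclosing chain, its policy and any `ct state` rule governing UDP replies begin before the hunk, so how return traffic is handled is not visible here.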
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 73ff11e0..4fad34f0 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -1,6 +1,7 @@
#user http;
-worker_processes 1;
+# https://freenginx.org/en/docs/ngx_core_module.html#worker_processes
+worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
@@ -48,6 +49,21 @@ http {
listen 80;
# needed for ipv6
listen [::]:80;
+ # needed for http3 quic
+ # https://freenginx.org/en/docs/quic.html
+ # https://oheng.com/enabling-http-3-under-nginx/
+ #
+ # http3 quic can be testd with https://http3check.net
+ #
+ # Note reuseport should only be used once per address:port pair.
+ # https://serverfault.com/a/1000428 points out that
+ # https://freenginx.org/en/docs/http/ngx_http_core_module.html#listen
+ # wrote: "The listen directive can have several additional parameters
+ # specific to socket-related system calls. These parameters can be
+ # specified in any listen directive, but only once for a given
+ # address:port pair." Also see https://stackoverflow.com/q/76348128
+ listen 443 quic reuseport;
+ listen [::]:443 quic reuseport;
# https://nginx.org/en/docs/http/configuring_https_servers.html#single_http_https_server
listen 443 ssl;
listen [::]:443 ssl;
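Review bot: The new `listen 443 quic reuseport;` and `listen [::]:443 quic reuseport;` lines enable QUIC without address validation, so a spoofed Initial on UDP/443 makes the server perform a full handshake and send several times more bytes than it received; add `quic_retry on;` next to them (or once at `http` level so the mirrors and git servers get it too) so unvalidated sources first receive a Retry packet. HTTP/3 also requires TLS 1.3, so the `ssl_protocols` setting governing this server, which is not shown in the hunk, must include TLSv1.3 or the QUIC listener will never complete a handshake; a one-line comment recording that dependency next to the QUIC listens would save the next reader a trip to the docs. The long `reuseport` comment is accurate and useful as written. The enclosing `server` block starts before the hunk.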
@@ -56,6 +72,10 @@ http {
ssl_certificate /etc/postfix/flylightning.pem;
ssl_certificate_key /etc/postfix/flylightning.key;
+ # needed for http3 quic
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Alt-Svc
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
#charset koi8-r;
#access_log logs/host.access.log main;
@@ -137,6 +157,8 @@ http {
server {
listen 80;
listen [::]:80;
+ listen 443 quic;
+ listen [::]:443 quic;
listen 443 ssl;
listen [::]:443 ssl;
server_name mirrors.flylightning.xyz;
@@ -144,6 +166,8 @@ http {
ssl_certificate /etc/postfix/flylightning.pem;
ssl_certificate_key /etc/postfix/flylightning.key;
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
location / {
root /srv/http/mirrors;
autoindex on;
@@ -158,6 +182,8 @@ http {
server {
listen 80;
listen [::]:80;
+ listen 443 quic;
+ listen [::]:443 quic;
listen 443 ssl;
listen [::]:443 ssl;
server_name git.flylightning.xyz;
@@ -166,6 +192,8 @@ http {
ssl_certificate /etc/postfix/flylightning.pem;
ssl_certificate_key /etc/postfix/flylightning.key;
+ add_header Alt-Svc 'h3=":443"; ma=86400';
+
# about nginx location regex:
# - https://nginx.org/en/docs/http/ngx_http_core_module.html#location
# - https://stackoverflow.com/a/59846239
@@ -177,7 +205,7 @@ http {
# - note: I don't think sed support ?: , because POSIX ERE and BRE doesn't seem to support ?:
# - maybe improve a little bit performance by not storing things (not tested, also I did not read the source code)
# Serve static files with nginx
- location ~ ^/(?:cgit\.(?:css|png)|robots\.txt|highlight\.css|mycgit\.css)$ {
+ location ~ ^/(?:cgit\.(?:css|png|js)|robots\.txt|highlight\.css|mycgit\.css|favicon\.ico)$ {
root /usr/share/webapps/cgit;
expires 30d;
}