Nginx

From Kicksecure
Jump to navigation Jump to search

Documentation for this is incomplete. Contributions are happily considered! See this for potential alternatives.

/etc/tor/torrc[edit]

HiddenServiceDir /var/lib/tor-instances/onionv3/onionv3/
HiddenServiceVersion 3

## web
HiddenServicePort 80 127.0.0.1:70

/etc/nginx/conf.d/hsts[edit]

## HSTS settings

/etc/nginx/sites-available/00100.conf[edit]

## default_server, apex domain (non-subdomain) or invalid subdomain catch-all

## redirect plaintext clearnet non-subdomain to TLS non-subdomain
server {
   listen 80 default_server;
   listen [::]:80 default_server;
   return 301 https://kicksecure.com$request_uri;
}

## redirect TLS clearnet non-subdomain to TLS www subdomain
server {
   listen 443 ssl http2 default_server;
   listen [::]:443 ssl http2 default_server;

   ssl_certificate /etc/letsencrypt/live/kicksecure.com/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/kicksecure.com/privkey.pem;
   ssl_trusted_certificate /etc/letsencrypt/live/kicksecure.com/fullchain.pem;
   include /etc/nginx/conf.d/hsts;

   return 301 https://www.kicksecure.com$request_uri;
}

## redirect onion non-subdomain to www subdomain
server {
   listen 127.0.0.1:70;
   server_name w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion;

   return 301 http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion$request_uri;
}

/etc/nginx/sites-available/www.conf[edit]

## http clearnet port 80 unencrypted listener
server {
   listen 80;
   listen [::]:80;
   server_name www.kicksecure.com;
   return 301 https://www.kicksecure.com$request_uri;
}

## clearnet www
server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
   server_name www.kicksecure.com;

   ssl_certificate /etc/letsencrypt/live/kicksecure.com/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/kicksecure.com/privkey.pem;
   ssl_trusted_certificate /etc/letsencrypt/live/kicksecure.com/fullchain.pem;
   include /etc/nginx/conf.d/hsts;

   more_set_headers "Onion-Location: http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion$request_uri";

   include /etc/nginx/conf.d/www;
}

## onion www
server {
   listen 127.0.0.1:70;
   server_name www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion;

   more_set_headers "X-Robots-Tag: noindex, nofollow";

   include /etc/nginx/conf.d/www;
}

/etc/nginx/conf.d/www[edit]

## actual nginx config shared among TLS and onion goes here

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 11 year success story and maybe DONATE!