author | terminaldweller <thabogre@gmail.com> | 2023-01-04 05:29:55 +0000 |
---|---|---|
committer | terminaldweller <thabogre@gmail.com> | 2023-01-04 05:29:55 +0000 |
commit | 0775e0c9f094bcba05284bc73b336151cf6a9e51 (patch) | |
tree | aeefb0fe6f79a394d8f4c8b2683b328f0dcad38c /terminaldweller.com | |
parent | update (diff) | |
update
Diffstat (limited to '')
-rw-r--r-- | terminaldweller.com/haproxy/haproxy.cfg | 11 | ||||
-rw-r--r-- | terminaldweller.com/privatebin/conf.php | 248 | ||||
-rw-r--r-- | terminaldweller.com/privatebin/docker-compose.yaml | 38 | ||||
-rw-r--r-- | terminaldweller.com/privatebin/nginx.conf | 40 |
4 files changed, 337 insertions, 0 deletions
diff --git a/terminaldweller.com/haproxy/haproxy.cfg b/terminaldweller.com/haproxy/haproxy.cfg
index feee75c..57f79f4 100644
--- a/terminaldweller.com/haproxy/haproxy.cfg
+++ b/terminaldweller.com/haproxy/haproxy.cfg
@@ -48,6 +48,7 @@ frontend http
 acl browsh-host hdr_sub(host) -i browsh.terminaldweller.com
 acl main-host hdr_sub(host) -i terminaldweller.com
 acl doh2-host hdr_sub(shost) -i doh2.terminaldweller.com
+ acl pastebin-host hdr_sub(shost) -i pastebin.terminaldweller.com
 acl mila-api-acl url_beg /mila
 acl crypto-api-acl url_beg /crypto
 acl http ssl_fc,not
@@ -69,6 +70,7 @@ frontend http
 http-request redirect scheme https code 301 if http rssgen-host !letsencrypt-acl
 http-request redirect scheme https code 301 if http main-host !letsencrypt-acl
 http-request redirect scheme https code 301 if http doh2-host !letsencrypt-acl
+ http-request redirect scheme https code 301 if http pastebin-host !letsencrypt-acl

 #Conditions
 use_backend blog-backend-cert if letsencrypt-acl blog-host
@@ -84,6 +86,7 @@ frontend http
 use_backend searx-backend-cert if letsencrypt-acl cargo-host
 use_backend vpn6-cert-backend if letsencrypt-acl browsh-host
 use_backend searx-backend-cert if letsencrypt-acl main-host
+ use_backend searx-backend-cert if letsencrypt-acl pastebin-host
 use_backend doh2-backend-cert if letsencrypt-acl doh2-host
 # use_backend editor-backend-cert if letsencrypt-acl editor-host
 use_backend certbot-backend if letsencrypt-acl !jabber-host !blog-host !api-host
@@ -121,6 +124,7 @@ frontend https
 acl browsh-host-s req.ssl_sni -i browsh.terminaldweller.com
 acl main-host-s req.ssl_sni -i terminaldweller.com
 acl doh2-host-s req.ssl_sni -i doh2.terminaldweller.com
+ acl pastebin-host-s req.ssl_sni -i pastebin.terminaldweller.com
 #Conditions
 use_backend mail-backend-s if mail-host-s
 #use_backend chat-backend-s if chat-host-s
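Review bot: The new `acl pastebin-host hdr_sub(shost) -i pastebin.terminaldweller.com` inspects a request header named `shost`, which browsers do not send, so unless something upstream injects that header this ACL never matches and the HTTPS redirect and the letsencrypt routing added for it in the `@@ -69` and `@@ -84` hunks are dead rules. It mirrors the pre-existing `doh2-host` line, so either both are intentional or both carry the same typo; if the latter, the line should read `acl pastebin-host hdr_sub(host) -i pastebin.terminaldweller.com`. Note also that `hdr_sub` is a substring match, so the existing `main-host` ACL (`terminaldweller.com`) matches this host too, and the order of the `use_backend` rules decides which backend wins for the ACME challenge.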
@@ -138,6 +142,7 @@ frontend https
 use_backend browsh-backend-s if browsh-host-s
 use_backend main-backend-s if main-host-s
 use_backend doh2-backend-s if doh2-host-s
+ use_backend pastebin-backend-s if pastebin-host-s

 #frontend jabber5222
 # bind *:5222
@@ -412,7 +417,13 @@ backend main-backend-s
 backend doh2-backend-cert
 mode http
 server doh2-backend-host 185.130.47.81:80
+
 backend doh2-backend-s
 mode tcp
 option tcp-check
 server doh2-backend-s 185.130.47.81:443
+
+backend pastebin-backend-s
+ mode tcp
+ option tcp-check
+ server main-host-s 185.130.47.208:3010
diff --git a/terminaldweller.com/privatebin/conf.php b/terminaldweller.com/privatebin/conf.php
new file mode 100644
index 0000000..3ffefab
--- /dev/null
+++ b/terminaldweller.com/privatebin/conf.php
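Review bot: In the new `pastebin-backend-s` block the server is named `main-host-s`, evidently copied from the main backend; the server name is what appears in stats and logs, so `server pastebin-backend-s 185.130.47.208:3010` would follow the convention the neighbouring `doh2-backend-s` uses. Also, `option tcp-check` only selects the check method — HAProxy runs health checks solely for servers that carry the `check` keyword — so as written no check is performed and an unreachable nginx is never marked down; the existing doh2 server line has the same gap. Because the backend is `mode tcp`, TLS is terminated in the nginx container on port 3010, so the client address is not visible past this point unless that path is given it some other way.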
@@ -0,0 +1,248 @@
+;<?php http_response_code(403); /*
+; config file for PrivateBin
+;
+; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
+
+[main]
+; (optional) set a project name to be displayed on the website
+; name = "PrivateBin"
+
+; The full URL, with the domain name and directories that point to the
+; PrivateBin files, including an ending slash (/). This URL is essential to
+; allow Opengraph images to be displayed on social networks.
+basepath = "https://privatebin.terminaldweller.com/"
+
+; enable or disable the discussion feature, defaults to true
+discussion = true
+
+; preselect the discussion feature, defaults to false
+opendiscussion = false
+
+; enable or disable the password feature, defaults to true
+password = true // pragma: allowlist secret
+
+; enable or disable the file upload feature, defaults to false
+fileupload = false
+
+; preselect the burn-after-reading feature, defaults to false
+burnafterreadingselected = false
+
+; which display mode to preselect by default, defaults to "plaintext"
+; make sure the value exists in [formatter_options]
+defaultformatter = "plaintext"
+
+; (optional) set a syntax highlighting theme, as found in css/prettify/
+; syntaxhighlightingtheme = "sons-of-obsidian"
+
+; size limit per paste or comment in bytes, defaults to 10 Mebibytes
+sizelimit = 10485760
+
+; template to include, default is "bootstrap" (tpl/bootstrap.php)
+template = "bootstrap"
+
+; (optional) info text to display
+; use single, instead of double quotes for HTML attributes
+;info = "More information on the <a href='https://privatebin.info/'>project page</a>."
+
+; (optional) notice to display
+notice = "Note: This is an ephemeral service: Data may be deleted anytime. Kittens will die if you abuse this service."
+
+; by default PrivateBin will guess the visitors language based on the browsers
+; settings. Optionally you can enable the language selection menu, which uses
+; a session cookie to store the choice until the browser is closed.
+languageselection = false
+
+; set the language your installs defaults to, defaults to English
+; if this is set and language selection is disabled, this will be the only language
+languagedefault = "en"
+
+; (optional) URL shortener address to offer after a new paste is created.
+; It is suggested to only use this with self-hosted shorteners as this will leak
+; the pastes encryption key.
+; urlshortener = "https://shortener.example.com/api?link="
+
+; (optional) Let users create a QR code for sharing the paste URL with one click.
+; It works both when a new paste is created and when you view a paste.
+qrcode = true
+
+; (optional) IP based icons are a weak mechanism to detect if a comment was from
+; a different user when the same username was used in a comment. It might get
+; used to get the IP of a comment poster if the server salt is leaked and a
+; SHA512 HMAC rainbow table is generated for all (relevant) IPs.
+; Can be set to one these values:
+; "none" / "identicon" (default) / "jdenticon" / "vizhash".
+; icon = "none"
+
+; Content Security Policy headers allow a website to restrict what sources are
+; allowed to be accessed in its context. You need to change this if you added
+; custom scripts from third-party domains to your templates, e.g. tracking
+; scripts or run your site behind certain DDoS-protection services.
+; Check the documentation at https://content-security-policy.com/
+; Notes:
+; - If you use a bootstrap theme, you can remove the allow-popups from the
+; sandbox restrictions.
+; - By default this disallows to load images from third-party servers, e.g. when
+; they are embedded in pastes. If you wish to allow that, you can adjust the
+; policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images
+; for details.
+; - The 'unsafe-eval' is used in two cases; to check if the browser supports
+; async functions and display an error if not and for Chrome to enable
+; webassembly support (used for zlib compression). You can remove it if Chrome
+; doesn't need to be supported and old browsers don't need to be warned.
+cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+
+; stay compatible with PrivateBin Alpha 0.19, less secure
+; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
+; sha256 in HMAC for the deletion token
+; zerobincompatibility = false
+
+; Enable or disable the warning message when the site is served over an insecure
+; connection (insecure HTTP instead of HTTPS), defaults to true.
+; Secure transport methods like Tor and I2P domains are automatically whitelisted.
+; It is **strongly discouraged** to disable this.
+; See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-it-show-me-an-error-about-an-insecure-connection for more information.
+httpwarning = true
+
+; Pick compression algorithm or disable it. Only applies to pastes/comments
+; created after changing the setting.
+; Can be set to one these values: "none" / "zlib" (default).
+compression = "zlib"
+
+[expire]
+; expire value that is selected per default
+; make sure the value exists in [expire_options]
+default = "1week"
+
+[expire_options]
+; Set each one of these to the number of seconds in the expiration period,
+; or 0 if it should never expire
+5min = 300
+10min = 600
+1hour = 3600
+1day = 86400
+1week = 604800
+; Well this is not *exactly* one month, it's 30 days:
+1month = 2592000
+1year = 31536000
+never = 0
+
+[formatter_options]
+; Set available formatters, their order and their labels
+plaintext = "Plain Text"
+syntaxhighlighting = "Source Code"
+markdown = "Markdown"
+
+[traffic]
+; time limit between calls from the same IP address in seconds
+; Set this to 0 to disable rate limiting.
+limit = 10
+
+; (optional) Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted
+; from the rate-limit. Invalid IPs will be ignored. If multiple values are to
+; be exempted, the list needs to be comma separated. Leave unset to disable
+; exemptions.
+; exempted = "1.2.3.4,10.10.10/24"
+
+; (optional) If you want only some source IP addresses (v4 or v6) or subnets
+; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
+; ignored. If multiple values are to be exempted, the list needs to be comma
+; separated. Leave unset to allow anyone to create pastes.
+; creators = "1.2.3.4,10.10.10/24"
+
+; (optional) if your website runs behind a reverse proxy or load balancer,
+; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR
+; header = "X_FORWARDED_FOR"
+
+[purge]
+; minimum time limit between two purgings of expired pastes, it is only
+; triggered when pastes are created
+; Set this to 0 to run a purge every time a paste is created.
+limit = 300
+
+; maximum amount of expired pastes to delete in one purge
+; Set this to 0 to disable purging. Set it higher, if you are running a large
+; site
+batchsize = 10
+
+[model]
+; name of data model class to load and directory for storage
+; the default model "Filesystem" stores everything in the filesystem
+class = Filesystem
+[model_options]
+dir = PATH "data"
+
+;[model]
+; example of a Google Cloud Storage configuration
+;class = GoogleCloudStorage
+;[model_options]
+;bucket = "my-private-bin"
+;prefix = "pastes"
+;uniformacl = false
+
+;[model]
+; example of DB configuration for MySQL
+;class = Database
+;[model_options]
+;dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8"
+;tbl = "privatebin_" ; table prefix
+;usr = "privatebin"
+;pwd = "Z3r0P4ss"
+;opt[12] = true ; PDO::ATTR_PERSISTENT
+
+;[model]
+; example of DB configuration for SQLite
+;class = Database
+;[model_options]
+;dsn = "sqlite:" PATH "data/db.sq3"
+;usr = null
+;pwd = null
+;opt[12] = true ; PDO::ATTR_PERSISTENT
+
+;[model]
+; example of DB configuration for PostgreSQL
+;class = Database
+;[model_options]
+;dsn = "pgsql:host=localhost;dbname=privatebin"
+;tbl = "privatebin_" ; table prefix
+;usr = "privatebin"
+;pwd = "Z3r0P4ss"
+;opt[12] = true ; PDO::ATTR_PERSISTENT
+
+;[model]
+; example of S3 configuration for Rados gateway / CEPH
+;class = S3Storage
+;[model_options]
+;region = ""
+;version = "2006-03-01"
+;endpoint = "https://s3.my-ceph.invalid"
+;use_path_style_endpoint = true
+;bucket = "my-bucket"
+;accesskey = "my-rados-user"
+;secretkey = "my-rados-pass"
+
+;[model]
+; example of S3 configuration for AWS
+;class = S3Storage
+;[model_options]
+;region = "eu-central-1"
+;version = "latest"
+;bucket = "my-bucket"
+;accesskey = "access key id"
+;secretkey = "secret access key"
+
+[yourls]
+; When using YOURLS as a "urlshortener" config item:
+; - By default, "urlshortener" will point to the YOURLS API URL, with or without
+; credentials, and will be visible in public on the PrivateBin web page.
+; Only use this if you allow short URL creation without credentials.
+; - Alternatively, using the parameters in this section ("signature" and
+; "apiurl"), "urlshortener" needs to point to the base URL of your PrivateBin
+; instance with "shortenviayourls?link=" appended. For example:
+; urlshortener = "${basepath}shortenviayourls?link="
+; This URL will in turn call YOURLS on the server side, using the URL from
+; "apiurl" and the "access signature" from the "signature" parameters below.
+
+; (optional) the "signature" (access key) issued by YOURLS for the using account
+; signature = ""
+; (optional) the URL of the YOURLS API, called to shorten a PrivateBin URL
+; apiurl = "https://yourls.example.com/yourls-api.php"
diff --git a/terminaldweller.com/privatebin/docker-compose.yaml b/terminaldweller.com/privatebin/docker-compose.yaml
new file mode 100644
index 0000000..c6f97e3
--- /dev/null
+++ b/terminaldweller.com/privatebin/docker-compose.yaml
@@ -0,0 +1,38 @@
+version: "3"
+services:
+ privatebin:
+ image: privatebin/nginx-fpm-alpine:stable
+ networks:
+ - privatebinnet
+ ports:
+ - "127.0.0.1:3180:8080"
+ restart: unless-stopped
+ depends_on:
+ - nginx
+ volumes:
+ - ./conf.php:/srv/cfg/conf.php:ro
+ # - privatebin-vault:/srv/data
+ # cap_drop:
+ # - ALL
+ nginx:
+ image: nginx:stable
+ ports:
+ - "3010:443"
+ networks:
+ - privatebinnet
+ restart: unless-stopped
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - DAC_OVERRIDE
+ - SETGID
+ - SETUID
+ - NET_BIND_SERVICE
+ volumes:
+ - ./nginx.conf:/etc/nginx/nginx.conf:ro
+ - /etc/letsencrypt/archive/pastebin.terminaldweller.com/:/certs/:ro
+networks:
+ privatebinnet:
+volumes:
+ privatebin-vault:
diff --git a/terminaldweller.com/privatebin/nginx.conf b/terminaldweller.com/privatebin/nginx.conf
new file mode 100644
index 0000000..78b0bc5
--- /dev/null
+++ b/terminaldweller.com/privatebin/nginx.conf
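Review bot: `basepath = "https://privatebin.terminaldweller.com/"` names a different host than the rest of this commit, which routes, redirects and mounts a certificate for `pastebin.terminaldweller.com`; PrivateBin builds the absolute URLs it emits (the Opengraph links the preceding comment mentions, the `${basepath}` shortener example later in this file) from this value, so they would point at a host that is not set up here — presumably it should be `basepath = "https://pastebin.terminaldweller.com/"`. Separately, `password = true // pragma: allowlist secret` is not an INI comment: PHP's ini parser only recognises `;` as a comment delimiter, so the trailing text becomes part of the value and whether it still reads as boolean true depends on how PrivateBin casts the option; move the marker to its own line as `; pragma: allowlist secret` above the setting. `header = "X_FORWARDED_FOR"` under `[traffic]` stays commented out even though the service sits behind the nginx proxy added in this commit, so the per-IP `limit = 10` is keyed on the proxy's address and applies to all visitors as one bucket; it only becomes useful once nginx forwards the client address (see the nginx.conf section).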
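Review bot: `depends_on` on the privatebin service points at nginx, but the dependency runs the other way: nginx.conf's `proxy_pass http://privatebin:8080` is resolved when nginx loads its configuration, so if the nginx container comes up before privatebin exists it may fail with an unresolvable upstream; move the `depends_on:` / `- privatebin` pair onto the nginx service. The mount `/etc/letsencrypt/archive/pastebin.terminaldweller.com/:/certs/:ro` together with the `fullchain1.pem`/`privkey1.pem` names in nginx.conf pins the first issued certificate: certbot writes renewals as `fullchain2.pem` and so on and only re-points the symlinks under `live/`, so after the first renewal the container keeps serving the expired certificate unless both `live/` and `archive/` are mounted and nginx references the `live/` paths (or a deploy hook copies the files). With `privatebin-vault:/srv/data` commented out, pastes live in the container's writable layer and are lost whenever the container is recreated, which matches the "ephemeral service" notice in conf.php but deserves a comment stating that it is intentional.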
@@ -0,0 +1,40 @@
+events {
+ worker_connections 1024;
+}
+http {
+ include /etc/nginx/mime.types;
+ server_tokens off;
+ limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
+ server {
+ listen 443 ssl;
+ keepalive_timeout 60;
+ charset utf-8;
+ ssl_certificate /certs/fullchain1.pem;
+ ssl_certificate_key /certs/privkey1.pem;
+ ssl_ciphers HIGH:!aNULL:!MD5:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_protocols TLSv1.3;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+ ssl_prefer_server_ciphers on;
+ # sendfile on;
+ tcp_nopush on;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads";
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ # add_header Permissions-Policy "geolocation=(self),midi=(self),sync-xhr=(self),microphone=(self),camera=(self),magnetometer=(self),gyroscope=(self),fullscreen=(self),payment=(self),usb=(self)";
+ add_header Referrer-Policy "no-referrer";
+ fastcgi_hide_header X-Powered-By;
+ # resolver 9.9.9.9 208.67.222.222;
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ ssl_trusted_certificate /certs/cert1.pem;
+
+ error_page 401 403 404 /404.html;
+ location / {
+ proxy_pass http://privatebin:8080;
+ }
+ }
+}
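Review bot: `limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;` declares a zone that nothing references — there is no `limit_req zone=one` in the `server` or `location /` block — so nginx applies no request rate limiting despite the declaration; add e.g. `limit_req zone=one burst=10 nodelay;` inside `location /` (burst value constructed, tune to taste) or drop the zone. The `location /` block also passes nothing about the client to the backend: without `proxy_set_header X-Forwarded-For $remote_addr;` (and likely `proxy_set_header Host $host;`) PrivateBin sees the nginx container's address for every visitor, which is why the `[traffic]` limit and the IP-based comment icons in conf.php cannot tell users apart; those headers plus `header = "X_FORWARDED_FOR"` in conf.php go together. `add_header X-XSS-Protection "1; mode=block" always;` enables a legacy browser filter that current browsers ignore and that has caused information leaks of its own; the usual guidance is `X-XSS-Protection "0"` or omitting the header, given that the CSP on the line above already covers this. `ssl_trusted_certificate` is only consumed by the commented-out OCSP stapling directives, so it should either be enabled with them or go with them.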