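# Static-site virtual host: serves /srv on port 80, redirects "/" to the main
# site, exposes the same tree over authenticated WebDAV under /.dav/, and
# generates /sitemap.xml through njs.
#
# Line structure restored: with the whole block on one physical line, the
# first "#" comments out everything after it (including the closing brace),
# so nginx cannot parse the file.
server {
    # Plain HTTP only. NOTE(review): presumably TLS is terminated by a proxy
    # in front of this listener; confirm, because Basic auth below depends on it.
    listen 80;

    root /srv;

    # Log to the process's stdout/stderr rather than to files.
    access_log /dev/stdout;
    error_log /dev/stderr;

    keepalive_timeout 65;
    sendfile_max_chunk 1m;

    # Compress on the fly for every MIME type; do not look for pre-built .gz files.
    gzip_static off;
    gzip on;
    gzip_types *;

    # brotli
    # (brotli directives come from the third-party ngx_brotli module)
    brotli on;
    brotli_static on;

    # IP detection
    # NOTE(review): 0.0.0.0/0 marks every IPv4 peer as a trusted proxy, so any
    # client that reaches this listener directly can supply X-Forwarded-For and
    # choose the address recorded in $remote_addr and the access log. That
    # weakens log-based detection and any allow/deny or rate limit keyed on the
    # client address. Narrow this to the address or CIDR of the real proxy, e.g.
    #   set_real_ip_from <PROXY_CIDR>;   # placeholder, value not on this page
    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;

    index index.html;
    try_files $uri $uri/ =404;

    # Report 403 as 404 with the custom page, so forbidden paths look absent.
    error_page 403 =404 /404.html;

    # Kick malicious clients sooner
    client_header_timeout 10s;
    client_body_timeout 10s;
    client_max_body_size 128k;   # server-wide cap; raised inside /.dav/ below
    reset_timedout_connection on;

    # The bare root has no content of its own; send visitors to the main site.
    location = / {
        return 302 https://theorangeone.net;
    }

    # Inject plausible
    # NOTE(review): both the match string and the replacement are empty as
    # shown on this page; the original strings were probably lost when the page
    # was extracted. Restore them from the deployed config before relying on this.
    sub_filter "" "";
    sub_filter_once on;
    sub_filter_last_modified on;

    # Set sensible headers
    # add_header is inherited by a location only while that location declares
    # no add_header of its own; adding one there silently drops all four below.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header X-Content-Type-Options "nosniff" always;
    # This CSP only upgrades/blocks insecure subresources; it places no limit
    # on script or content sources.
    add_header Content-Security-Policy "upgrade-insecure-requests; block-all-mixed-content" always;

    # Expose WebDAV on a sub-path
    location /.dav/ {
        # Same directory as the public root: whatever an authenticated user
        # uploads, moves or deletes here changes what the site serves.
        alias /srv/;

        # HTTP Basic credentials are only base64-encoded on the wire, so this is
        # safe only behind TLS (see the listen note above).
        # No request-rate or failed-login limit is visible in this block;
        # repeated 401s for /.dav/ in the access log are the signal to watch.
        auth_basic_user_file /etc/nginx/.htpasswd;
        auth_basic "Restricted";

        dav_methods PUT DELETE MKCOL COPY MOVE;
        # PROPFIND/OPTIONS come from the third-party nginx-dav-ext-module.
        dav_ext_methods PROPFIND OPTIONS;

        # Depth 1 is the minimum needed to delete; nothing shallower is allowed.
        min_delete_depth 1;

        # Uploads may be larger than the 128k server-wide limit.
        client_max_body_size 50m;

        # PUT bodies are staged here before being moved into /srv.
        # NOTE(review): /tmp is normally shared with other processes, and the
        # dav module documentation recommends a temp directory on the same
        # filesystem as the destination so the final step is a rename rather
        # than a copy. A dedicated directory owned by the nginx user would
        # address both; confirm what the deployment mounts at /tmp.
        client_body_temp_path /tmp;

        # Create missing intermediate directories on PUT.
        create_full_put_path on;
    }

    # Healthcheck endpoint
    # Prefix match: any URI beginning with /.ping gets an empty 200, unlogged.
    location /.ping {
        access_log off;
        return 200;
    }

    # njs: load slides.js and let its sitemap handler produce the response.
    js_import slides.js;

    location = /sitemap.xml {
        js_content slides.sitemap;
    }
}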