reseed.onion.im.conf
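# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2025 Chris Barry <chris@barry.im>
# reseed.onion.im.conf - Nginx configuration for reseed.onion.im
#
# Serves a static landing page from /srv/reseed.onion.im and proxies
# /i2pseeds.su3 to a backend on localhost:8443. Every other path returns 404.

# Per-client request budget shared by the rate-limited locations below:
# 10 MB of state keyed on the binary client address, 1 request per second.
limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s;

server {
    server_name reseed.onion.im;

    # NOTE(review): the cleartext listeners share this server block, so the
    # landing page and the proxied file are also answered over plain HTTP, and
    # browsers ignore Strict-Transport-Security received over HTTP. If cleartext
    # access is not required, a separate port-80 server block that only
    # redirects to https would close that gap - confirm with the operator.
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;

    http2 on;

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Applies to TLS 1.2 negotiation. NOTE(review): the last two entries are
    # not restricted to GCM, so CBC-mode AES128 suites may still be negotiable -
    # confirm that is intended.
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH";
    ssl_ecdh_curve secp384r1;
    # Session tickets are off, so resumption relies on the shared cache.
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # NOTE(review): stapling only works while the issuing CA publishes an OCSP
    # responder for this certificate and nginx can resolve it; no resolver is
    # set in this file - verify stapling is actually in effect.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_certificate /etc/letsencrypt/live/reseed.onion.im/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/reseed.onion.im/privkey.pem;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    # "always" makes nginx attach these headers to every response code;
    # without it the 404, 429 and 50x responses this server produces by design
    # would go out without them.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; " always;
    add_header X-Frame-Options "DENY" always;

    root /usr/share/nginx/www;
    index index.php index.html index.htm;

    # Landing page, served from the site directory and rate limited per client:
    # up to 5 requests above the rate are served immediately, the rest get 429.
    location = /index.html {
        root /srv/reseed.onion.im;
        limit_req zone=perip burst=5 nodelay;
        limit_req_status 429;
    }

    # Bare "/" serves the same landing page, or 404 if the file is missing.
    location = / {
        root /srv/reseed.onion.im;
        limit_req zone=perip burst=5 nodelay;
        limit_req_status 429;
        try_files /index.html =404;
    }

    # Reseed bundle, proxied to the backend on the loopback interface.
    location = /i2pseeds.su3 {
        proxy_pass http://localhost:8443/i2pseeds.su3;
        # Set from the connecting address, replacing any X-Forwarded-For the
        # client sent, so the backend never sees a client-supplied value.
        proxy_set_header X-Forwarded-For $remote_addr;
        limit_req zone=perip burst=3 nodelay;
        limit_req_status 429;
    }

    # Default deny: only the exact-match locations in this block are reachable.
    location / {
        return 404;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;

    # error_page 404 redirects internally to /404.html. Without a dedicated
    # location that redirect lands in the catch-all above and the custom page
    # is never served. "internal" keeps direct requests for /404.html
    # answering 404, as they did before.
    # NOTE(review): presumably 404.html sits next to 50x.html - confirm the
    # file exists.
    location = /404.html {
        root /usr/share/nginx/www;
        internal;
    }

    location = /50x.html {
        root /usr/share/nginx/www;
    }
}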