diff --git a/xb-00-01/nginx/youtube-local.conf b/xb-00-01/nginx/youtube-local.conf
new file mode 100644
index 0000000..81e34c8
--- /dev/null
+++ b/xb-00-01/nginx/youtube-local.conf
@@ -0,0 +1,70 @@
+# Inferencium - xb-00-01
+# Nginx - Configuration - youtube-local
+# Version: 0.1.0
+
+# Copyright 2025 Jake Winters
+# SPDX-License-Identifier: BSD-3-Clause
+
+
+# Server (unencrypted)
+## Redirect from this server block to an encrypted server block if TLS is required
+server {
+ # General
+ server_name yt.inferencium.internal;
+ ## IPv4
+ listen 80;
+ ## IPv6
+ listen [::]:80;
+
+ # Location
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+
+# Server (TLS)
+server {
+ # General
+ server_name yt.inferencium.internal;
+ http2 on;
+ ## IPv4
+ listen 443 ssl;
+ ## IPv6
+ listen [::]:443 ssl;
+
+ # Location
+ location / {
+ proxy_pass http://localhost:8080;
+ }
+
+ # Security
+ ssl_trusted_certificate /etc/ssl/inferencium.internal/fullchain.pem;
+ ssl_certificate /etc/ssl/inferencium.internal/chain.pem;
+ ssl_certificate_key /etc/ssl/inferencium.internal/privkey.pem;
+ ssl_protocols TLSv1.3;
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256";
+ ssl_conf_command Ciphersuites "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ ssl_conf_command Options PrioritizeChaCha;
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve X25519:secp256r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_cache shared:ssl_session_cache:10m;
+ ssl_session_tickets off;
+
+ ## Headers
+ include /etc/nginx/include/header-security-nocsp.conf;
+
+ client_max_body_size 16m;
+ ignore_invalid_headers off;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
+
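Review bot: In the TLS server block `ssl_certificate` points at `chain.pem` while `ssl_trusted_certificate` points at `fullchain.pem`, which looks inverted if these files follow the usual ACME client layout (fullchain = leaf plus intermediates, chain = intermediates only); nginx would then be unable to match `privkey.pem` against the first certificate in the file. If that layout applies, swap them: `ssl_certificate /etc/ssl/inferencium.internal/fullchain.pem;` and `ssl_trusted_certificate /etc/ssl/inferencium.internal/chain.pem;`. `ssl_session_cache` is also set twice in the same block (`shared:MozSSL:10m` and `shared:ssl_session_cache:10m`), so one of the two lines should go. `ignore_invalid_headers off;` lets header names that nginx would otherwise drop reach the backend on localhost:8080, so it deserves a comment naming the client that needs it, or removal. Separately, `proxy_set_header Host $http_host;` forwards the client-supplied value verbatim, and `$host` is the normalised alternative.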