Initial commit

2026-05-09 17:28:23 +02:00
commit 9d73f82529
5575 changed files with 281989 additions and 0 deletions
@@ -0,0 +1,267 @@
+# ============================================
+# Epicnabbo.nl — Max Performance Nginx Config
+# ============================================
+
+# Upstream: Roadrunner (Octane)
+upstream octane {
+    server 127.0.0.1:8000;
+    keepalive 64;
+}
+
+# Redirect HTTP → HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name epicnabbo.nl www.epicnabbo.nl;
+
+    # Cloudflare flexible SSL passthrough
+    # If using Cloudflare Full SSL, uncomment the 443 block below
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/atomcms/public;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# Main HTTPS server
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name epicnabbo.nl www.epicnabbo.nl;
+
+    # SSL
+    ssl_certificate /etc/ssl/certs/epicnabbo.nl.crt;
+    ssl_certificate_key /etc/ssl/private/epicnabbo.nl.key;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
+    ssl_session_tickets off;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # Root
+    root /var/www/atomcms/public;
+    index index.php;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    # Hide Nginx version
+    server_tokens off;
+
+    # Client limits
+    client_max_body_size 20m;
+    client_body_timeout 30s;
+    client_header_timeout 10s;
+    keepalive_timeout 15s;
+    send_timeout 10s;
+
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_min_length 256;
+    gzip_types
+        text/plain
+        text/css
+        text/javascript
+        application/json
+        application/javascript
+        application/x-javascript
+        application/xml
+        application/xml+rss
+        application/atom+xml
+        image/svg+xml
+        font/opentype
+        font/ttf
+        font/woff
+        font/woff2;
+
+    # Brotli compression (if module installed)
+    # brotli on;
+    # brotli_comp_level 6;
+    # brotli_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
+
+    # ============================================
+    # STATIC ASSETS — Aggressive caching
+    # ============================================
+
+    # Versioned assets (immutable — cache 1 year)
+    location ~* \.(css|js)\.(.+)\.(css|js)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        access_log off;
+        try_files $uri =404;
+    }
+
+    # Images, fonts, icons — cache 1 year
+    location ~* \.(jpg|jpeg|png|gif|ico|svg|webp|avif|woff|woff2|ttf|otf|eot)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        access_log off;
+        try_files $uri =404;
+    }
+
+    # Gamedata / Habbo assets (symlinked)
+    location /gamedata/ {
+        expires 7d;
+        add_header Cache-Control "public";
+        access_log off;
+        try_files $uri =404;
+    }
+
+    # Storage files (avatars, badges, photos)
+    location /storage/ {
+        expires 30d;
+        add_header Cache-Control "public";
+        access_log off;
+        try_files $uri =404;
+    }
+
+    # ============================================
+    # SECURITY — Block sensitive paths
+    # ============================================
+
+    # Block dotfiles (.env, .git, etc.)
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Block composer/vendor
+    location ~ /vendor/ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Block storage (except public)
+    location ~ ^/storage/logs/ {
+        deny all;
+    }
+
+    # Block database files
+    location ~ \.(sql|sqlite|sqlite3)$ {
+        deny all;
+    }
+
+    # ============================================
+    # HEALTH CHECK
+    # ============================================
+
+    location /health {
+        access_log off;
+        return 200 "OK";
+        add_header Content-Type text/plain;
+    }
+
+    # ============================================
+    # FAVICON & ROBOTS
+    # ============================================
+
+    location = /favicon.ico {
+        expires 1y;
+        access_log off;
+        log_not_found off;
+        try_files $uri =404;
+    }
+
+    location = /robots.txt {
+        expires 1d;
+        access_log off;
+        log_not_found off;
+        try_files $uri =404;
+    }
+
+    # ============================================
+    # MAIN — Proxy to Octane (Roadrunner)
+    # ============================================
+
+    location / {
+        # Proxy to Octane
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+
+        # Cloudflare real IP
+        proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;
+
+        # Timeouts
+        proxy_connect_timeout 10s;
+        proxy_send_timeout 30s;
+        proxy_read_timeout 30s;
+
+        # Buffering
+        proxy_buffering on;
+        proxy_buffer_size 4k;
+        proxy_buffers 8 4k;
+
+        # Pass to Octane upstream
+        proxy_pass http://octane;
+
+        # No caching for dynamic content
+        add_header Cache-Control "no-cache, no-store, must-revalidate";
+        add_header Pragma "no-cache";
+        add_header Expires "0";
+
+        # Security headers (repeated for proxy responses)
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+    }
+
+    # ============================================
+    # WEBSOCKETS (for game rooms, radio, etc.)
+    # ============================================
+
+    location /ws {
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_connect_timeout 7d;
+        proxy_send_timeout 7d;
+        proxy_read_timeout 7d;
+
+        proxy_pass http://octane;
+    }
+
+    # ============================================
+    # FALLBACK — PHP-FPM (if Octane is down)
+    # ============================================
+    # Uncomment this block and comment out the Octane
+    # proxy above if you need to fall back to PHP-FPM.
+    #
+    # location ~ \.php$ {
+    #     fastcgi_pass unix:/run/php/php8.5-fpm.sock;
+    #     fastcgi_index index.php;
+    #     fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+    #     include fastcgi_params;
+    #
+    #     fastcgi_buffer_size 128k;
+    #     fastcgi_buffers 4 256k;
+    #     fastcgi_busy_buffers_size 256k;
+    #
+    #     fastcgi_read_timeout 60s;
+    # }
+}