
3 changed files with 155 additions and 13 deletions
@ -0,0 +1,151 @@ |
|||
# Meta |
|||
|
|||
*Meta* is a small Nginx/PHP tool displaying some informations in order to debug or satisfy your curiosity. |
|||
|
|||
## Use |
|||
|
|||
### Paths |
|||
|
|||
`/me` will redirect to `/<your-ip-address>` |
|||
`/<any-ip-address>` will print informations obtained from databases located in the `geolite2` directory |
|||
`/emoji` will print an emoji list |
|||
`/<anything-else>` will print *IP*, *TCP*, *TLS* and *HTTP* metadata |
|||
|
|||
### Domains |
|||
|
|||
`meta.4.niv.re` have working A (IPv4) and AAAA (IPv6) records |
|||
You can test IP version connectivity by forcing it throught |
|||
* `ipv4.meta.4.niv.re` only have the A record |
|||
* `ipv6.meta.4.niv.re` only have the AAAA record |
|||
|
|||
### Ports |
|||
|
|||
You can try to connect to a few other TCP ports than 443, using IPv6. |
|||
|
|||
## Installation |
|||
|
|||
### Nginx configuration |
|||
|
|||
``` |
|||
server { |
|||
listen 443 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:1 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:2 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:20 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:21 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:22 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:25 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:53 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:80 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:123 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:143 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:443 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:587 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:853 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:993 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:1194 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:1312 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:3478 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:5349 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:8448 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:9001 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:9030 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:16384 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:25565 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:32768 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:49152 ssl http2; |
|||
listen [2a01:e0a:15c:2e40::65:535]:65535 ssl http2; |
|||
|
|||
server_name meta.4.niv.re *.meta.4.niv.re; |
|||
|
|||
root /var/www/meta; |
|||
index index.php; |
|||
try_files $uri/ /; |
|||
|
|||
more_set_headers "Content-Security-Policy : default-src 'none'; frame-ancestors 'none'; form-action 'none';"; |
|||
more_set_headers "X-Content-Type-Options : nosniff"; |
|||
more_set_headers "X-XSS-Protection : 1; mode=block"; |
|||
more_set_headers "X-Download-Options : noopen"; |
|||
more_set_headers "X-Permitted-Cross-Domain-Policies : none"; |
|||
more_set_headers "X-Frame-Options : DENY"; |
|||
more_set_headers "Referrer-Policy : no-referrer"; |
|||
more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload"; |
|||
more_clear_headers Server; |
|||
|
|||
ssl_prefer_server_ciphers off; |
|||
|
|||
ssl_session_timeout 1d; |
|||
ssl_session_cache shared:SSL:50m; |
|||
ssl_session_tickets off; |
|||
|
|||
ssl_early_data off; |
|||
|
|||
ssl_stapling on; |
|||
ssl_stapling_verify on; |
|||
|
|||
ssl_protocols TLSv1.2 TLSv1.3; |
|||
ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384; |
|||
|
|||
ssl_ecdh_curve X25519:X448; |
|||
|
|||
ssl_certificate /etc/letsencrypt/live/meta.4.niv.re/fullchain.pem; |
|||
ssl_certificate_key /etc/letsencrypt/live/meta.4.niv.re/privkey.pem; |
|||
|
|||
error_log /var/log/nginx/meta.4.niv.re-error.log info; |
|||
access_log off; |
|||
|
|||
location ~ \.php$ { |
|||
fastcgi_split_path_info ^(.+\.php)(/.+)$; |
|||
fastcgi_pass unix:/var/run/php/meta.sock; |
|||
include inc/fastcgi.conf; |
|||
fastcgi_param SSL_CURVES $ssl_curves; |
|||
fastcgi_param SSL_CIPHERS $ssl_ciphers; |
|||
fastcgi_param SSL_CIPHER $ssl_cipher; |
|||
fastcgi_param SSL_PROTOCOL $ssl_protocol; |
|||
fastcgi_param SSL_SESSION_ID $ssl_session_id; |
|||
fastcgi_param NGINX_VERSION $nginx_version; |
|||
fastcgi_param TCPINFO_RTT $tcpinfo_rtt; |
|||
fastcgi_param TCPINFO_RTTVAR $tcpinfo_rttvar; |
|||
fastcgi_param TCPINFO_SND_CWND $tcpinfo_snd_cwnd; |
|||
fastcgi_param TCPINFO_RCV_SPACE $tcpinfo_rcv_space; |
|||
fastcgi_param CONNECTION $connection; |
|||
fastcgi_param CONNECTION_REQUESTS $connection_requests; |
|||
fastcgi_param REQUEST $request; |
|||
} |
|||
|
|||
location ~ emojis.txt { |
|||
charset utf-8; |
|||
} |
|||
} |
|||
``` |
|||
|
|||
### Might be useful |
|||
|
|||
``` |
|||
ip addr add 2a01:e0a:15c:2e40::65:535 dev eno1 |
|||
ufw allow in proto tcp to 2a01:e0a:15c:2e40::65:535 port 1:65535 |
|||
certbot certonly --nginx --key-type rsa --rsa-key-size 3072 -d *.meta.4.niv.re -d meta.4.niv.re |
|||
``` |
|||
|
|||
`/etc/network/interfaces`: |
|||
|
|||
``` |
|||
iface eno1 inet6 static |
|||
address 2a01:e0a:15c:2e40::65:535 |
|||
``` |
|||
|
|||
## Ressources |
|||
|
|||
Nginx variable list: <https://nginx.org/docs/varindex.html> |
|||
|
|||
PHP $_SERVER list: <https://www.php.net/manual/reserved.variables.server.php> |
|||
|
|||
### HTTP headers |
|||
|
|||
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields |
|||
https://developer.mozilla.org/docs/Web/HTTP/Headers |
|||
https://datatracker.ietf.org/doc/html/rfc7231 |
|||
|
|||
## Free software |
|||
|
|||
*Meta* is published under **AGPLv3+** (see `LICENSE`), it's source code is available at <https://code.antopie.org/miraty/meta>. `db-reader` and `geolite2` directories contents have their own license. |