From d0e18be3d15d44ee962de1b7769e50405dbf951b Mon Sep 17 00:00:00 2001 
From: Miraty Date: Sun, 29 Aug 2021 17:39:12 +0200 Subject: [PATCH] Old Arch Linux system --- README.md | 3 + arch/about.md | 37 ++ arch/gemini.md | 2 + arch/gmnisrv.md | 53 ++ arch/installation.md | 30 + arch/knot.md | 8 + arch/maniver.md | 23 + arch/nginx.md | 7 + arch/niver-php.md | 30 + arch/openssh.md | 33 + arch/quota.md | 16 + install.md | 144 +++++ knot.conf | 27 + nginx/dhparam | 8 + nginx/inc/errors.conf | 71 +++ nginx/inc/fastcgi.conf | 26 + nginx/inc/intermediate.conf | 5 + nginx/inc/modern.conf | 3 + nginx/inc/niver-csp.conf | 1 + nginx/inc/security.conf | 24 + nginx/mimetypes/full.conf | 1003 ++++++++++++++++++++++++++++++ nginx/mimetypes/strict.conf | 39 ++ nginx/nginx.conf | 27 + nginx/sites/niver.atope.art.conf | 31 + php-fpm/errors.conf | 27 + php-fpm/niver.conf | 26 + share/banner.txt | 1 + share/knot.template | 2 + share/nginx/dns.template | 27 + share/nginx/onion.template | 9 + share/skel/about.txt | 5 + sshd_config | 88 +++ 32 files changed, 1836 insertions(+) create mode 100644 README.md create mode 100755 arch/about.md create mode 100755 arch/gemini.md create mode 100755 arch/gmnisrv.md create mode 100755 arch/installation.md create mode 100755 arch/knot.md create mode 100755 arch/maniver.md create mode 100755 arch/nginx.md create mode 100755 arch/niver-php.md create mode 100755 arch/openssh.md create mode 100755 arch/quota.md create mode 100755 install.md create mode 100755 knot.conf create mode 100755 nginx/dhparam create mode 100755 nginx/inc/errors.conf create mode 100755 nginx/inc/fastcgi.conf create mode 100755 nginx/inc/intermediate.conf create mode 100755 nginx/inc/modern.conf create mode 100755 nginx/inc/niver-csp.conf create mode 100755 nginx/inc/security.conf create mode 100755 nginx/mimetypes/full.conf create mode 100755 nginx/mimetypes/strict.conf create mode 100755 nginx/nginx.conf create mode 100755 nginx/sites/niver.atope.art.conf create mode 100755 php-fpm/errors.conf create mode 100755 php-fpm/niver.conf create mode 100755 
share/banner.txt create mode 100755 share/knot.template create mode 100755 share/nginx/dns.template create mode 100755 share/nginx/onion.template create mode 100755 share/skel/about.txt create mode 100755 sshd_config
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..8af8c66
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# Niver configuration
+
+This repository contains configuration files required by Niver or it's dependencies.
diff --git a/arch/about.md b/arch/about.md
new file mode 100755
index 0000000..030b12a
--- /dev/null
+++ b/arch/about.md
@@ -0,0 +1,37 @@
+# Niver
+
+## Features
+
+### Web interface
+
+* Login/register using a pseudo/password set
+* Pages are lower than 10 KiB
+* No JavaScript, no images, and CSS are optionnal
+* Dark and light themes
+* Free service running libre software
+
+### Hypertext
+
+* SFTP access
+* HTTP and Gemini
+* IPv4 and IPv6
+* TLS 1.2 & 1.3
+* DNS and Onion v3 (through Tor) access
+* HTTP/1.1 and HTTP/2
+* Let's Encrypt certificates for HTTP
+* All HTTP security headers
+
+### Nameserver
+
+* DNSSEC (with NSEC3)
+* NS, A, AAAA, TXT, and CAA records
+
+### Registry
+
+* Glue record
+* DNSSEC delegation with any modern cypher
+
+## Missing features
+
+* No internationalized domain name support (you can only use a small subset of ASCII in your domain name)
+* No BIND-style plaintext configuration (you need to fill a form for every record you add or remove)
diff --git a/arch/gemini.md b/arch/gemini.md
new file mode 100755
index 0000000..7d5d90a
--- /dev/null
+++ b/arch/gemini.md
@@ -0,0 +1,2 @@
+To generate a key/certificate pair with ed25519 expiring in 10 years
+`openssl req -subj '/CN=domain' -new -newkey ED25519 -days 3650 -nodes -x509 -keyout domain.key -out domain.crt`
diff --git a/arch/gmnisrv.md b/arch/gmnisrv.md
new file mode 100755
index 0000000..61cddee
--- /dev/null
+++ b/arch/gmnisrv.md
@@ -0,0 +1,53 @@
+# gmnisrv installation
+
+```
+# pacman -S make git pkgconf openssl scdoc
+$ git clone https://git.sr.ht/~sircmpwn/gmnisrv # Download gmnisrv sources
+$ mkdir gmnisrv/build
+$ cd gmnisrv/build
+$ ../configure --prefix=/usr # Check gmnisrv dependencies and setup files needed for building
+$ make # Build gmnisrv
+# make install # Install gmnisrv binary and manpages on the system
+# useradd -U -r -s /usr/bin/nologin gmnisrv # Add the gmnisrv system user and group
+# vim /etc/systemd/system/gmnisrv.service
+```
+
+```
+[Unit]
+Description=A Gemini server
+After=network.target
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/gmnisrv
+ExecStop=
+#Restart=on-failure
+User=gmnisrv
+Group=gmnisrv
+WorkingDirectory=/srv/ht
+
+[Install]
+WantedBy=multi-user.target
+```
+```
+# systemctl daemon-reload
+# mkdir -p /srv/gemini/niver.atope.art
+# echo "This is a testing Gemini capsule" > /srv/gemini/niver.atope.art/index.gmi
+# mkdir /var/local/gmnisrv
+# chmod -R 700 /var/local/gmnisrv
+# chown -R gmnisrv:gmnisrv /var/local/gmnisrv
+# vim /usr/local/etc/gmnisrv.ini
+```
+
+```
+# Space-separated list of hosts
+listen=0.0.0.0:1965 [::]:1965
+
+[:tls]
+# Path to store certificates on disk
+store=/var/local/gmnisrv
+
+[niver.atope.art]
+root=/srv/gemini/niver.atope.art
+```
diff --git a/arch/installation.md b/arch/installation.md
new file mode 100755
index 0000000..b2e1dfc
--- /dev/null
+++ b/arch/installation.md
@@ -0,0 +1,30 @@
+# Niver system installation
+
+Niver will use and need specific configuration for
+
+* Knot DNS
+* OpenSSH
+* Nginx
+* Tor
+* Gmnisrv
+* PHP-FPM
+
+To do root-level actions, Niver will also use a privileged binary, written in Rust, called Maniver.
+
+Niver has been deployed on the following distributions :
+
+* Debian 10, using Nginx 1.14.2 and OpenSSH 7.9p1, and latest available version of Tor, Knot and gmnisrv using their official release channel.
+* Arch Linux
+
+To provide all features:
+
+`# pacman -S tor knot openssh sudo nginx nginx-mod-headers-more certbot certbot-nginx php-fpm php-sqlite`
+
+Some tools you might find usefull to manage a server:
+
+`# pacman -S vnstat htop nload ufw vim man-db curl screen`
+
+[Gemini](gemini.md)
+[Maniver](maniver.md)
+[OpenSSH](openssh.md)
+[Nginx](nginx.md)
diff --git a/arch/knot.md b/arch/knot.md
new file mode 100755
index 0000000..ced4f63
--- /dev/null
+++ b/arch/knot.md
@@ -0,0 +1,8 @@
+# Knot setup
+
+```
+# systemctl stop knot
+# sudo -u knot knotc conf-import /usr/local/share/niver/knot.conf
+# systemctl restart knot
+# systemctl enable knot
+```
diff --git a/arch/maniver.md b/arch/maniver.md
new file mode 100755
index 0000000..a4fadcf
--- /dev/null
+++ b/arch/maniver.md
@@ -0,0 +1,23 @@
+# Maniver
+
+## Installation
+
+```
+# pacman -S rustup git
+$ rustup default stable
+$ git clone https://code.antopie.org/miraty/maniver-dev
+$ cd maniver-dev
+$ cargo build --release
+# cp ./target/release/maniver /usr/local/bin/
+```
+
+## Update
+
+```
+$ rustup update
+$ cd maniver-dev
+$ cargo update
+$ git pull
+$ cargo build --release
+# cp ./target/release/maniver /usr/local/bin/
+```
diff --git a/arch/nginx.md b/arch/nginx.md
new file mode 100755
index 0000000..1d7eacc
--- /dev/null
+++ b/arch/nginx.md
@@ -0,0 +1,7 @@
+# Nginx configuration setup
+
+Use the configuration provided.
+
+Niver require the module *Headers More*.
+
+On Arch Linux, install it with `pacman -Syu nginx-mod-headers-more`.
diff --git a/arch/niver-php.md b/arch/niver-php.md
new file mode 100755
index 0000000..da6e3ab
--- /dev/null
+++ b/arch/niver-php.md
@@ -0,0 +1,30 @@
+
+# Niver-PHP setup
+
+Use pools configurations provided along this documentation.
+
+To hide PHP presence, set in php.ini:
+`expose_php = Off`
+
+```
+# useradd -U -r -s /usr/bin/nologin php-niver
+# useradd -U -r -s /usr/bin/nologin php-errors
+```
+
+## Permission to manage system things as root
+
+Once you've [set up Maniver](maniver.md):
+```
+# EDITOR=vim visudo
+php-niver ALL=(root) NOPASSWD: /usr/local/bin/maniver
+```
+
+## Permission to manage Knot
+
+To add knot as an additional group for user php-niver: `# usermod -aG knot php-niver`
+
+New method:
+```
+# chmod -R 770 /var/lib/knot
+# chown -R php-niver:knot /var/lib/knot
+```
diff --git a/arch/openssh.md b/arch/openssh.md
new file mode 100755
index 0000000..8077eac
--- /dev/null
+++ b/arch/openssh.md
@@ -0,0 +1,33 @@
+### SFTP setup
+
+```
+# groupadd ht
+# echo "Ce compte n'est accessible qu'en SFTP, pas en SSH.
+This account is only available over SFTP, not over SSH." > /etc/nologin.txt
+# ssh-keygen -q -N "" -t ed25519 -f /etc/ssh/keys/ed25519
+# ssh-keygen -q -N "" -t rsa -b 3072 -f /etc/ssh/keys/rsa-3072
+# awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe
+# mv /etc/ssh/moduli.safe /etc/ssh/moduli
+```
+
+To get the ASCII art and SHA-256 fingerprints:
+```
+# ssh-keygen -vlf /etc/ssh/keys/ed25519.pub
+# ssh-keygen -vlf /etc/ssh/keys/rsa-3072.pub
+```
+
+To generate SSHFP records:
+```
+# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/ed25519.pub
+# ssh-keygen -r sftp.niver.4.niv.re -f /etc/ssh/rsa-3072.pub
+```
+Don't use the first record, which is SHA-1, use the second, which is SHA-256.
+`SSHFP `
+For `pkey-algorithm`:
+* `1` means RSA
+* `2` means DSA (must not be used)
+* `3` means ECDSA (should not be used)
+* `4` means Ed25519
+For `hash-algorithm`:
+* `1` means SHA-1 (must not be used)
+* `2` means SHA-256
diff --git a/arch/quota.md b/arch/quota.md
new file mode 100755
index 0000000..22283a5
--- /dev/null
+++ b/arch/quota.md
@@ -0,0 +1,16 @@
+# Quota setup
+
+```
+# pacman -S quota-tool
+# dd if=/dev/zero of=/srv/ht.img count=4194304 # count is the size in octet
+# mkfs.ext4 /srv/ht.img
+# mkdir /srv/ht
+# mount /srv/ht.img /srv/ht
+```
+
+```
+# quotacheck -gcum /
+# quotaon -v /
+```
+
+UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 rw,relatime,usrquota,grpquota 0 1
diff --git a/install.md b/install.md
new file mode 100755
index 0000000..e167aa2
--- /dev/null
+++ b/install.md
@@ -0,0 +1,144 @@
+# Niver setup on Debian 11 (bullseye)
+
+```
+# apt install tor knot openssh-server sudo nginx certbot python3-certbot-nginx php7.4-fpm php-sqlite3 quota
+```
+
+## Create system users
+
+```
+# useradd -U -r -s /usr/sbin/nologin
+```
+
+## Twins
+
+```
+$ wget https://golang.org/dl/go1.16.7.linux-amd64.tar.gz -o go.tar.gz
+$ tar -xf go.tar.gz
+$ go/bin/go get code.rocketnine.space/tslocum/twins
+$ cp go/bin/twins /usr/local/bin/
+```
+
+## maniver
+
+Installation
+```
+# apt install gcc git
+$ git clone https://code.antopie.org/Niver/maniver && cd maniver
+$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+$ cargo build --release
+# cp target/release/maniver /usr/local/bin/
+# chown root:php-niver /usr/local/bin/maniver
+# chmod 750 /usr/local/bin/maniver
+```
+
+Update
+```
+$ git fetch
+$ rustup update
+$ cargo update
+$ cargo build --release
+# cp target/release/maniver /usr/local/bin/
+```
+
+## gmnisrv
+
+```
+# apt install git make pkg-config libssl-dev scdoc
+$ git clone https://git.sr.ht/~sircmpwn/gmnisrv # Download gmnisrv sources
+$ mkdir gmnisrv/build
+$ cd gmnisrv/build
+$ ../configure --prefix=/usr # Check gmnisrv dependencies and setup files needed for building
+$ make # Build gmnisrv
+# make install # Install gmnisrv binary and manpages on the system
+# useradd -U -r -s /usr/sbin/nologin gmnisrv # Add the gmnisrv system user and group
+# vim /etc/systemd/system/gmnisrv.service
+```
+
+```
+[Unit]
+Description=Gmnisrv, a Gemini server
+After=network.target
+Wants=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/gmnisrv
+Restart=always
+User=gmnisrv
+Group=gmnisrv
+WorkingDirectory=/srv/ht
+
+[Install]
+WantedBy=multi-user.target
+```
+```
+# systemctl daemon-reload
+# mkdir -p /srv/gmi/niver.4.niv.re
+# echo "This is a testing Gemini capsule" > /srv/gmi/niver.4.niv.re/index.gmi
+# mkdir /var/lib/gemini
+# chmod -R 700 /var/lib/gemini
+# chown -R gmnisrv:gmnisrv /var/lib/gemini
+# vim /etc/gmnisrv.ini
+```
+
+```
+# Space-separated list of hosts
+listen=0.0.0.0:1965 [::]:1965
+
+[:tls]
+# Path to store certificates on disk
+store=/var/lib/gemini
+
+[niver.4.niv.re]
+root=/srv/gmi/niver.4.niv.re
+```
+
+
+## SFTP
+
+```
+# groupadd ht
+```
+
+## Quota
+
+```
+# quotacheck -cm /
+# vim /etc/fstab
+```
+
+UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 usrquota,grpquota,errors=remount-ro 0 1
+
+## Knot DNS
+
+```
+# sudo -u knot knotc conf-init
+# sudo -u knot knotc conf-import
+```
+
+## Nginx
+
+Generate a self-signed certificate for default Nginx site.
+```
+# openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt
+```
+
+## Niver-PHP
+
+```
+# chown -R root:root /usr/local/share/niver
+# chmod -R u=rwX,go=rX /usr/local/share/niver
+# mkdir /etc/nginx/ht
+# chown -R php-niver:php-niver /etc/nginx/ht
+# chmod -R 775 /etc/nginx/ht
+```
+
+Increase `session.gc_maxlifetime` in /etc/php/7.4/fpm/php.ini to avoid sessions being cleared too soon.
+
+## Tor
+
+This command only exist on Debian
+```
+# tor-instance-create niver
+```
diff --git a/knot.conf b/knot.conf
new file mode 100755
index 0000000..69abfbd
--- /dev/null
+++ b/knot.conf
@@ -0,0 +1,27 @@
+server:
+ rundir: "/run/knot"
+ user: "knot:knot"
+ listen: [ "0.0.0.0@53", "::@53" ]
+
+log:
+ - target: "/var/log/knot.log"
+ any: "debug"
+
+database:
+ storage: "/var/lib/knot"
+
+policy:
+ - id: "niver"
+ algorithm: "ed25519"
+ nsec3: "on"
+
+template:
+ - id: "niver"
+ storage: "/var/lib/knot/zones"
+ file: "%s.zone"
+ dnssec-signing: "on"
+ dnssec-policy: "niver"
+
+zone:
+ - domain: "niv.re."
+ template: "niver"
diff --git a/nginx/dhparam b/nginx/dhparam
new file mode 100755
index 0000000..088f967
--- /dev/null
+++ b/nginx/dhparam
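Review bot: `any: "debug"` in the `log:` section of knot.conf writes every log category at debug severity to `/var/log/knot.log`, which is far more detail than a public authoritative server needs in routine operation and will grow quickly unless rotation is configured elsewhere; `any: "info"` is the usual level, with debug switched on only while troubleshooting. The `server:` section listens on every IPv4 and IPv6 address and no response rate limiting is visible in this file, so if nothing upstream handles it, Knot's `mod-rrl` module is worth enabling to make the server harder to abuse for reflection. The file is also added with mode 100755, as are nginx/dhparam and the nginx/inc/*.conf files in this patch; none of them needs the executable bit.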
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
\ No newline at end of file
diff --git a/nginx/inc/errors.conf b/nginx/inc/errors.conf
new file mode 100755
index 0000000..91e1893
--- /dev/null
+++ b/nginx/inc/errors.conf
@@ -0,0 +1,71 @@
+recursive_error_pages on;
+return 404;
+# 403 Forbidden
+error_page 403 @403;
+location @403 {
+ root /srv/http/errors;
+ try_files /403.html =500;
+}
+
+# 404 Not Found
+error_page 404 @local404;
+location @local404 {
+ try_files /404.html /404.md /404.gmi @niver404;
+}
+location @niver404 {
+ root /srv/http/errors;
+ try_files /404.php =500;
+ index 404.php;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php-fpm/errors.sock;
+ include inc/fastcgi.conf;
+}
+
+# 405 Method Not Allowed
+error_page 405 @405;
+location @405 {
+ root /srv/http/errors;
+ try_files /405.html =500;
+}
+
+# 410 Gone
+error_page 410 @410;
+location @410 {
+ root /srv/http/errors;
+ try_files /410.html =500;
+}
+
+# 418 I'm a teapot
+error_page 418 @418;
+location @418 {
+ root /srv/http/errors;
+ try_files /418.html =500;
+}
+
+# 500 Internal Server Error
+error_page 500 @500;
+location @500 {
+ root /srv/http/errors;
+ try_files /500.html =500;
+}
+
+# 502 Bad Gateway
+error_page 502 @502;
+location @502 {
+ root /srv/http/errors;
+ try_files /502.html =500;
+}
+
+# 503 Service Unavailable
+error_page 503 @503;
+location @503 {
+ root /srv/http/errors;
+ try_files /503.html =500;
+}
+
+# 504 Gateway Timeout
+error_page 504 @504;
+location @504 {
+ root /srv/http/errors;
+ try_files /504.html =500;
+}
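Review bot: nginx/dhparam carries no indication of where these parameters come from, and a reader cannot tell a standard group from a locally generated one by looking at the base64. The value looks like the RFC 7919 ffdhe2048 group that Mozilla's server-side TLS guidance distributes, which should be confirmed against that source; if it is, the install documentation should say so, for example `nginx/dhparam: RFC 7919 ffdhe2048 group (public parameters, not a secret)`. Committing DH parameters is fine because they are public, but the recorded provenance matters, and 2048 bits is the floor for the DHE suites that nginx/inc/intermediate.conf enables.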
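Review bot: With `recursive_error_pages on;`, the `=500` fallback inside `location @500` feeds back into `error_page 500 @500;` whenever `/srv/http/errors/500.html` is missing, and every other handler's `=500` fallback leads to the same place. As far as I can tell nginx only breaks the cycle at its internal-redirect limit, so a comment above `@500` such as `# 500.html must always be deployed: with recursive_error_pages on, the =500 fallback re-enters this handler` would make the dependency explicit. The unconditional `return 404;` on the second line also needs a comment like `# catch-all server only: every request is answered with the 404 page`, because at server level it runs before any location is selected. The files that include inc/errors.conf are outside this hunk, so check that none of them is a real site.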
diff --git a/nginx/inc/fastcgi.conf b/nginx/inc/fastcgi.conf
new file mode 100755
index 0000000..091738c
--- /dev/null
+++ b/nginx/inc/fastcgi.conf
@@ -0,0 +1,26 @@
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/nginx/inc/intermediate.conf b/nginx/inc/intermediate.conf
new file mode 100755
index 0000000..28cff96
--- /dev/null
+++ b/nginx/inc/intermediate.conf
@@ -0,0 +1,5 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_dhparam /etc/nginx/dhparam;
+
+include inc/security.conf;
diff --git a/nginx/inc/modern.conf b/nginx/inc/modern.conf
new file mode 100755
index 0000000..6434e1b
--- /dev/null
+++ b/nginx/inc/modern.conf
@@ -0,0 +1,3 @@
+ssl_protocols TLSv1.3;
+
+include inc/security.conf;
diff --git a/nginx/inc/niver-csp.conf b/nginx/inc/niver-csp.conf
new file mode 100755
index 0000000..1f2850f
--- /dev/null
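Review bot: The parameter list in nginx/inc/fastcgi.conf never clears `HTTP_PROXY`, so a client-supplied `Proxy:` request header is forwarded to PHP as the `HTTP_PROXY` variable (the "httpoxy" class of issue); adding `fastcgi_param HTTP_PROXY "";` at the end of the file closes that. `SCRIPT_FILENAME` is built from `$document_root$fastcgi_script_name`, so every location that includes this file should confirm the script exists before `fastcgi_pass`, as `try_files /404.php =500;` does in nginx/inc/errors.conf. The site files that include it are not part of this hunk, so that check has to be verified there.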
+++ b/nginx/inc/niver-csp.conf
@@ -0,0 +1 @@
+more_set_headers "Content-Security-Policy : default-src 'self'; object-src 'none';";
diff --git a/nginx/inc/security.conf b/nginx/inc/security.conf
new file mode 100755
index 0000000..f4e4e5d
--- /dev/null
+++ b/nginx/inc/security.conf
@@ -0,0 +1,24 @@
+more_set_headers "X-Content-Type-Options : nosniff";
+more_set_headers "X-XSS-Protection : 1; mode=block";
+more_set_headers "X-Download-Options : noopen";
+more_set_headers "X-Permitted-Cross-Domain-Policies : none";
+more_set_headers "X-Frame-Options : DENY";
+more_set_headers "Referrer-Policy : no-referrer";
+more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
+#more_set_headers "Server : nginx Niver";
+
+more_clear_headers Server;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_prefer_server_ciphers off;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_certificate /etc/letsencrypt/live/niver.atope.art/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/niver.atope.art/privkey.pem;
+
+autoindex off;
+
+gzip off;
diff --git a/nginx/mimetypes/full.conf b/nginx/mimetypes/full.conf
new file mode 100755
index 0000000..d5b5a36
--- /dev/null
+++ b/nginx/mimetypes/full.conf
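Review bot: The policy in nginx/inc/niver-csp.conf only restricts what falls back to `default-src`, and `base-uri`, `form-action` and `frame-ancestors` do not, so those three stay unrestricted by CSP. For an interface the docs describe as having no JavaScript, the value can be tightened to `default-src 'self'; object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none';`. The header is written with a space before the colon (`Content-Security-Policy : …`), as are the headers in nginx/inc/security.conf; check an actual response to confirm the module normalises the name, or drop the space.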
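Review bot: `ssl_stapling_verify on;` in nginx/inc/security.conf has no `ssl_trusted_certificate` beside it, and nginx needs the issuer chain configured as trusted to verify the OCSP response it staples; a `resolver` is also required to look up the responder. If nginx/nginx.conf does not set them (it is outside this hunk), add `ssl_trusted_certificate /etc/letsencrypt/live/niver.atope.art/chain.pem;` and a `resolver` line here. `Strict-Transport-Security` is sent with `includeSubDomains; preload` from an include shared by both TLS profiles, which commits every subdomain of any host using it to HTTPS for three years, so a comment stating that this is intended would help. `X-XSS-Protection : 1; mode=block` turns on a legacy browser filter that current guidance recommends disabling with `0` or leaving out.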
@@ -0,0 +1,1003 @@ +types { +application/A2L a2l; +application/AML aml; +application/andrew-inset ez; +application/ATF atf; +application/ATFX atfx; +application/ATXML atxml; +application/atom+xml atom; +application/atomcat+xml atomcat; +application/atomdeleted+xml atomdeleted; +application/atomsvc+xml atomsvc; +application/atsc-dwd+xml dwd; +application/atsc-held+xml held; +application/atsc-rsat+xml rsat; +application/auth-policy+xml apxml; +application/bacnet-xdd+zip xdd; +application/calendar+xml xcs; +application/cbor cbor; +application/cccex c3ex; +application/ccmp+xml ccmp; +application/ccxml+xml ccxml; +application/CDFX+XML cdfx; +application/cdmi-capability cdmia; +application/cdmi-container cdmic; +application/cdmi-domain cdmid; +application/cdmi-object cdmio; +application/cdmi-queue cdmiq; +application/CEA cea; +application/cellml+xml cellml cml; +application/clue_info+xml clue; +application/cms cmsc; +application/cpl+xml cpl; +application/csrattrs csrattrs; +application/dash+xml mpd; +application/dashdelta mpdd; +application/davmount+xml davmount; +application/DCD dcd; +application/dicom dcm; +application/DII dii; +application/DIT dit; +application/dskpp+xml xmls; +application/dssc+der dssc; +application/dssc+xml xdssc; +application/dvcs dvc; +application/ecmascript es; +application/efi efi; +application/emma+xml emma; +application/emotionml+xml emotionml; +application/epub+zip epub; +application/exi exi; +application/fastinfoset finf; +application/fdt+xml fdt; +application/font-tdpfr pfr; +application/geo+json geojson; +application/geopackage+sqlite3 gpkg; +application/gltf-buffer glbin glbuf; +application/gml+xml gml; +application/gzip gz tgz; +application/hyperstudio stk; +application/inkml+xml ink inkml; +application/ipfix ipfix; +application/its+xml its; +application/javascript js; +application/jrd+json jrd; +application/json json; +application/json-patch+json json-patch; +application/ld+json jsonld; +application/lgr+xml lgr; +application/link-format 
wlnk; +application/lost+xml lostxml; +application/lostsync+xml lostsyncxml; +application/lpf+zip lpf; +application/LXF lxf; +application/mac-binhex40 hqx; +application/mads+xml mads; +application/marc mrc; +application/marcxml+xml mrcx; +application/mathematica nb ma mb; +application/mathml+xml mml; +application/mbox mbox; +application/metalink4+xml meta4; +application/mets+xml mets; +application/MF4 mf4; +application/mmt-aei+xml maei; +application/mmt-usd+xml musd; +application/mods+xml mods; +application/mp21 m21 mp21; +application/msword doc; +application/mxf mxf; +application/n-quads nq; +application/n-triples nt; +application/ocsp-request orq; +application/ocsp-response ors; +application/octet-stream bin lha lzh exe class so dll img iso; +application/oda oda; +application/ODX odx; +application/oebps-package+xml opf; +application/ogg ogx; +application/oxps oxps; +application/p2p-overlay+xml relo; +application/pdf pdf; +application/PDX pdx; +application/pem-certificate-chain pem; +application/pgp-encrypted pgp; +application/pgp-signature sig; +application/pkcs10 p10; +application/pkcs12 p12 pfx; +application/pkcs7-mime p7m p7c; +application/pkcs7-signature p7s; +application/pkcs8 p8; +application/pkcs8-encrypted p8e; +application/pkix-cert cer; +application/pkix-crl crl; +application/pkix-pkipath pkipath; +application/pkixcmp pki; +application/pls+xml pls; +application/postscript ps eps ai; +application/provenance+xml provx; +application/prs.cww cw cww; +application/prs.hpub+zip hpub; +application/prs.nprend rnd rct; +application/prs.rdf-xml-crypt rdf-crypt; +application/prs.xsf+xml xsf; +application/pskc+xml pskcxml; +application/rdf+xml rdf; +application/route-apd+xml rapd; +application/route-s-tsid+xml sls; +application/route-usd+xml rusd; +application/reginfo+xml rif; +application/relax-ng-compact-syntax rnc; +application/resource-lists-diff+xml rld; +application/resource-lists+xml rl; +application/rfc+xml rfcxml; +application/rls-services+xml rs; 
+application/rpki-ghostbusters gbr; +application/rpki-manifest mft; +application/rpki-roa roa; +application/rtf rtf; +application/scim+json scim; +application/scvp-cv-request scq; +application/scvp-cv-response scs; +application/scvp-vp-request spq; +application/scvp-vp-response spp; +application/sdp sdp; +application/senml-etch+cbor senml-etchc; +application/senml-etch+json senml-etchj; +application/senml+cbor senmlc; +application/senml+json senml; +application/senml+xml senmlx; +application/senml-exi senmle; +application/sensml+cbor sensmlc; +application/sensml+json sensml; +application/sensml+xml sensmlx; +application/sensml-exi sensmle; +application/sgml-open-catalog soc; +application/shf+xml shf; +application/sieve siv sieve; +application/simple-filter+xml cl; +application/smil+xml smil smi sml; +application/sparql-query rq; +application/sparql-results+xml srx; +application/sql sql; +application/srgs gram; +application/srgs+xml grxml; +application/sru+xml sru; +application/ssml+xml ssml; +application/stix+json stix; +application/swid+xml swidtag; +application/tamp-apex-update tau; +application/tamp-apex-update-confirm auc; +application/tamp-community-update tcu; +application/tamp-community-update-confirm cuc; +application/td+json jsontd; +application/tamp-error ter; +application/tamp-sequence-adjust tsa; +application/tamp-sequence-adjust-confirm sac; +application/tamp-update tur; +application/tamp-update-confirm tuc; +application/tei+xml tei teiCorpus odd; +application/thraud+xml tfi; +application/timestamp-query tsq; +application/timestamp-reply tsr; +application/timestamped-data tsd; +application/trig trig; +application/ttml+xml ttml; +application/urc-grpsheet+xml gsheet; +application/urc-ressheet+xml rsheet; +application/urc-targetdesc+xml td; +application/urc-uisocketdesc+xml uis; +application/vnd.1000minds.decision-model+xml 1km; +application/vnd.3gpp.pic-bw-large plb; +application/vnd.3gpp.pic-bw-small psb; +application/vnd.3gpp.pic-bw-var pvb; 
+application/vnd.3gpp2.sms sms; +application/vnd.3gpp2.tcap tcap; +application/vnd.3lightssoftware.imagescal imgcal; +application/vnd.3M.Post-it-Notes pwn; +application/vnd.accpac.simply.aso aso; +application/vnd.accpac.simply.imp imp; +application/vnd.acucobol acu; +application/vnd.acucorp atc acutc; +application/vnd.adobe.flash.movie swf; +application/vnd.adobe.formscentral.fcdt fcdt; +application/vnd.adobe.fxp fxp fxpl; +application/vnd.adobe.xdp+xml xdp; +application/vnd.adobe.xfdf xfdf; +application/vnd.afpc.modca list3820 listafp afp pseg3820; +application/vnd.afpc.modca-overlay ovl; +application/vnd.afpc.modca-pagesegment psg; +application/vnd.ahead.space ahead; +application/vnd.airzip.filesecure.azf azf; +application/vnd.airzip.filesecure.azs azs; +application/vnd.amazon.mobi8-ebook azw3; +application/vnd.americandynamics.acc acc; +application/vnd.amiga.ami ami; +application/vnd.android.ota ota; +application/vnd.anki apkg; +application/vnd.anser-web-certificate-issue-initiation cii; +application/vnd.anser-web-funds-transfer-initiation fti; +application/vnd.apple.installer+xml dist distz pkg mpkg; +application/vnd.apple.keynote keynote; +application/vnd.apple.mpegurl m3u8; +application/vnd.apple.numbers numbers; +application/vnd.apple.pages pages; +application/vnd.aristanetworks.swi swi; +application/vnd.artisan+json artisan; +application/vnd.astraea-software.iota iota; +application/vnd.audiograph aep; +application/vnd.autopackage package; +application/vnd.balsamiq.bmml+xml bmml; +application/vnd.banana-accounting ac2; +application/vnd.balsamiq.bmpr bmpr; +application/vnd.blueice.multipass mpm; +application/vnd.bluetooth.ep.oob ep; +application/vnd.bluetooth.le.oob le; +application/vnd.bmi bmi; +application/vnd.businessobjects rep; +application/vnd.cendio.thinlinc.clientconf tlclient; +application/vnd.chemdraw+xml cdxml; +application/vnd.chess-pgn pgn; +application/vnd.chipnuts.karaoke-mmd mmd; +application/vnd.cinderella cdy; 
+application/vnd.citationstyles.style+xml csl; +application/vnd.claymore cla; +application/vnd.cloanto.rp9 rp9; +application/vnd.clonk.c4group c4g c4d c4f c4p c4u; +application/vnd.cluetrust.cartomobile-config c11amc; +application/vnd.cluetrust.cartomobile-config-pkg c11amz; +application/vnd.coffeescript coffee; +application/vnd.collabio.xodocuments.document xodt; +application/vnd.collabio.xodocuments.document-template xott; +application/vnd.collabio.xodocuments.presentation xodp; +application/vnd.collabio.xodocuments.presentation-template xotp; +application/vnd.collabio.xodocuments.spreadsheet xods; +application/vnd.collabio.xodocuments.spreadsheet-template xots; +application/vnd.comicbook-rar cbr; +application/vnd.comicbook+zip cbz; +application/vnd.commerce-battelle ica icf icd ic0 ic1 ic2 ic3 ic4 ic5 ic6 ic7 ic8; +application/vnd.commonspace csp cst; +application/vnd.contact.cmsg cdbcmsg; +application/vnd.coreos.ignition+json ign ignition; +application/vnd.cosmocaller cmc; +application/vnd.crick.clicker clkx; +application/vnd.crick.clicker.keyboard clkk; +application/vnd.crick.clicker.palette clkp; +application/vnd.crick.clicker.template clkt; +application/vnd.crick.clicker.wordbank clkw; +application/vnd.criticaltools.wbs+xml wbs; +application/vnd.crypto-shade-file ssvc; +application/vnd.ctc-posml pml; +application/vnd.cups-ppd ppd; +application/vnd.curl curl; +application/vnd.dart dart; +application/vnd.data-vision.rdz rdz; +application/vnd.dbf dbf; +application/vnd.debian.binary-package deb udeb; +application/vnd.dece.data uvf uvvf uvd uvvd; +application/vnd.dece.ttml+xml uvt uvvt; +application/vnd.dece.unspecified uvx uvvx; +application/vnd.dece.zip uvz uvvz; +application/vnd.denovo.fcselayout-link fe_launch; +application/vnd.desmume.movie dsm; +application/vnd.dna dna; +application/vnd.document+json docjson; +application/vnd.doremir.scorecloud-binary-document scld; +application/vnd.dpgraph dpg mwc dpgraph; +application/vnd.dreamfactory dfac; 
+application/vnd.dtg.local.flash fla; +application/vnd.dvb.ait ait; +application/vnd.dvb.service svc; +application/vnd.dynageo geo; +application/vnd.dzr dzr; +application/vnd.ecowin.chart mag; +application/vnd.enliven nml; +application/vnd.epson.esf esf; +application/vnd.epson.msf msf; +application/vnd.epson.quickanime qam; +application/vnd.epson.salt slt; +application/vnd.epson.ssf ssf; +application/vnd.ericsson.quickcall qcall qca; +application/vnd.espass-espass+zip espass; +application/vnd.eszigno3+xml es3 et3; +application/vnd.etsi.asic-e+zip asice sce; +application/vnd.etsi.asic-s+zip asics; +application/vnd.etsi.timestamp-token tst; +application/vnd.exstream-empower+zip mpw; +application/vnd.exstream-package pub; +application/vnd.evolv.ecig.profile ecigprofile; +application/vnd.evolv.ecig.settings ecig; +application/vnd.evolv.ecig.theme ecigtheme; +application/vnd.ezpix-album ez2; +application/vnd.ezpix-package ez3; +application/vnd.fastcopy-disk-image dim; +application/vnd.fdf fdf; +application/vnd.fdsn.mseed msd mseed; +application/vnd.fdsn.seed seed dataless; +application/vnd.ficlab.flb+zip flb; +application/vnd.filmit.zfc zfc; +application/vnd.FloGraphIt gph; +application/vnd.fluxtime.clip ftc; +application/vnd.font-fontforge-sfd sfd; +application/vnd.framemaker fm; +application/vnd.frogans.fnc fnc; +application/vnd.frogans.ltf ltf; +application/vnd.fsc.weblaunch fsc; +application/vnd.fujitsu.oasys oas; +application/vnd.fujitsu.oasys2 oa2; +application/vnd.fujitsu.oasys3 oa3; +application/vnd.fujitsu.oasysgp fg5; +application/vnd.fujitsu.oasysprs bh2; +application/vnd.fujixerox.ddd ddd; +application/vnd.fujixerox.docuworks xdw; +application/vnd.fujixerox.docuworks.binder xbd; +application/vnd.fujixerox.docuworks.container xct; +application/vnd.fuzzysheet fzs; +application/vnd.genomatix.tuxedo txd; +application/vnd.geocube+xml g3 g³; +application/vnd.geogebra.file ggb; +application/vnd.geogebra.tool ggt; +application/vnd.geometry-explorer gex gre; 
+application/vnd.geonext gxt; +application/vnd.geoplan g2w; +application/vnd.geospace g3w; +application/vnd.gmx gmx; +application/vnd.google-earth.kml+xml kml; +application/vnd.google-earth.kmz kmz; +application/vnd.grafeq gqf gqs; +application/vnd.groove-account gac; +application/vnd.groove-help ghf; +application/vnd.groove-identity-message gim; +application/vnd.groove-injector grv; +application/vnd.groove-tool-message gtm; +application/vnd.groove-tool-template tpl; +application/vnd.groove-vcard vcg; +application/vnd.hal+xml hal; +application/vnd.HandHeld-Entertainment+xml zmm; +application/vnd.hbci hbci hbc kom upa pkd bpd; +application/vnd.hdt hdt; +application/vnd.hhe.lesson-player les; +application/vnd.hp-HPGL hpgl; +application/vnd.hp-hpid hpi hpid; +application/vnd.hp-hps hps; +application/vnd.hp-jlyt jlt; +application/vnd.hp-PCL pcl; +application/vnd.hydrostatix.sof-data sfd-hdstx; +application/vnd.hzn-3d-crossword x3d; +application/vnd.ibm.electronic-media emm; +application/vnd.ibm.MiniPay mpy; +application/vnd.ibm.rights-management irm; +application/vnd.ibm.secure-container sc; +application/vnd.iccprofile icc icm; +application/vnd.ieee.1905 1905.1; +application/vnd.igloader igl; +application/vnd.imagemeter.folder+zip imf; +application/vnd.imagemeter.image+zip imi; +application/vnd.immervision-ivp ivp; +application/vnd.immervision-ivu ivu; +application/vnd.ims.imsccv1p1 imscc; +application/vnd.insors.igm igm; +application/vnd.intercon.formnet xpw xpx; +application/vnd.intergeo i2g; +application/vnd.intu.qbo qbo; +application/vnd.intu.qfx qfx; +application/vnd.ipunplugged.rcprofile rcprofile; +application/vnd.irepository.package+xml irp; +application/vnd.is-xpr xpr; +application/vnd.isac.fcs fcs; +application/vnd.jam jam; +application/vnd.jcp.javame.midlet-rms rms; +application/vnd.jisp jisp; +application/vnd.joost.joda-archive joda; +application/vnd.kahootz ktz ktr; +application/vnd.kde.karbon karbon; +application/vnd.kde.kchart chrt; 
+application/vnd.kde.kformula kfo; +application/vnd.kde.kivio flw; +application/vnd.kde.kontour kon; +application/vnd.kde.kpresenter kpr kpt; +application/vnd.kde.kspread ksp; +application/vnd.kde.kword kwd kwt; +application/vnd.kenameaapp htke; +application/vnd.kidspiration kia; +application/vnd.Kinar kne knp sdf; +application/vnd.koan skp skd skm skt; +application/vnd.kodak-descriptor sse; +application/vnd.las.las+json lasjson; +application/vnd.las.las+xml lasxml; +application/vnd.llamagraphics.life-balance.desktop lbd; +application/vnd.llamagraphics.life-balance.exchange+xml lbe; +application/vnd.logipipe.circuit+zip lcs lca; +application/vnd.loom loom; +application/vnd.lotus-1-2-3 123 wk4 wk3 wk1; +application/vnd.lotus-approach apr vew; +application/vnd.lotus-freelance prz pre; +application/vnd.lotus-notes nsf ntf ndl ns4 ns3 ns2 nsh nsg; +application/vnd.lotus-organizer or3 or2 org; +application/vnd.lotus-screencam scm; +application/vnd.lotus-wordpro lwp sam; +application/vnd.macports.portpkg portpkg; +application/vnd.mapbox-vector-tile mvt; +application/vnd.marlin.drm.mdcf mdc; +application/vnd.maxmind.maxmind-db mmdb; +application/vnd.mcd mcd; +application/vnd.medcalcdata mc1; +application/vnd.mediastation.cdkey cdkey; +application/vnd.MFER mwf; +application/vnd.mfmp mfm; +application/vnd.micrografx.flo flo; +application/vnd.micrografx.igx igx; +application/vnd.mif mif; +application/vnd.Mobius.DAF daf; +application/vnd.Mobius.DIS dis; +application/vnd.Mobius.MBK mbk; +application/vnd.Mobius.MQY mqy; +application/vnd.Mobius.MSL msl; +application/vnd.Mobius.PLC plc; +application/vnd.Mobius.TXF txf; +application/vnd.mophun.application mpn; +application/vnd.mophun.certificate mpc; +application/vnd.mozilla.xul+xml xul; +application/vnd.ms-3mfdocument 3mf; +application/vnd.ms-artgalry cil; +application/vnd.ms-asf asf; +application/vnd.ms-cab-compressed cab; +application/vnd.ms-excel xls xlm xla xlc xlt xlw; +application/vnd.ms-excel.template.macroEnabled.12 xltm; 
+application/vnd.ms-excel.addin.macroEnabled.12 xlam; +application/vnd.ms-excel.sheet.binary.macroEnabled.12 xlsb; +application/vnd.ms-excel.sheet.macroEnabled.12 xlsm; +application/vnd.ms-fontobject eot; +application/vnd.ms-htmlhelp chm; +application/vnd.ms-ims ims; +application/vnd.ms-lrm lrm; +application/vnd.ms-officetheme thmx; +application/vnd.ms-powerpoint ppt pps pot; +application/vnd.ms-powerpoint.addin.macroEnabled.12 ppam; +application/vnd.ms-powerpoint.presentation.macroEnabled.12 pptm; +application/vnd.ms-powerpoint.slide.macroEnabled.12 sldm; +application/vnd.ms-powerpoint.slideshow.macroEnabled.12 ppsm; +application/vnd.ms-powerpoint.template.macroEnabled.12 potm; +application/vnd.ms-project mpp mpt; +application/vnd.ms-tnef tnef tnf; +application/vnd.ms-word.document.macroEnabled.12 docm; +application/vnd.ms-word.template.macroEnabled.12 dotm; +application/vnd.ms-works wcm wdb wks wps; +application/vnd.ms-wpl wpl; +application/vnd.ms-xpsdocument xps; +application/vnd.msa-disk-image msa; +application/vnd.mseq mseq; +application/vnd.multiad.creator crtr; +application/vnd.multiad.creator.cif cif; +application/vnd.musician mus; +application/vnd.muvee.style msty; +application/vnd.mynfc taglet; +application/vnd.nervana entity request bkm kcm; +application/vnd.nimn nimn; +application/vnd.nitf nitf; +application/vnd.neurolanguage.nlu nlu; +application/vnd.nintendo.nitro.rom nds; +application/vnd.nintendo.snes.rom sfc smc; +application/vnd.noblenet-directory nnd; +application/vnd.noblenet-sealer nns; +application/vnd.noblenet-web nnw; +application/vnd.nokia.n-gage.ac+xml ac; +application/vnd.nokia.n-gage.data ngdat; +application/vnd.nokia.n-gage.symbian.install n-gage; +application/vnd.nokia.radio-preset rpst; +application/vnd.nokia.radio-presets rpss; +application/vnd.novadigm.EDM edm; +application/vnd.novadigm.EDX edx; +application/vnd.novadigm.EXT ext; +application/vnd.oasis.opendocument.chart odc; +application/vnd.oasis.opendocument.chart-template otc; 
+application/vnd.oasis.opendocument.database odb; +application/vnd.oasis.opendocument.formula odf; +application/vnd.oasis.opendocument.graphics odg; +application/vnd.oasis.opendocument.graphics-template otg; +application/vnd.oasis.opendocument.image odi; +application/vnd.oasis.opendocument.image-template oti; +application/vnd.oasis.opendocument.presentation odp; +application/vnd.oasis.opendocument.presentation-template otp; +application/vnd.oasis.opendocument.spreadsheet ods; +application/vnd.oasis.opendocument.spreadsheet-template ots; +application/vnd.oasis.opendocument.text odt; +application/vnd.oasis.opendocument.text-master odm; +application/vnd.oasis.opendocument.text-template ott; +application/vnd.oasis.opendocument.text-web oth; +application/vnd.olpc-sugar xo; +application/vnd.oma.dd2+xml dd2; +application/vnd.onepager tam; +application/vnd.onepagertamp tamp; +application/vnd.onepagertamx tamx; +application/vnd.onepagertat tat; +application/vnd.onepagertatp tatp; +application/vnd.onepagertatx tatx; +application/vnd.openblox.game+xml obgx; +application/vnd.openblox.game-binary obg; +application/vnd.openeye.oeb oeb; +application/vnd.openofficeorg.extension oxt; +application/vnd.openstreetmap.data+xml osm; +application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; +application/vnd.openxmlformats-officedocument.presentationml.slide sldx; +application/vnd.openxmlformats-officedocument.presentationml.slideshow ppsx; +application/vnd.openxmlformats-officedocument.presentationml.template potx; +application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; +application/vnd.openxmlformats-officedocument.spreadsheetml.template xltx; +application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; +application/vnd.openxmlformats-officedocument.wordprocessingml.template dotx; +application/vnd.osa.netdeploy ndc; +application/vnd.osgeo.mapguide.package mgp; +application/vnd.osgi.dp dp; +application/vnd.osgi.subsystem esa; 
+application/vnd.oxli.countgraph oxlicg; +application/vnd.palm prc pdb pqa oprc; +application/vnd.panoply plp; +application/vnd.patentdive dive; +application/vnd.pawaafile paw; +application/vnd.pg.format str; +application/vnd.pg.osasli ei6; +application/vnd.piaccess.application-license pil; +application/vnd.picsel efif; +application/vnd.pmi.widget wg; +application/vnd.pocketlearn plf; +application/vnd.powerbuilder6 pbd; +application/vnd.preminet preminet; +application/vnd.previewsystems.box box vbox; +application/vnd.proteus.magazine mgz; +application/vnd.psfs psfs; +application/vnd.publishare-delta-tree qps; +application/vnd.pvi.ptid1 ptid; +application/vnd.qualcomm.brew-app-res bar; +application/vnd.Quark.QuarkXPress qxd qxt qwd qwt qxl qxb; +application/vnd.quobject-quoxdocument quox quiz; +application/vnd.rainstor.data tree; +application/vnd.rar rar; +application/vnd.realvnc.bed bed; +application/vnd.recordare.musicxml mxl; +application/vnd.rig.cryptonote cryptonote; +application/vnd.route66.link66+xml link66; +application/vnd.sailingtracker.track st; +application/vnd.sar SAR; +application/vnd.scribus scd sla slaz; +application/vnd.sealed.3df s3df; +application/vnd.sealed.csf scsf; +application/vnd.sealed.doc sdoc sdo s1w; +application/vnd.sealed.eml seml sem; +application/vnd.sealed.mht smht smh; +application/vnd.sealed.ppt sppt s1p; +application/vnd.sealed.tiff stif; +application/vnd.sealed.xls sxls sxl s1e; +application/vnd.sealedmedia.softseal.html stml s1h; +application/vnd.sealedmedia.softseal.pdf spdf spd s1a; +application/vnd.seemail see; +application/vnd.sema sema; +application/vnd.semd semd; +application/vnd.semf semf; +application/vnd.shade-save-file ssv; +application/vnd.shana.informed.formdata ifm; +application/vnd.shana.informed.formtemplate itp; +application/vnd.shana.informed.interchange iif; +application/vnd.shana.informed.package ipk; +application/vnd.shp shp; +application/vnd.shx shx; +application/vnd.sigrok.session sr; 
+application/vnd.SimTech-MindMapper twd twds; +application/vnd.smaf mmf; +application/vnd.smart.notebook notebook; +application/vnd.smart.teacher teacher; +application/vnd.snesdev-page-table ptrom pt; +application/vnd.software602.filler.form+xml fo; +application/vnd.software602.filler.form-xml-zip zfo; +application/vnd.solent.sdkm+xml sdkm sdkd; +application/vnd.spotfire.dxp dxp; +application/vnd.spotfire.sfs sfs; +application/vnd.sqlite3 sqlite sqlite3; +application/vnd.stepmania.package smzip; +application/vnd.stepmania.stepchart sm; +application/vnd.sun.wadl+xml wadl; +application/vnd.sus-calendar sus susp; +application/vnd.syncml+xml xsm; +application/vnd.syncml.dm+wbxml bdm; +application/vnd.syncml.dm+xml xdm; +application/vnd.syncml.dmddf+xml ddf; +application/vnd.tao.intent-module-archive tao; +application/vnd.tcpdump.pcap pcap cap dmp; +application/vnd.theqvd qvd; +application/vnd.think-cell.ppttc+json ppttc; +application/vnd.tml vfr viaframe; +application/vnd.tmobile-livetv tmo; +application/vnd.trid.tpt tpt; +application/vnd.triscape.mxs mxs; +application/vnd.trueapp tra; +application/vnd.ufdl ufdl ufd frm; +application/vnd.uiq.theme utz; +application/vnd.umajin umj; +application/vnd.unity unityweb; +application/vnd.uoml+xml uoml uo; +application/vnd.uri-map urim urimap; +application/vnd.valve.source.material vmt; +application/vnd.vcx vcx; +application/vnd.vd-study mxi study-inter model-inter; +application/vnd.vectorworks vwx; +application/vnd.veryant.thin istc isws; +application/vnd.ves.encrypted VES; +application/vnd.vidsoft.vidconference vsc; +application/vnd.visio vsd vst vsw vss; +application/vnd.visionary vis; +application/vnd.vsf vsf; +application/vnd.wap.sic sic; +application/vnd.wap.slc slc; +application/vnd.wap.wbxml wbxml; +application/vnd.wap.wmlc wmlc; +application/vnd.wap.wmlscriptc wmlsc; +application/vnd.webturbo wtb; +application/vnd.wfa.p2p p2p; +application/vnd.wfa.wsc wsc; +application/vnd.wmc wmc; 
+application/vnd.wolfram.mathematica.package m; +application/vnd.wolfram.player nbp; +application/vnd.wordperfect wpd; +application/vnd.wqd wqd; +application/vnd.wt.stf stf; +application/vnd.wv.csp+wbxml wv; +application/vnd.xara xar; +application/vnd.xfdl xfdl xfd; +application/vnd.xmpie.cpkg cpkg; +application/vnd.xmpie.dpkg dpkg; +application/vnd.xmpie.ppkg ppkg; +application/vnd.xmpie.xlim xlim; +application/vnd.yamaha.hv-dic hvd; +application/vnd.yamaha.hv-script hvs; +application/vnd.yamaha.hv-voice hvp; +application/vnd.yamaha.openscoreformat osf; +application/vnd.yamaha.smaf-audio saf; +application/vnd.yamaha.smaf-phrase spf; +application/vnd.yaoweme yme; +application/vnd.yellowriver-custom-menu cmp; +application/vnd.zul zir zirz; +application/vnd.zzazz.deck+xml zaz; +application/voicexml+xml vxml; +application/voucher-cms+json vcj; +application/watcherinfo+xml wif; +application/widget wgt; +application/wsdl+xml wsdl; +application/wspolicy+xml wspolicy; +application/xcap-att+xml xav; +application/xcap-caps+xml xca; +application/xcap-diff+xml xdf; +application/xcap-el+xml xel; +application/xcap-error+xml xer; +application/xcap-ns+xml xns; +application/xhtml+xml xhtml xhtm xht; +application/xliff+xml xlf; +application/xml-dtd dtd; +application/xop+xml xop; +application/xslt+xml xsl xslt; +application/xv+xml mxml xhvml xvml xvm; +application/yang yang; +application/yin+xml yin; +application/zip zip; +application/zstd zst; +audio/32kadpcm 726; +audio/aac adts aac ass; +audio/ac3 ac3; +audio/AMR amr; +audio/AMR-WB awb; +audio/asc acn; +audio/ATRAC-ADVANCED-LOSSLESS aal; +audio/ATRAC-X atx; +audio/ATRAC3 at3 aa3 omg; +audio/basic au snd; +audio/dls dls; +audio/EVRC evc; +audio/EVRCB evb; +audio/EVRCNW enw; +audio/EVRCWB evw; +audio/iLBC lbc; +audio/L16 l16; +audio/mhas mhas; +audio/mobile-xmf mxmf; +audio/mp4 m4a; +audio/mpeg mp3 mpga mp1 mp2; +audio/ogg oga ogg opus spx; +audio/prs.sid sid psid; +audio/qcelp qcp; +audio/SMV smv; +audio/usac loas xhe; 
+audio/vnd.audikoz koz; +audio/vnd.dece.audio uva uvva; +audio/vnd.digital-winds eol; +audio/vnd.dolby.mlp mlp; +audio/vnd.dts dts; +audio/vnd.dts.hd dtshd; +audio/vnd.everad.plj plj; +audio/vnd.lucent.voice lvp; +audio/vnd.ms-playready.media.pya pya; +audio/vnd.nortel.vbk vbk; +audio/vnd.nuera.ecelp4800 ecelp4800; +audio/vnd.nuera.ecelp7470 ecelp7470; +audio/vnd.nuera.ecelp9600 ecelp9600; +audio/vnd.presonus.multitrack multitrack; +audio/vnd.rip rip; +audio/vnd.sealedmedia.softseal.mpeg smp3 smp s1m; +font/collection ttc; +font/otf otf; +font/ttf ttf; +font/woff woff; +font/woff2 woff2; +image/aces exr; +image/avci avci; +image/avcs avcs; +image/bmp bmp dib; +image/cgm cgm; +image/dicom-rle drle; +image/emf emf; +image/fits fits fit fts; +image/heic heic; +image/heic-sequence heics; +image/heif heif; +image/heif-sequence heifs; +image/hej2k hej2; +image/hsj2 hsj2; +image/gif gif; +image/ief ief; +image/jls jls; +image/jp2 jp2 jpg2; +image/jph jph; +image/jphc jhc; +image/jpeg jpg jpeg jpe jfif; +image/jpm jpm jpgm; +image/jpx jpx jpf; +image/jxr jxr; +image/jxrA jxra; +image/jxrS jxrs; +image/jxs jxs; +image/jxsc jxsc; +image/jxsi jxsi; +image/jxss jxss; +image/ktx ktx; +image/png png; +image/prs.btif btif btf; +image/prs.pti pti; +image/svg+xml svg svgz; +image/t38 t38; +image/tiff tiff tif; +image/tiff-fx tfx; +image/vnd.adobe.photoshop psd; +image/vnd.airzip.accelerator.azv azv; +image/vnd.dece.graphic uvi uvvi uvg uvvg; +image/vnd.djvu djvu djv; +image/vnd.dwg dwg; +image/vnd.dxf dxf; +image/vnd.fastbidsheet fbs; +image/vnd.fpx fpx; +image/vnd.fst fst; +image/vnd.fujixerox.edmics-mmr mmr; +image/vnd.fujixerox.edmics-rlc rlc; +image/vnd.globalgraphics.pgb pgb; +image/vnd.microsoft.icon ico; +image/vnd.mozilla.apng apng; +image/vnd.ms-modi mdi; +image/vnd.radiance hdr rgbe xyze; +image/vnd.sealed.png spng spn s1n; +image/vnd.sealedmedia.softseal.gif sgif sgi s1g; +image/vnd.sealedmedia.softseal.jpg sjpg sjp s1j; +image/vnd.tencent.tap tap; 
+image/vnd.valve.source.texture vtf; +image/vnd.wap.wbmp wbmp; +image/vnd.xiff xif; +image/vnd.zbrush.pcx pcx; +image/wmf wmf; +message/global u8msg; +message/global-delivery-status u8dsn; +message/global-disposition-notification u8mdn; +message/global-headers u8hdr; +message/rfc822 eml mail art; +model/gltf-binary glb; +model/gltf+json gltf; +model/iges igs iges; +model/mesh msh mesh silo; +model/mtl mtl; +model/obj obj; +model/stl stl; +model/vnd.collada+xml dae; +model/vnd.dwf dwf; +model/vnd.gdl gdl gsm win dor lmp rsm msm ism; +model/vnd.gtw gtw; +model/vnd.moml+xml moml; +model/vnd.mts mts; +model/vnd.opengex ogex; +model/vnd.parasolid.transmit.binary x_b xmt_bin; +model/vnd.parasolid.transmit.text x_t xmt_txt; +model/vnd.usdz+zip usdz; +model/vnd.valve.source.compiled-map bsp; +model/vnd.vtu vtu; +model/vrml wrl vrml; +model/x3d+xml x3db; +model/x3d-vrml x3dv x3dvz; +multipart/vnd.bint.med-plus bmed; +multipart/voice-message vpm; +text/cache-manifest appcache manifest; +text/calendar ics ifb; +text/css css; +text/csv csv; +text/csv-schema csvs; +text/dns soa zone; +text/html html htm; +text/jcr-cnd cnd; +text/markdown markdown md; +text/mizar miz; +text/n3 n3; +text/plain txt asc text pm el c h cc hh cxx hxx f90 conf log; +text/provenance-notation provn; +text/prs.fallenstein.rst rst; +text/prs.lines.tag tag dsc; +text/richtext rtx; +text/sgml sgml sgm; +text/tab-separated-values tsv; +text/troff t tr roff; +text/turtle ttl; +text/uri-list uris uri; +text/vcard vcf vcard; +text/vnd.a a; +text/vnd.abc abc; +text/vnd.ascii-art ascii; +text/vnd.debian.copyright copyright; +text/vnd.DMClientScript dms; +text/vnd.dvb.subtitle sub; +text/vnd.esmertec.theme-descriptor jtd; +text/vnd.ficlab.flt flt; +text/vnd.fly fly; +text/vnd.fmi.flexstor flx; +text/vnd.graphviz gv dot; +text/vnd.hgl hgl; +text/vnd.in3d.3dml 3dml 3dm; +text/vnd.in3d.spot spot spo; +text/vnd.ms-mediapackage mpf; +text/vnd.net2phone.commcenter.command ccc; +text/vnd.senx.warpscript mc2; 
+text/vnd.si.uricatalogue uric; +text/vnd.sun.j2me.app-descriptor jad; +text/vnd.sosi sos; +text/vnd.trolltech.linguist ts; +text/vnd.wap.si si; +text/vnd.wap.sl sl; +text/vnd.wap.wml wml; +text/vnd.wap.wmlscript wmls; +text/vtt vtt; +text/xml xml xsd rng; +text/xml-external-parsed-entity ent; +video/3gpp 3gp 3gpp; +video/3gpp2 3g2 3gpp2; +video/iso.segment m4s; +video/mj2 mj2 mjp2; +video/mp4 mp4 mpg4 m4v; +video/mpeg mpeg mpg mpe m1v m2v; +video/ogg ogv; +video/quicktime mov qt; +video/vnd.dece.hd uvh uvvh; +video/vnd.dece.mobile uvm uvvm; +video/vnd.dece.mp4 uvu uvvu; +video/vnd.dece.pd uvp uvvp; +video/vnd.dece.sd uvs uvvs; +video/vnd.dece.video uvv uvvv; +video/vnd.dvb.file dvb; +video/vnd.fvt fvt; +video/vnd.mpegurl mxu m4u; +video/vnd.ms-playready.media.pyv pyv; +video/vnd.nokia.interleaved-multimedia nim; +video/vnd.radgamettools.bink bik bk2; +video/vnd.radgamettools.smacker smk; +video/vnd.sealed.mpeg1 smpg s11; +video/vnd.sealed.mpeg4 s14; +video/vnd.sealed.swf sswf ssw; +video/vnd.sealedmedia.softseal.mov smov smo s1q; +video/vnd.youtube.yt yt; +video/vnd.vivo viv; +application/mac-compactpro cpt; +application/metalink+xml metalink; +application/owl+xml owx; +application/rss+xml rss; +application/vnd.android.package-archive apk; +application/vnd.oma.dd+xml dd; +application/vnd.oma.drm.content dcf; +application/vnd.oma.drm.dcf o4a o4v; +application/vnd.oma.drm.message dm; +application/vnd.oma.drm.rights+wbxml drc; +application/vnd.oma.drm.rights+xml dr; +application/vnd.sun.xml.calc sxc; +application/vnd.sun.xml.calc.template stc; +application/vnd.sun.xml.draw sxd; +application/vnd.sun.xml.draw.template std; +application/vnd.sun.xml.impress sxi; +application/vnd.sun.xml.impress.template sti; +application/vnd.sun.xml.math sxm; +application/vnd.sun.xml.writer sxw; +application/vnd.sun.xml.writer.global sxg; +application/vnd.sun.xml.writer.template stw; +application/vnd.symbian.install sis; +application/vnd.wap.mms-message mms; +application/x-annodex anx; 
+application/x-bcpio bcpio; +application/x-bittorrent torrent; +application/x-bzip2 bz2; +application/x-cdlink vcd; +application/x-chrome-extension crx; +application/x-cpio cpio; +application/x-csh csh; +application/x-director dcr dir dxr; +application/x-dvi dvi; +application/x-futuresplash spl; +application/x-gtar gtar; +application/x-hdf hdf; +application/x-java-archive jar; +application/x-java-jnlp-file jnlp; +application/x-java-pack200 pack; +application/x-killustrator kil; +application/x-latex latex; +application/x-netcdf nc cdf; +application/x-perl pl; +application/x-rpm rpm; +application/x-sh sh; +application/x-shar shar; +application/x-stuffit sit; +application/x-sv4cpio sv4cpio; +application/x-sv4crc sv4crc; +application/x-tar tar; +application/x-tcl tcl; +application/x-tex tex; +application/x-texinfo texinfo texi; +application/x-troff-man man 1 2 3 4 5 6 7 8; +application/x-troff-me me; +application/x-troff-ms ms; +application/x-ustar ustar; +application/x-wais-source src; +application/x-xpinstall xpi; +application/x-xspf+xml xspf; +application/x-xz xz; +audio/midi mid midi kar; +audio/x-aiff aif aiff aifc; +audio/x-annodex axa; +audio/x-flac flac; +audio/x-matroska mka; +audio/x-mod mod ult uni m15 mtm 669 med; +audio/x-mpegurl m3u; +audio/x-ms-wax wax; +audio/x-ms-wma wma; +audio/x-pn-realaudio ram rm; +audio/x-realaudio ra; +audio/x-s3m s3m; +audio/x-stm stm; +audio/x-wav wav; +chemical/x-xyz xyz; +image/webp webp; +image/x-cmu-raster ras; +image/x-portable-anymap pnm; +image/x-portable-bitmap pbm; +image/x-portable-graymap pgm; +image/x-portable-pixmap ppm; +image/x-rgb rgb; +image/x-targa tga; +image/x-xbitmap xbm; +image/x-xpixmap xpm; +image/x-xwindowdump xwd; +text/html-sandboxed sandboxed; +text/x-pod pod; +text/x-setext etx; +video/webm webm; +video/x-annodex axv; +video/x-flv flv; +video/x-javafx fxm; +video/x-matroska mkv; +video/x-matroska-3d mk3d; +video/x-ms-asf asx; +video/x-ms-wm wm; +video/x-ms-wmv wmv; +video/x-ms-wmx wmx; 
+video/x-ms-wvx wvx;
+video/x-msvideo avi;
+video/x-sgi-movie movie;
+x-conference/x-cooltalk ice;
+x-epoc/x-sisx-app sisx;
+}
diff --git a/nginx/mimetypes/strict.conf b/nginx/mimetypes/strict.conf
new file mode 100755
index 0000000..a3ee994
--- /dev/null
+++ b/nginx/mimetypes/strict.conf
@@ -0,0 +1,39 @@
+types {
+ text/plain txt;
+ text/gemini gmi;
+ text/markdown md;
+ text/html html;
+ text/css css;
+ text/xml xml;
+ text/csv csv;
+ text/javascript js;
+
+ application/xhtml+xml xhtml;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ application/json json;
+ application/gzip gz;
+ application/zip zip;
+ application/epub+zip epub;
+ application/pdf pdf;
+
+ font/woff woff;
+ font/woff2 woff2;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ audio/mpeg mp3;
+ audio/ogg ogg oga opus spx;
+ audio/webm weba;
+ audio/flac flac;
+
+ video/webm webm;
+ video/mp4 mp4;
+ video/ogg ogv;
+}
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100755
index 0000000..fd192a4
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,27 @@
+load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so";
+worker_processes auto;
+
+events {}
+http {
+ include mimetypes/strict.conf;
+ default_type application/octet-stream;
+
+ #types_hash_bucket_size 128; # Default: 64
+ #types_hash_max_size 1024; # Default: 1024
+
+ sendfile on;
+ #tcp_nopush on;
+
+ gzip_static on;
+
+ include sites/*.conf;
+ include inc/security.conf;
+
+ server_tokens off;
+
+ #map $http_accept_language $lang {
+ # default en;
+ # ~en en;
+ # ~fr fr;
+ #}
+}
diff --git a/nginx/sites/niver.atope.art.conf b/nginx/sites/niver.atope.art.conf
new file mode 100755
index 0000000..cd0bfbc
--- /dev/null
+++ b/nginx/sites/niver.atope.art.conf
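Review bot: In nginx/nginx.conf, the pairing of `include mimetypes/strict.conf;` with `default_type application/octet-stream;` carries a security decision that nothing in the file records: only the extensions on the short list get a renderable Content-Type, and everything else is labelled as opaque binary. A comment above the include would keep a later maintainer from swapping in `mimetypes/full.conf` (added by this same commit) without noticing the change in exposure, for example `# Allowlist of served types; unlisted extensions fall back to default_type below`. Whether `inc/security.conf` also sends `X-Content-Type-Options: nosniff` cannot be seen from this hunk and is worth confirming, since the allowlist depends on browsers honouring the declared type.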
@@ -0,0 +1,31 @@
+server {
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+ server_name niver.atope.art;
+
+ root /srv/http/niver;
+ index index.php index.html index.htm;
+ try_files $uri $uri/ @extensionless-php; # $uri.html
+ index index.php;
+
+ include inc/modern.conf;
+ include inc/errors.conf;
+
+ error_log /var/log/nginx/niver.atope.art-error.log;
+ access_log /var/log/nginx/niver.atope.art-access.log;
+
+ more_set_headers "Content-Security-Policy : default-src 'none'; style-src 'self';";
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php-fpm/niver.sock;
+ #fastcgi_index index.php;
+ include inc/fastcgi.conf;
+ try_files $uri =404;
+ }
+
+ location @extensionless-php {
+ rewrite ^(.*)$ $1.php last;
+ }
+
+}
diff --git a/php-fpm/errors.conf b/php-fpm/errors.conf
new file mode 100755
index 0000000..4dffa9c
--- /dev/null
+++ b/php-fpm/errors.conf
@@ -0,0 +1,27 @@
+[errors]
+
+user = php-$pool
+group = php-$pool
+
+listen = /run/php-fpm/$pool.sock
+
+listen.owner = http
+listen.group = http
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+access.log = /var/log/php/$pool-access.log
+
+chdir = /srv/http/$pool
+;chroot = /srv/http/$pool
+
+catch_workers_output = yes
+decorate_workers_output = yes
+
+clear_env = yes
+
+security.limit_extensions = .php
diff --git a/php-fpm/niver.conf b/php-fpm/niver.conf
new file mode 100755
index 0000000..818fc01
--- /dev/null
+++ b/php-fpm/niver.conf
@@ -0,0 +1,26 @@
+[niver]
+
+user = php-$pool
+group = knot
+
+listen = /run/php-fpm/$pool.sock
+
+listen.owner = http
+listen.group = http
+
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+access.log = /var/log/php/$pool-access.log
+
+chdir = /srv/http/$pool
+
+catch_workers_output = yes
+decorate_workers_output = yes
+
+clear_env = yes
+
+security.limit_extensions = .php
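Review bot: In nginx/sites/niver.atope.art.conf both `listen` lines mark this PHP virtual host as `default_server`, so a TLS request for any name that no other server block claims, including a bare IP address or an arbitrary Host header, is handed to the application. If that is not intended, moving `default_server` to a separate catch-all such as `server { listen 443 ssl default_server; listen [::]:443 ssl default_server; ssl_reject_handshake on; }` keeps unknown names away from PHP; `ssl_reject_handshake` needs nginx 1.19.4 or later. Inside `location ~ \.php$`, `try_files $uri =404;` is the line that stops a request for a script that does not exist on disk from reaching PHP-FPM and deserves a comment saying so, while `fastcgi_split_path_info` looks inert because the location regex only matches URIs that end in `.php`. The second `index index.php;` repeats what the first `index` line already lists.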
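Review bot: In php-fpm/niver.conf the pool runs with `group = knot`, whereas the `errors` pool in this commit uses `group = php-$pool`; the web application's workers therefore hold whatever the `knot` group can read or write. That is presumably how the panel edits zones, but it also means a flaw in the PHP code reaches the DNS server's files, so the choice should be stated in a comment, e.g. `; group knot: the panel writes zone files; keep knot-group permissions limited to those paths`. The pool also sets no `php_admin_value[open_basedir]` or `chroot` (the `errors` pool at least carries a commented-out `chroot`), which leaves filesystem confinement entirely to Unix permissions; worth confirming that is deliberate.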
diff --git a/share/banner.txt b/share/banner.txt
new file mode 100755
index 0000000..89e4041
--- /dev/null
+++ b/share/banner.txt
@@ -0,0 +1 @@
+SFTP Access for Niver users
diff --git a/share/knot.template b/share/knot.template
new file mode 100755
index 0000000..bfe6d1f
--- /dev/null
+++ b/share/knot.template
@@ -0,0 +1,2 @@
+DOMAIN 3600 SOA ns1.atope.art. hostmaster.antopie.org. 1 21600 7200 3628800 3600
+DOMAIN 86400 NS ns1.atope.art.
diff --git a/share/nginx/dns.template b/share/nginx/dns.template
new file mode 100755
index 0000000..b446b93
--- /dev/null
+++ b/share/nginx/dns.template
@@ -0,0 +1,27 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name DOMAIN;
+ return 301 https://DOMAIN$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name DOMAIN;
+ root /srv/hyper/USER/hyper/DIR;
+
+ ssl_certificate /etc/letsencrypt/live/host.atope.art/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/host.atope.art/privkey.pem;
+
+ access_log /var/log/nginx/DOMAIN-access.log;
+ error_log /var/log/nginx/DOMAIN-error.log;
+
+ include /etc/nginx/inc/intermediate.conf.inc;
+
+ default_type text/plain;
+
+ location / {
+ try_files $uri $uri.html $uri/ =404;
+ }
+}
diff --git a/share/nginx/onion.template b/share/nginx/onion.template
new file mode 100755
index 0000000..854f7b7
--- /dev/null
+++ b/share/nginx/onion.template
@@ -0,0 +1,9 @@
+server {
+ listen [::1]:80;
+ server_name DOMAIN;
+ root /srv/hyper/USER/hyper/DIR;
+
+ location / {
+ try_files $uri $uri.html $uri/ =404;
+ }
+}
diff --git a/share/skel/about.txt b/share/skel/about.txt
new file mode 100755
index 0000000..821f18a
--- /dev/null
+++ b/share/skel/about.txt
@@ -0,0 +1,5 @@
+Ceci est le dossier personnel des utilisataires de Niver.
+Vous pouvez téléverser votre site dans un sous-dossier d'ht/.
+
+This is the personnal directory for Niver users.
+You can upload your site into a subdirectory of ht/.
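Review bot: In share/nginx/dns.template (and likewise share/nginx/onion.template) `root /srv/hyper/USER/hyper/DIR;` points nginx at a directory whose contents appear to be uploaded by the account holder over SFTP, and neither template restricts symbolic links. nginx resolves a link against the real filesystem rather than the SFTP chroot, so a link placed in a site directory could expose files outside it that the nginx worker can read; adding `disable_symlinks if_not_owner from=$document_root;` to both server blocks closes that. Separately, the template includes `/etc/nginx/inc/intermediate.conf.inc`, while this commit ships the file as `nginx/inc/intermediate.conf` and the main site uses `include inc/modern.conf;`, so the path should be checked before a generated site breaks `nginx -t`. The fixed `host.atope.art` certificate path also assumes that certificate covers every DOMAIN the template is instantiated for.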
diff --git a/sshd_config b/sshd_config
new file mode 100755
index 0000000..f4b2e6d
--- /dev/null
+++ b/sshd_config
@@ -0,0 +1,88 @@
+# Potiron
+
+LogLevel INFO # The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+#VersionAddendum Niver
+AllowGroups root ht
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+## Network
+
+AddressFamily any
+ListenAddress 0.0.0.0
+ListenAddress ::
+Port 22
+
+## Cryptography
+
+HostKey /etc/ssh/keys/ed25519
+HostKey /etc/ssh/keys/rsa-3072
+
+Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
+HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+
+## Sessions
+
+PermitRootLogin prohibit-password
+StrictModes yes
+MaxAuthTries 6
+MaxSessions 1
+MaxStartups 3:20:200
+LoginGraceTime 3m
+PrintMotd yes
+
+## Disable everything
+
+PermitTTY no
+PermitTunnel no
+
+AllowTcpForwarding no
+X11Forwarding no
+AllowAgentForwarding no
+AllowStreamLocalForwarding no
+DisableForwarding yes # Disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal.
+
+PermitUserRC no
+PermitUserEnvironment no
+IgnoreRhosts yes
+AuthorizedKeysFile none
+
+AuthenticationMethods none
+PubkeyAuthentication no
+PasswordAuthentication no
+KbdInteractiveAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+
+UsePAM no
+
+## Enable usefull features
+
+### Administrator access
+Match Group root
+
+ #### Authentication
+ PubkeyAuthentication yes
+ AuthenticationMethods publickey
+ AuthorizedKeysFile .ssh/authorized_keys
+
+ #### Allow the use of a terminal
+ PermitTTY yes
+
+### SFTP access
+Match Group ht
+
+ #### Authentication
+ PasswordAuthentication yes
+ AuthenticationMethods password
+ #AuthorizedKeysFile keys
+
+ #### Chroot to the home directory
+ ChrootDirectory %h # %h is home directory, %u is username
+
+ #### Only SFTP can be used
+ ForceCommand internal-sftp
+
+ #### Print a message before login
+ Banner /usr/local/share/niver/banner.txt
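Review bot: The `Match Group ht` block turns on `PasswordAuthentication yes` for a daemon listening on `0.0.0.0` and `::` port 22, while the global `MaxAuthTries 6` and `UsePAM no` stay in force, so the only guessing limit visible in this file is `MaxStartups 3:20:200`. I would add `MaxAuthTries 3` inside the `ht` block and pair the service with log-based banning or firewall rate limiting on failed logins. `ChrootDirectory %h` only works when the home directory and every parent are owned by root and not writable by group or others, which is worth a comment next to the directive since it dictates how accounts must be provisioned. The trailing `#` comments on the `LogLevel`, `DisableForwarding` and `ChrootDirectory` lines are, as far as I know, rejected by older OpenSSH releases, so `sshd -t` should be run on the target version. The global `AuthenticationMethods none` appears to serve as a deny-by-default that relies on `PermitEmptyPasswords no`, and a comment stating that would keep it from being mistaken for "no authentication required".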