ghzhost
diff --git a/‎.prettierrc.cjs‎
Lines changed: 1 addition & 0 deletions b/‎.prettierrc.cjs‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎install/deb/nginx/0rtt-anti-replay.conf‎
Lines changed: 39 additions & 0 deletions b/‎install/deb/nginx/0rtt-anti-replay.conf‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎install/deb/nginx/nginx.conf‎
Lines changed: 2 additions & 0 deletions b/‎install/deb/nginx/nginx.conf‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎install/deb/nginx/phpmyadmin.inc‎
Lines changed: 3 additions & 2 deletions b/‎install/deb/nginx/phpmyadmin.inc‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎install/deb/nginx/phppgadmin.inc‎
Lines changed: 3 additions & 2 deletions b/‎install/deb/nginx/phppgadmin.inc‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎install/deb/nginx/status.conf‎
Lines changed: 3 additions & 2 deletions b/‎install/deb/nginx/status.conf‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎install/deb/nginx/unassigned.inc‎
Lines changed: 7 additions & 5 deletions b/‎install/deb/nginx/unassigned.inc‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎install/deb/nginx/webmail.inc‎
Lines changed: 0 additions & 15 deletions b/‎install/deb/nginx/webmail.inc‎
Lines changed: 0 additions & 15 deletions
diff --git a/‎install/deb/templates/mail/nginx/default.stpl‎
Lines changed: 50 additions & 43 deletions b/‎install/deb/templates/mail/nginx/default.stpl‎
Lines changed: 50 additions & 43 deletions
diff --git a/‎install/deb/templates/mail/nginx/default.tpl‎
Lines changed: 41 additions & 38 deletions b/‎install/deb/templates/mail/nginx/default.tpl‎
Lines changed: 41 additions & 38 deletions
@@ -31,6 +31,7 @@ module.exports = {
 			files: ['**/nginx/*.inc', '**/nginx/*.conf'],
 			options: {
 				parser: 'nginx',
+				wrapParameters: false,
 			},
 		},
 	],
 
@@ -0,0 +1,39 @@
+# Implement TLS 1.3 0-RTT anti-replay for NGINX
+
+# Requires: NGINX directive "ssl_early_data" on
+
+# Usage:
+
+# Make sure these "map" blocks are included in "http" block
+# Put the following two lines in SSL "server" block, before any "location" blocks
+
+# if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+# if ($anti_replay = 425) { return 425; }
+
+# Pass "Early-Data" header to backend/upstream
+# Only for 0-RTT requests from clients that understand 425 status code (RFC 8470)
+
+# fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
+# proxy_set_header Early-Data $rfc_early_data;
+
+# Copyright © myrevery
+# Copyright © 7677333 (An anagram of a Anonymous Cybersecurity Research Team)
+
+map "$request_method:$is_args" $ar_idempotent {
+	default 0;
+	"~^GET:$|^(HEAD|OPTIONS|TRACE):\?*$" 1;
+}
+
+map $http_user_agent $ar_support_425 {
+	default 0;
+	"~Firefox/((58|59)|([6-9]\d)|([1-9]\d{2,}))\.\d+" 1;
+}
+
+map "$ssl_early_data:$ar_idempotent:$ar_support_425" $anti_replay {
+	1:0:0 307;
+	1:0:1 425;
+}
+
+map "$ssl_early_data:$ar_support_425" $rfc_early_data {
+	1:1 1;
+}
@@ -4,6 +4,7 @@ worker_processes     auto;
 worker_rlimit_nofile 65535;
 error_log            /var/log/nginx/error.log;
 pid                  /run/nginx.pid;
+include              /etc/nginx/conf.d/main/*.conf;
 include              /etc/nginx/modules-enabled/*.conf;
 
 # Worker config
@@ -48,6 +49,7 @@ http {
 	# Proxy settings
 	proxy_redirect                  off;
 	proxy_set_header                Host $host;
+	proxy_set_header                Early-Data $rfc_early_data;
 	proxy_set_header                X-Real-IP $remote_addr;
 	proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
 	proxy_pass_header               Set-Cookie;
 
@@ -13,10 +13,11 @@ location /%pma_alias% {
 
 	location ~ ^/%pma_alias%/(.*\.php)$ {
 		alias         /usr/share/phpmyadmin/$1;
-		fastcgi_pass  127.0.0.1:9000;
+		include       /etc/nginx/fastcgi_params;
 		fastcgi_index index.php;
-		include       fastcgi_params;
+		fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
 		fastcgi_param SCRIPT_FILENAME $request_filename;
+		fastcgi_pass  127.0.0.1:9000;
 	}
 
 	location /%pma_alias%/(.+\.(jpg|jpeg|gif|css|png|webp|js|ico|html|xml|txt))$ {
 
@@ -3,9 +3,10 @@ location /%pga_alias% {
 
 	location ~ ^/%pga_alias%/(.*\.php)$ {
 		alias         /usr/share/phppgadmin/$1;
-		fastcgi_pass  127.0.0.1:9000;
+		include       /etc/nginx/fastcgi_params;
 		fastcgi_index index.php;
-		include       fastcgi_params;
+		fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
 		fastcgi_param SCRIPT_FILENAME $request_filename;
+		fastcgi_pass  127.0.0.1:9000;
 	}
 }
@@ -1,10 +1,11 @@
 server {
-	listen                  127.0.0.1:8084 default;
+	listen                  127.0.0.1:8084 default_server;
 	server_name             _;
 	server_name_in_redirect off;
 
 	location / {
 		stub_status on;
 		access_log  off;
+		error_log   /dev/null;
 	}
-}
+}
@@ -1,11 +1,11 @@
 server {
-	listen      directIP:80 default;
+	listen      directIP:80 default_server;
 	server_name _;
+	access_log  off;
+	error_log   /dev/null;
 
 	location / {
-		access_log /dev/null;
-		error_log  /dev/null;
-		root       /var/www/html;
+		root /var/www/html;
 
 		location /phpmyadmin/ {
 			alias  /var/www/document_errors/;
@@ -34,8 +34,10 @@ server {
 }
 
 server {
-	listen              directIP:443 ssl http2 default;
+	listen              directIP:443 default_server ssl;
 	server_name         _;
+	access_log          off;
+	error_log           /dev/null;
 	ssl_certificate     /usr/local/hestia/ssl/certificate.crt;
 	ssl_certificate_key /usr/local/hestia/ssl/certificate.key;
 	return              301 http://$host$request_uri;
 
@@ -1,45 +1,52 @@
 server {
-    listen      %ip%:%proxy_ssl_port% ssl http2;
-    server_name %domain_idn% %alias_idn%;
-    root        /var/lib/roundcube;
-    index       index.php index.html index.htm;
-    access_log /var/log/nginx/domains/%domain%.log combined;
-    error_log  /var/log/nginx/domains/%domain%.error.log error;
-
-    ssl_certificate     %ssl_pem%;
-    ssl_certificate_key %ssl_key%;
-    ssl_stapling on;
-    ssl_stapling_verify on;
-
-    location ~ /\.(?!well-known\/) {
-        deny all;
-        return 404;
-    }
-
-    location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
-        deny all;
-        return 404;
-    }
-
-    location / {
-        proxy_pass https://%ip%:%web_ssl_port%;
-        try_files $uri $uri/ =404;
-        alias /var/lib/roundcube/;
-        location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
-            expires 7d;
-            fastcgi_hide_header "Set-Cookie";
-        }
-    }
-
-    location /error/ {
-        alias /var/www/document_errors/;
-    }
-
-    location @fallback {
-        proxy_pass https://%ip%:%web_ssl_port%;
-    }
-
-    proxy_hide_header Upgrade;
-
-    include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.ssl.conf_*;
+	listen      %ip%:%proxy_ssl_port% ssl;
+	server_name %domain_idn% %alias_idn%;
+	root        /var/lib/roundcube;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	ssl_certificate     %ssl_pem%;
+	ssl_certificate_key %ssl_key%;
+	ssl_stapling        on;
+	ssl_stapling_verify on;
+
+	# TLS 1.3 0-RTT anti-replay
+	if ($anti_replay = 307) { return 307 https://$host$request_uri; }
+	if ($anti_replay = 425) { return 425; }
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		alias /var/lib/roundcube/;
+
+		try_files $uri $uri/ =404;
+
+		proxy_pass https://%ip%:%web_ssl_port%;
+
+		location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
+			expires 7d;
+			fastcgi_hide_header "Set-Cookie";
+		}
+	}
+
+	location @fallback {
+		proxy_pass https://%ip%:%web_ssl_port%;
+	}
+
+	location /error/ {
+		alias /var/www/document_errors/;
+	}
+
+	proxy_hide_header Upgrade;
+
+	include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.ssl.conf_*;
 }
@@ -1,40 +1,43 @@
 server {
-    listen      %ip%:%proxy_port%;
-    server_name %domain_idn% %alias_idn%;
-    root        /var/lib/roundcube;
-    index       index.php index.html index.htm;
-    access_log /var/log/nginx/domains/%domain%.log combined;
-    error_log  /var/log/nginx/domains/%domain%.error.log error;
-
-    include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
-
-    location ~ /\.(?!well-known\/) {
-        deny all;
-        return 404;
-    }
-
-    location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
-        deny all;
-        return 404;
-    }
-
-    location / {
-        proxy_pass http://%ip%:%web_port%;
-        try_files $uri $uri/ =404;
-        alias /var/lib/roundcube/;
-        location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
-            expires 7d;
-            fastcgi_hide_header "Set-Cookie";
-        }
-    }
-
-    location /error/ {
-        alias /var/www/document_errors/;
-    }
-
-    location @fallback {
-        proxy_pass http://%ip%:%web_port%;
-    }
-
-    include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.conf_*;
+	listen      %ip%:%proxy_port%;
+	server_name %domain_idn% %alias_idn%;
+	root        /var/lib/roundcube;
+	index       index.php index.html index.htm;
+	access_log  /var/log/nginx/domains/%domain%.log combined;
+	error_log   /var/log/nginx/domains/%domain%.error.log error;
+
+	include %home%/%user%/conf/mail/%root_domain%/nginx.forcessl.conf*;
+
+	location ~ /\.(?!well-known\/) {
+		deny all;
+		return 404;
+	}
+
+	location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
+		deny all;
+		return 404;
+	}
+
+	location / {
+		alias /var/lib/roundcube/;
+
+		try_files $uri $uri/ =404;
+
+		proxy_pass http://%ip%:%web_port%;
+
+		location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
+			expires 7d;
+			fastcgi_hide_header "Set-Cookie";
+		}
+	}
+
+	location @fallback {
+		proxy_pass http://%ip%:%web_port%;
+	}
+
+	location /error/ {
+		alias /var/www/document_errors/;
+	}
+
+	include %home%/%user%/conf/mail/%root_domain%/%proxy_system%.conf_*;
 }
Original file line number	Diff line number	Diff line change
`@@ -3,9 +3,10 @@ location /%pga_alias% {`
`3`	`3`
`4`	`4`	`location ~ ^/%pga_alias%/(.*\.php)$ {`
`5`	`5`	`alias /usr/share/phppgadmin/$1;`
`6`		`- fastcgi_pass 127.0.0.1:9000;`
	`6`	`+ include /etc/nginx/fastcgi_params;`
`7`	`7`	`fastcgi_index index.php;`
`8`		`- include fastcgi_params;`
	`8`	`+ fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;`
`9`	`9`	`fastcgi_param SCRIPT_FILENAME $request_filename;`
	`10`	`+ fastcgi_pass 127.0.0.1:9000;`
`10`	`11`	`}`
`11`	`12`	`}`