Add files via upload

blockips.conf

@@ -0,0 +1,22 @@
+allow 173.245.48.0/20;
+allow 103.21.244.0/22;
+allow 103.22.200.0/22;
+allow 103.31.4.0/22;
+allow 141.101.64.0/18;
+allow 108.162.192.0/18;
+allow 190.93.240.0/20;
+allow 188.114.96.0/20;
+allow 197.234.240.0/22;
+allow 198.41.128.0/17;
+allow 162.158.0.0/15;
+allow 104.16.0.0/12;
+allow 172.64.0.0/13;
+allow 131.0.72.0/22;
+allow 2400:cb00::/32;
+allow 2606:4700::/32;
+allow 2803:f800::/32;
+allow 2405:b500::/32;
+allow 2405:8100::/32;
+allow 2a06:98c0::/29;
+allow 2c0f:f248::/32;
+deny all;

default

@@ -0,0 +1,47 @@
+server {
+        listen       443 ssl http2 reuseport backlog=131072 fastopen=256;
+        listen       [::]:443 ssl http2 reuseport backlog=131072 fastopen=256;        
+	server_name  domain.me;
+	add_header Allow "GET" always; 
+	if ( $request_method !~ ^(GET)$ ) {
+		   return 444;
+	}
+	ssl_certificate /etc/ssl/domain.me.pem;
+	ssl_certificate_key /etc/ssl/domain.me.key;
+	ssl_dhparam /etc/ssl/dhparam.pem;
+	ssl_session_cache shared:le_nginx_SSL:1m;
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_timeout 1d;
+	ssl_session_tickets off;
+	ssl_protocols TLSv1.3 TLSv1.2;
+	ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+	ssl_ecdh_curve secp384r1;
+	ssl_early_data on;		
+	add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
+	add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains; preload' always;
+	add_header X-Robots-Tag "noindex, nofollow" always;	
+	add_header X-Content-Type-Options "nosniff" always;
+	add_header X-Frame-Options "SAMEORIGIN" always;
+	add_header X-Xss-Protection "1; mode=block" always;
+	resolver localhost valid=300s;
+	ssl_buffer_size 8k;
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	ssl_prefer_server_ciphers on;
+        ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+	location / {
+        	proxy_pass https://youtube.com;
+		limit_rate 1000k;
+		proxy_redirect off;
+        }		
+        location /v2ray {
+        	proxy_redirect off;			
+		proxy_buffering off;
+		proxy_http_version 1.1;
+        	proxy_pass https://localhost:8008;
+        	proxy_set_header Host $http_host;
+        	proxy_set_header Upgrade $http_upgrade;
+        	proxy_set_header Early-Data $ssl_early_data;
+		proxy_set_header Connection "upgrade";
+        }
+}

hosts_update

@@ -0,0 +1,11 @@
+#!/bin/sh
+# указываем адрес нужного списка
+URL="https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling/hosts" # Разные списки смотреть здесь: https://github.com/StevenBlack/hosts
+# удаляем старый список при обновлении
+rm /etc/unbound/unbound.conf.d/hosts-alternates.conf 
+# добавляем "server:" в начало нового списка
+echo "server:" > /etc/unbound/unbound.conf.d/hosts-alternates.conf
+# получаем список хостов, форматируем и добавляем
+curl $URL | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" redirect\nlocal-data: \""$2". IN A 0.0.0.0\"\nlocal-data: \""$2". IN AAAA ::0\""}' >> /etc/unbound/unbound.conf.d/hosts-alternates.conf
+# перезапускаем unbound
+systemctl restart unbound

hosts_update_custom

@@ -0,0 +1,27 @@
+#!/bin/sh
+# указываем адреса нужных списков, формируем из двух источников
+wget -N https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+wget -N https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
+wget -N https://raw.githubusercontent.com/Ultimate-Hosts-Blacklist/anudeepND_blacklist_ad_server/master/domains.list
+wget -N https://raw.githubusercontent.com/anudeepND/blacklist/master/CoinMiner.txt
+wget -N https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
+# извлекаем домены из списка hosts
+cat hosts | grep '^0\.0\.0\.0' | awk '{print $2}' > block
+# извлекаем домены из списка adservers.txt
+cat adservers.txt | grep '^0\.0\.0\.0' | awk '{print $2}' > mybase
+# извлекаем домены из списка CoinMiner.txt
+cat CoinMiner.txt | grep '^0\.0\.0\.0' | awk '{print $2}' > coinminer
+# сливаем два списка block и mybase в merged с сортировкой доменов по алфавиту
+cat block domains.list mybase coinminer /etc/unbound/myblacklist | sort -u > merged
+# сливаем два списка whitelist.txt и mywhitelist в whitelist с сортировкой доменов по алфавиту
+cat whitelist.txt /etc/unbound/mywhitelist | sort -u > whitelist
+# удаляем из merged домены белого списка whitelist
+comm -23 merged whitelist > merged_corr
+# удаляем старый список при обновлении
+rm /etc/unbound/unbound.conf.d/hosts-alternates.conf 
+# создаем список и добавляем "server:" в начало
+echo "server:" > /etc/unbound/unbound.conf.d/hosts-alternates.conf
+# формируем список вида local_zone: "domain" always_nxdomain
+awk '{print "local-zone: \""$1"\" always_nxdomain"}' merged_corr >> /etc/unbound/unbound.conf.d/hosts-alternates.conf
+# перезапускаем unbound
+systemctl restart unbound

main.conf

@@ -0,0 +1,219 @@
+# Блок описания конфигурации DNS-сервера Unbound
+server:
+
+# Используемые для управления ресурсы
+directory: "/etc/unbound"
+pidfile: "/run/unbound.pid"
+
+# Имя пользователя, от которого запускается сервис
+username: unbound
+
+# Запускаем в несколько потоков (по одному на ядро процессора)
+num-threads: 1
+
+# Данные параметры соотносятся с числом потоков*2
+msg-cache-slabs: 2
+rrset-cache-slabs: 2
+infra-cache-slabs: 2
+key-cache-slabs: 2
+
+# Включаем оптимизацию быстрого перераспределения ресурсов
+so-reuseport: yes
+
+# Описываем параметры сетевого подключения, на котором сервис принимает запросы
+port: 53
+interface: 127.0.0.1
+interface: ::1
+
+# Указываем, с какого из интерфейсов высылать рекурсивные запросы и получать ответы на запросы
+outgoing-interface: <вписать сюда ipv4-адрес сервера>
+outgoing-interface: <вписать сюда ipv6-адрес сервера>
+# Т.к. Hetzner выдает вам не 1 ipv6 адрес, а подсеть /64, вам нужно отбросить маску /64
+# и вписать вместо нее 1. Адрес должен быть вида 2a00:7ad:45ef::1
+
+# Уточняем перечень протоколов, с которыми работаем
+do-ip4: yes
+do-ip6: yes
+do-udp: yes
+do-tcp: yes
+
+# Предпочтение отдаем ipv6
+prefer-ip6: yes
+
+# Перечисляем сети, рекурсивные запросы от которых обслуживаются (по умолчанию всё неразрешенное запрещено)
+access-control: 127.0.0.0/8 allow
+access-control: 10.0.0.0/8 allow
+access-control: fd42:42:42::/48 allow
+
+# Скрываем данные о программном обеспечении в ответах на запросы
+hide-identity: yes
+hide-version: yes
+hide-trustanchor: yes
+identity: "DNS"
+
+# Уровень детализации журнала событий (0 - только ошибки; 1 - операционная информация; 2 - детальная операционная информация; 3 - информация по каждому запросу; 4 - алгоритмическая информация; 5 - регистрирует идентификацию клиента на предмет отсутствия кеша)
+verbosity: 1
+
+# На период отладки полезно включить детальное журналирование запросов пользователей
+log-queries: no
+
+# Месторасположение файла журнала событий
+logfile: "/var/log/unbound.log"
+
+# Использовать в журнале человекопонятный формат метки времени
+log-time-ascii: yes
+
+# Предписываем не дублировать сообщения о событиях в системный журнал
+use-syslog: no
+
+# Указвыаем актуальный перечень корневых DNS-серверов
+root-hints: "/etc/unbound/root.hints"
+
+# The following line will configure unbound to perform cryptographic
+# DNSSEC validation using the root trust anchor.
+auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+# Module  configuration,  a list of module names separated by spaces, 
+# surround the string with quotes ("")
+module-config: "validator iterator"
+
+# Aggressive NSEC uses the DNSSEC NSEC chain to  synthesize  NXDOMAIN  
+# and  other  denials, using information from previous NXDOMAINs answers.  
+# Default is no. It helps  to  reduce  the  query rate  towards  targets  
+# that  get  a  very high nonexistent name lookup rate.
+aggressive-nsec: yes
+
+# Time  to  live  maximum  for  RRsets  and messages in the cache.
+cache-max-ttl: 21600
+
+# Time  to  live  minimum  for  RRsets  and messages in the cache.
+cache-min-ttl: 2600
+
+# If yes, Unbound  doesn't  insert  authority/additional  sections
+# into  response  messages  when  those sections are not required.
+minimal-responses: yes
+
+# If yes, message cache elements are prefetched before they expire
+# to keep the cache up to date.  Default is  no.
+prefetch: yes
+
+# Detect source interface on UDP queries and copy them to replies.
+interface-automatic: yes
+
+# Send  minimum  amount  of  information  to  upstream  servers to
+# enhance privacy.
+qname-minimisation: yes
+
+# If yes, Unbound rotates RRSet order in response (the random num-
+# ber  is  taken  from the query ID, for speed and thread safety).
+rrset-roundrobin: yes
+
+# Use  0x20-encoded  random  bits  in  the  query  to  foil  spoof
+# attempts.  This perturbs the lowercase and  uppercase  of  query
+# names  sent  to  authority servers and checks if the reply still
+# has the correct casing.
+use-caps-for-id: yes
+
+# Number of bytes size of the RRset cache. Default is 4 megabytes.
+# A  plain  number  is  in bytes, append 'k', 'm' or 'g' for kilo-
+# bytes, megabytes or gigabytes (1024*1024 bytes in a megabyte).
+rrset-cache-size: 100m
+
+# Number  of  bytes  size  of  the  message  cache.  Default  is 4
+# megabytes.
+msg-cache-size: 50m
+
+# Set the SO_RCVBUF socket option to get more  buf-
+# fer space on UDP port 53 incoming queries.
+so-rcvbuf: 4m
+
+# Set the SO_SNDBUF socket option to get more buf-
+# fer space on UDP port 53 outgoing queries.
+so-sndbuf: 4m
+
+# Enable  ratelimiting  of queries sent to nameserver for performing
+# recursion.
+ratelimit: 1000
+
+# Enable or disable whether the  unbound  server  forks  into  the
+# background  as  a daemon.  Set the value to no when unbound runs
+# as systemd service.  Default is yes.
+do-daemonize: no
+
+# Harden against algorithm downgrade when multiple algorithms  are
+# advertised  in  the  DS record.  If no, allows the weakest algo-
+# rithm to validate the zone.
+harden-algo-downgrade: yes
+
+# Will  trust  glue  only  if  it is within the servers authority.
+harden-glue: yes
+
+# Number of hosts for which  information  is  cached.  
+infra-cache-numhosts: 10000
+
+# Number of ports to open. This number of file descriptors can  be
+# opened  per  thread.
+outgoing-range: 950
+
+# The number of queries that every thread will service  simultane-
+# ously.
+num-queries-per-thread: 512
+
+# Instruct  the  validator to remove data from the additional sec-
+# tion of secure messages that are not signed  properly.
+val-clean-additional: yes
+
+# Number  of  incoming TCP buffers to allocate per thread. Default
+# is 10. If set to 0, or if do-tcp is "no", no  TCP  queries  from
+# clients  are  accepted. For larger installations increasing this
+# value is a good idea.
+incoming-num-tcp: 100
+
+# Number of outgoing TCP buffers to allocate per  thread.  Default
+# is  10.  If  set  to  0, or if do-tcp is "no", no TCP queries to
+# authoritative  servers  are  done.   For  larger   installations
+# increasing this value is a good idea.
+outgoing-num-tcp: 100
+
+# Number of bytes size to advertise as the EDNS reassembly  buffer
+# size.   This  is  the  value put into datagrams over UDP towards
+# peers.  The actual buffer size is determined by  msg-buffer-size
+# (both  for  TCP  and  UDP).
+edns-buffer-size: 1232
+
+# If  yes,  deny  queries  of  type  ANY  with  an empty response.
+# Default is no.  If disabled, unbound responds with a short  list
+# of  resource records if some can be found in the cache and makes
+# the upstream type ANY query if there are none.
+deny-any: yes
+
+# Set the target fetch policy used by unbound to determine  if  it
+# should  fetch nameserver target addresses opportunistically. The
+# policy is described per dependency depth.
+# The number of values determines  the  maximum  dependency  depth
+# that  unbound  will  pursue in answering a query.  A value of -1
+# means to fetch all targets opportunistically for that dependency
+# depth.  A  value  of 0 means to fetch on demand only. A positive
+# value fetches that many targets opportunistically.
+# Enclose the list between quotes ("") and put spaces between num-
+# bers.   The default is "3 2 1 0 0". Setting all zeroes, "0 0 0 0
+# 0" gives behaviour closer to that of BIND 9, while  setting  "-1
+# -1  -1  -1  -1" gives behaviour rumoured to be closer to that of
+# BIND 8.
+target-fetch-policy: "2 1 0 0 0 0"
+
+# If  null or "", no file is used. Set it to the certificate bun-
+# dle file, for example "/etc/pki/tls/certs/ca-bundle.crt".  These
+# certificates  are  used  for  authenticating connections made to
+# outside peers.  For example auth-zone urls, and  also  DNS  over
+# TLS connections.
+tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+forward-zone:
+  name: "."
+  forward-tls-upstream: yes  
+  # Cloudflare DNS
+  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+  forward-addr: 1.1.1.1@853#cloudflare-dns.com
+  forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
+  forward-addr: 1.0.0.1@853#cloudflare-dns.com