
@InternalLoss
Last active April 22, 2024 02:08

These are my own setup notes; there is no warranty or liability!

  1. Install Ubuntu ${LATEST} LTS, update/upgrade all packages, and do not install the distribution's normal NGINX package.
  2. Install legacy-nginx following instructions at https://github.com/rem-verse/legacy-nginx.
  3. Create a DS certificate using https://github.com/KaeruTeam/nds-constraint - make sure you concatenate nwc.crt onto the server certificate, as NGINX, unlike Apache, has no separate chain-file directive. (Also, maybe a Wii certificate using https://github.com/shutterbug2000/wii-ssl-bug - TODO ask Shutter if self-signed is ok).
  4. Copy NGINX config to /usr/local/nginx/conf/nginx.conf.

Configs!

nginx.conf

# Loaded as a dynamic module from the legacy-nginx prefix; it provides the
# stream {} block below (ssl_preread + per-protocol proxy_pass).
load_module /usr/local/nginx/modules/ngx_stream_module.so;

events
{
	# Per-worker connection cap, copied from a stock config rather than sized for
	# this deployment. Each client costs one slot on the stream front end plus one
	# on the http backend it is forwarded to, so size it accordingly.
	worker_connections 768; # Copied, should probably be worth working out a 'sane' default here?
}

stream
{
	# Layer-4 front door on :443. The ClientHello is peeked (ssl_preread) without
	# terminating TLS here; the protocol version decides which loopback http
	# listener actually terminates the connection.

	# This server block will handle TLS 1.2/1.3 - maybe have a normal website here?
	# NOTE(review): TLS 1.3 needs OpenSSL 1.1.1 or newer; 1.0.2u will not negotiate
	# it - confirm which OpenSSL legacy-nginx is linked against.
	upstream https_default_backend
	{
		server 127.0.0.1:8443;
	}
	# This server block will handle any/all SSLv3 connections (the DS listener in
	# sites-enabled/dls1.conf).
	upstream ds_backend
	{
		server 127.0.0.1:8003;
	}

	# Same idea, but for TLSv1 (the Wii listener in sites-enabled/dls1.conf).
	upstream wii_backend
	{
		server 127.0.0.1:8010;
	}

	# Route purely on the client's advertised protocol version. Anything that is
	# not recognised as SSLv3/TLSv1 - including non-TLS junk sent to :443 - falls
	# through to the default backend.
	map $ssl_preread_protocol $upstream
	{
		default https_default_backend; # NB: This will also handle TLSv1.1 - which I hope your website isn't using!
		"TLSv1" wii_backend;
		"SSLv3" ds_backend;
	}

	server
	{
		listen 443;
		listen [::]:443;
		ssl_preread on;
		# PROXY protocol is prepended on every forwarded connection, so EVERY backend
		# listed above must have `proxy_protocol` on its listen line or it will see
		# the PROXY header as garbage; 8003 and 8010 do, 8443 is not shown here.
		proxy_protocol on; # Passes along IP/etc, https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
		proxy_pass $upstream;
	}

}

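http
{
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	include /usr/local/nginx/conf/mime.types;
	default_type application/octet-stream;
	ssl_prefer_server_ciphers on;
	gzip on;
	underscores_in_headers on;
	keepalive_requests 256;

	# http-level TLS settings are inherited by every server {} that does not set
	# its own. Only the DS (SSLv3) and Wii (TLSv1) loopback listeners need the
	# legacy protocols, and both set ssl_protocols/ssl_ciphers explicitly, so the
	# default here stays modern. Previously this line enabled SSLv2 through
	# TLSv1.3 for any server that forgot to override it (e.g. the 8443 site).
	ssl_protocols TLSv1.2 TLSv1.3;
	# nginx's own default cipher list; the legacy listeners override it locally.
	ssl_ciphers "HIGH:!aNULL:!MD5";

	# load configs
	# NOTE(review): the site files in this gist are named sites-available/*.conf;
	# they must be linked into sites-enabled/ for the second include to load them.
	include /usr/local/nginx/conf.d/*.conf;
	include /usr/local/nginx/sites-enabled/*;
}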

sites-available/dls1.conf

server
	{
		# DS listener. Loopback-only; it is only reached through the stream {} front
		# end, which forwards SSLv3 ClientHellos here with a PROXY header prepended.
		listen 127.0.0.1:8003 ssl proxy_protocol;

		# Remember, DS doesn't send SNI - this is more for your own peace of mind/NGINX SSL cert checking.
		server_name dls1.ilostmymind.xyz;

		# server.crt is expected to carry nwc.crt concatenated after the leaf (see setup step 3).
		ssl_certificate /usr/local/nginx/ssl/dls1-ds/server.crt;
		ssl_certificate_key /usr/local/nginx/ssl/dls1-ds/server.key;

		# SSLv3 plus an unrestricted cipher list is deliberate - the stream map sends
		# SSLv3 clients (the DS) here. Keep this confined to this loopback listener
		# rather than loosening the http-level defaults to match.
		ssl_protocols SSLv3;
		ssl_ciphers "ALL:!aNULL:";
		underscores_in_headers on;
		keepalive_requests 256;

		location /
		{
			proxy_buffering off;
			proxy_pass http://127.0.0.1:9000;
			# The real client address comes from the PROXY header, not the loopback
			# peer. proxy_set_header replaces any client-supplied X-Forwarded-For
			# rather than appending to it, so the backend cannot be fed a spoofed one.
			proxy_set_header X-Forwarded-For $proxy_protocol_addr;
			proxy_set_header X-Forwarded-Port $proxy_protocol_port;
			keepalive_requests 256;
		}
	}
server
	{
		# Wii listener. Loopback-only; reached through the stream {} front end, which
		# forwards TLSv1 ClientHellos here with a PROXY header prepended.
		listen 127.0.0.1:8010 ssl proxy_protocol;

		# Copied from the DS block; assumed the Wii client sends no SNI either - TODO
		# confirm. server_name is mostly for your own peace of mind/NGINX SSL cert checking.
		server_name dls1.ilostmymind.xyz;

		# Separate cert from the DS one (see the wii-ssl-bug TODO in setup step 3).
		ssl_certificate /usr/local/nginx/ssl/dls1-wii/server.crt;
		ssl_certificate_key /usr/local/nginx/ssl/dls1-wii/server.key;

		# TLSv1 plus an unrestricted cipher list is deliberate - the stream map sends
		# TLSv1 clients (the Wii) here. Keep it confined to this loopback listener.
		ssl_protocols TLSv1;
		ssl_ciphers "ALL:!aNULL:";
		underscores_in_headers on;
		keepalive_requests 256;

		location /
		{
			proxy_buffering off;
			proxy_pass http://127.0.0.1:9000;
			# Client address from the PROXY header; proxy_set_header overwrites any
			# client-supplied X-Forwarded-For rather than appending.
			proxy_set_header X-Forwarded-For $proxy_protocol_addr;
			proxy_set_header X-Forwarded-Port $proxy_protocol_port;
			keepalive_requests 256;
		}
	}

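server {
	# Plain-HTTP entry point, reached directly by clients (not via the stream {}
	# front end).
	listen 80;
	listen [::]:80;

	server_name dls1.ilostmymind.xyz dls1.wiimmfi.de;

	location /
	{
		proxy_buffering off;
		proxy_pass http://127.0.0.1:9000;
		# No `proxy_protocol` on the listen lines above, so $proxy_protocol_addr and
		# $proxy_protocol_port are always empty here and the backend would see a
		# blank X-Forwarded-For. Use the TCP peer, as gamestats.conf already does.
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header X-Forwarded-Port $remote_port;
		keepalive_requests 256;
	}

}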

sites-available/gamestats.conf

server {
	# Plain-HTTP gamestats front end; clients connect here directly, so the
	# $remote_* variables are the real peer.
	listen 80;
	listen [::]:80;

	server_name gamestats.gs.wiimmfi.de gamestats2.gs.wiimmfi.de gamestats.gs.nintendowifi.net gamestats2.gs.nintendowifi.net *.gamestats.gs.wiimmfi.de *.gamestats2.gs.wiimmfi.de *.gamestats.gs.nintendowifi.net *.gamestats2.gs.nintendowifi.net;

	# Default: local gamestats backend on 9090.
	location /
		{
			proxy_buffering off;
			proxy_pass http://127.0.0.1:9090;
			# proxy_set_header overwrites any client-supplied X-Forwarded-For.
			proxy_set_header X-Forwarded-For $remote_addr;
			proxy_set_header X-Forwarded-Port $remote_port;
			keepalive_requests 256;
		}

		# The four Pokemon paths below are handed to a third-party host
		# (gamestats2.gs.pkmnclassic.net) over plain HTTP, with the Host header
		# rewritten to the original Nintendo name. Everything passes in clear text
		# across the internet, and nginx resolves that hostname when the config is
		# loaded, so a DNS change on their side needs a reload here.
		location /syachi2ds/
		{
			proxy_set_header Host gamestats2.gs.nintendowifi.net;
			proxy_buffering off;
			proxy_pass http://gamestats2.gs.pkmnclassic.net/syachi2ds/;
			proxy_set_header X-Forwarded-For $remote_addr;
			proxy_set_header X-Forwarded-Port $remote_port;
			keepalive_requests 256;
		}

		location /pokemondpds/
		{
			proxy_set_header Host gamestats2.gs.nintendowifi.net;
			proxy_buffering off;
			proxy_pass http://gamestats2.gs.pkmnclassic.net/pokemondpds/;
			proxy_set_header X-Forwarded-For $remote_addr;
			proxy_set_header X-Forwarded-Port $remote_port;
			keepalive_requests 256;
		}

		location /pokedungeonds/
		{
			proxy_set_header Host gamestats2.gs.nintendowifi.net;
			proxy_buffering off;
			proxy_pass http://gamestats2.gs.pkmnclassic.net/pokedungeonds/;
			proxy_set_header X-Forwarded-For $remote_addr;
			proxy_set_header X-Forwarded-Port $remote_port;
			keepalive_requests 256;
		}

		location /pokedngnwii/
		{
			proxy_set_header Host gamestats2.gs.nintendowifi.net;
			proxy_buffering off;
			proxy_pass http://gamestats2.gs.pkmnclassic.net/pokedngnwii/;
			proxy_set_header X-Forwarded-For $remote_addr;
			proxy_set_header X-Forwarded-Port $remote_port;
			keepalive_requests 256;
		}
}