From 084c85e436de18936afae51a7f05aa2669df23c3 Mon Sep 17 00:00:00 2001
From: Magic_RB <magic_rb@redalder.org>
Date: Thu, 15 Jun 2023 23:06:47 +0200
Subject: [PATCH] Add terranix config for ingress-toothpick container

Signed-off-by: Magic_RB <magic_rb@redalder.org>
---
 .../containers/ingress-toothpick/default.nix  |  29 ++
 terranix/containers/ingress-toothpick/job.hcl | 259 +++++++++++++
 .../ingress-toothpick/upstreams.conf          | 340 ++++++++++++++++++
 3 files changed, 628 insertions(+)
 create mode 100644 terranix/containers/ingress-toothpick/default.nix
 create mode 100644 terranix/containers/ingress-toothpick/job.hcl
 create mode 100644 terranix/containers/ingress-toothpick/upstreams.conf

diff --git a/terranix/containers/ingress-toothpick/default.nix b/terranix/containers/ingress-toothpick/default.nix
new file mode 100644
index 0000000..d947245
--- /dev/null
+++ b/terranix/containers/ingress-toothpick/default.nix
@@ -0,0 +1,29 @@
+{ elib, secret, ... }:
+let
+  inherit (elib)
+    nfsVolume
+    nomadJob;
+
+  flake_host = "";
+  flake_rev = "";
+  flake_ref = "";
+  flake_sha = "";
+in
+{
+  resource."nomad_volume"."ingress-letsencrypt" = nfsVolume {
+    volume_name = "ingress-letsencrypt";
+    access_mode = "single-node-writer";
+    server = secret.network.ips.blowhole.ip;
+    share = "/var/nfs/ingress-letsencrypt";
+    mount_flags = [ "nolock" "hard" ];
+  };
+
+  resource."nomad_job"."ingress" = nomadJob {
+    jobspec = ./job.hcl;
+    vars = {
+      flake_ref = "${flake_host}?rev=${flake_rev}&ref=${flake_ref}";
+      flake_sha = flake_sha;
+      upstreams = "\${file(\"${./upstreams.conf}\")}";
+    };
+  };
+}
diff --git a/terranix/containers/ingress-toothpick/job.hcl b/terranix/containers/ingress-toothpick/job.hcl
new file mode 100644
index 0000000..7481a84
--- /dev/null
+++ b/terranix/containers/ingress-toothpick/job.hcl
@@ -0,0 +1,259 @@
+variable "flake_ref" {
+  type = string
+}
+
+variable "flake_sha" {
+  type = string
+}
+
+variable "upstreams" {
+  type = string
+}
+
+job "ingress" {
+  datacenters = [ "do-1" ]
+  region = "do-1"
+  type = "service"
+
+  group "ingress" {
+    count = 1
+
+    constraint {
+      attribute = "${attr.unique.hostname}"
+      value = "toothpick"
+    }
+
+    volume "ingress-letsencrypt" {
+      type = "csi"
+      source = "ingress-letsencrypt"
+      read_only = false
+
+      attachment_mode = "file-system"
+      access_mode     = "single-node-writer"
+    }
+
+    network {
+      mode = "bridge"
+      port "http" {
+        static = 80
+        to = 80
+        host_network = "public"
+      }
+
+      port "http-matrix" {
+        static = 8448
+        to = 8448
+        host_network = "public"
+      }
+
+      port "https" {
+        static = 443
+        to = 443
+        host_network = "public"
+      }
+
+      port "minecraft" {
+        static = 25565
+        to = 25565
+        host_network = "public"
+      }
+    }
+
+    service {
+      name = "ingress-toothpick"
+      port = "http"
+
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "gitea"
+              local_bind_port  = 3000
+              datacenter = "homelab-1"
+
+              mesh_gateway {
+                mode = "local"
+              }
+            }
+
+            upstreams {
+              destination_name = "hydra"
+              local_bind_port  = 8666
+              datacenter = "homelab-1"
+
+              mesh_gateway {
+                mode = "local"
+              }
+            }
+
+            upstreams {
+              destination_name = "nextcloud"
+              local_bind_port  = 8777
+              datacenter = "homelab-1"
+
+              mesh_gateway {
+                mode = "local"
+              }
+            }
+
+            upstreams {
+              destination_name = "website"
+              local_bind_port  = 8080
+              datacenter = "homelab-1"
+
+              mesh_gateway {
+                mode = "local"
+              }
+            }
+
+            upstreams {
+              destination_name = "minecraft"
+              local_bind_port  = 2666
+              datacenter = "homelab-1"
+
+              mesh_gateway {
+                mode = "local"
+              }
+            }
+
+            upstreams {
+              destination_name = "reicio"
+              local_bind_port  = 8000
+              datacenter = "homelab-1"
+
+              mesh_gateway {
+                mode = "local"
+              }
+            }
+
+            upstreams {
+              destination_name = "matrix-synapse"
+              local_bind_port  = 6167
+              datacenter = "homelab-1"
+
+              mesh_gateway {
+                mode = "local"
+              }
+            }
+
+            upstreams {
+              destination_name = "matrix-synapse-client"
+              local_bind_port  = 6168
+              datacenter = "homelab-1"
+
+              mesh_gateway {
+                mode = "local"
+              }
+            }
+
+            upstreams {
+              destination_name = "matrix-synapse-federation-receiver"
+              local_bind_port  = 6169
+              datacenter = "homelab-1"
+
+              mesh_gateway {
+                mode = "local"
+              }
+            }
+
+            upstreams {
+              destination_name = "matrix-synapse-sync"
+              local_bind_port  = 6170
+              datacenter = "homelab-1"
+
+              mesh_gateway {
+                mode = "local"
+              }
+            }
+          }
+        }
+      }
+    }
+
+    task "nginx" {
+      driver = "docker"
+
+      volume_mount {
+        volume = "ingress-letsencrypt"
+        destination = "/etc/letsencrypt"
+        read_only = false
+      }
+
+      config {
+        nix_flake_ref = "${var.flake_ref}#nixngSystems.ingressToothpick.config.system.build.toplevel"
+        nix_flake_sha = var.flake_sha
+        entrypoint = [ "init" ]
+      }
+
+      resources {
+        cpu = 200
+        memory = 128
+      }
+
+      template {
+        data = <<EOF
+ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
+ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+EOF
+        destination   = "local/ssl.conf"
+        change_mode   = "signal"
+        change_signal = "SIGHUP"
+      }
+
+      template {
+        data = <<EOF
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+EOF
+        destination   = "local/headers.conf"
+        change_mode   = "signal"
+        change_signal = "SIGHUP"
+      }
+
+      template {
+        data = <<EOF
+add_header X-Frame-Options "SAMEORIGIN";
+add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+EOF
+        destination   = "local/security.conf"
+        change_mode   = "signal"
+        change_signal = "SIGHUP"
+      }
+
+      template {
+        data = <<EOF
+upstream minecraft {
+  server {{ env "NOMAD_UPSTREAM_ADDR_minecraft" }};
+}
+
+server {
+  listen 25565;
+
+  proxy_pass minecraft;
+}
+EOF
+        destination   = "local/streams.conf"
+        change_mode   = "signal"
+        change_signal = "SIGHUP"
+      }
+
+      template {
+        data = var.upstreams
+        destination   = "local/upstreams.conf"
+        change_mode   = "signal"
+        change_signal = "SIGHUP"
+      }
+    }
+  }
+}
diff --git a/terranix/containers/ingress-toothpick/upstreams.conf b/terranix/containers/ingress-toothpick/upstreams.conf
new file mode 100644
index 0000000..cb7f7b1
--- /dev/null
+++ b/terranix/containers/ingress-toothpick/upstreams.conf
@@ -0,0 +1,340 @@
+upstream gitea {
+  server {{ env "NOMAD_UPSTREAM_ADDR_gitea" }};
+}
+
+upstream hydra {
+  server {{ env "NOMAD_UPSTREAM_ADDR_hydra" }};
+}
+
+upstream nextcloud {
+  server {{ env "NOMAD_UPSTREAM_ADDR_nextcloud" }};
+}
+
+upstream website {
+  server {{ env "NOMAD_UPSTREAM_ADDR_website" }};
+}
+
+upstream reicio {
+  server {{ env "NOMAD_UPSTREAM_ADDR_reicio" }};
+}
+
+upstream matrix-synapse {
+  server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse" }};
+}
+
+upstream matrix-synapse-federation-receiver {
+  server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_federation_receiver" }};
+}
+
+upstream matrix-synapse-client {
+  server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_client" }};
+}
+
+upstream matrix-synapse-sync {
+  server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse_sync" }};
+}
+
+upstream matrix-mautrix-facebook {
+  server {{ env "NOMAD_UPSTREAM_ADDR_matrix-mautrix-facebook" }};
+}
+
+server {
+  listen 443 ssl http2;
+
+  server_name _;
+
+  include /local/ssl.conf;
+
+  return 404;
+}
+
+server {
+  listen 443 ssl http2;
+
+  server_name gitea.redalder.org;
+
+  include /local/security.conf;
+  include /local/ssl.conf;
+
+  client_max_body_size 100M;
+
+  location / {
+    include /local/headers.conf;
+    proxy_pass http://gitea;
+  }
+}
+
+server {
+  listen 443 ssl http2;
+
+  server_name hydra.redalder.org;
+
+  include /local/security.conf;
+  include /local/ssl.conf;
+
+  location / {
+    include /local/headers.conf;
+    proxy_pass http://hydra;
+  }
+}
+
+server {
+  listen 443 ssl http2;
+
+  server_name redalder.org nixng.org;
+
+  include /local/security.conf;
+  include /local/ssl.conf;
+
+  location /nextcloud/ {
+    include /local/headers.conf;
+    proxy_pass http://nextcloud/;
+  }
+
+  location /reicio/ {
+    include /local/headers.conf;
+    proxy_pass http://reicio/;
+  }
+
+  location / {
+    include /local/headers.conf;
+    proxy_pass http://website;
+  }
+}
+
+server {
+  listen 443 ssl http2;
+  listen 8448 ssl http2;
+
+  server_name matrix.redalder.org;
+  merge_slashes off;
+
+  # sync
+  location ~ ^/_matrix/client/(r0|v3)/sync$|^/_matrix/client/(api/v1|r0|v3)/events$|^/_matrix/client/(api/v1|r0|v3)/initialSync$|^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse-sync;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  # federation
+  location ~ ^/_matrix/federation/v1/event/|^/_matrix/federation/v1/state/|^/_matrix/federation/v1/state_ids/|^/_matrix/federation/v1/backfill/|^/_matrix/federation/v1/get_missing_events/|^/_matrix/federation/v1/publicRooms|^/_matrix/federation/v1/query/|^/_matrix/federation/v1/make_join/|^/_matrix/federation/v1/make_leave/|^/_matrix/federation/(v1|v2)/send_join/|^/_matrix/federation/(v1|v2)/send_leave/|^/_matrix/federation/(v1|v2)/invite/|^/_matrix/federation/v1/event_auth/|^/_matrix/federation/v1/timestamp_to_event/|^/_matrix/federation/v1/exchange_third_party_invite/|^/_matrix/federation/v1/user/devices/|^/_matrix/key/v2/query|^/_matrix/federation/v1/hierarchy/ {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse-federation-receiver;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  # inbound federation requests
+  location ~ ^/_matrix/federation/v1/send/ {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse-federation-receiver;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  # client api
+  location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$|^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$|^/_matrix/client/v1/rooms/.*/hierarchy$|^/_matrix/client/(v1|unstable)/rooms/.*/relations/|^/_matrix/client/v1/rooms/.*/threads$|^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$|^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$|^/_matrix/client/(r0|v3|unstable)/account/3pid$|^/_matrix/client/(r0|v3|unstable)/account/whoami$|^/_matrix/client/(r0|v3|unstable)/devices$|^/_matrix/client/versions$|^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/|^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$|^/_matrix/client/v1/rooms/.*/timestamp_to_event$|^/_matrix/client/(api/v1|r0|v3|unstable/.*)/rooms/.*/aliases|^/_matrix/client/(api/v1|r0|v3|unstable)/search$|^/_matrix/client/(r0|v3|unstable)/user/.*/filter(/|$) {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse-client;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  # encryption
+  location ~ ^/_matrix/client/(r0|v3|unstable)/keys/query$|^/_matrix/client/(r0|v3|unstable)/keys/changes$|^/_matrix/client/(r0|v3|unstable)/keys/claim$|^/_matrix/client/(r0|v3|unstable)/room_keys/|^/_matrix/client/(r0|v3|unstable)/keys/upload/ {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse-client;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  # registration login
+  location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login$|^/_matrix/client/(r0|v3|unstable)/register$|^/_matrix/client/(r0|v3|unstable)/register/available$|^/_matrix/client/v1/register/m.login.registration_token/validity$|^/_matrix/client/(r0|v3|unstable)/password_policy$ {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse-client;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  # event sending
+  location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/|^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$|^/_matrix/client/(api/v1|r0|v3|unstable)/join/|^/_matrix/client/(api/v1|r0|v3|unstable)/knock/|^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse-client;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  # account data
+  location ~ ^/_matrix/client/(r0|v3|unstable)/.*/tags|^/_matrix/client/(r0|v3|unstable)/.*/account_data {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  # receipts requests
+  location ~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt|^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  # presence requests
+  location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/ {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  # user directory search
+  location ~ ^/_matrix/client/(r0|v3|unstable)/user_directory/search$ {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse-client;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  # the rest
+  location ~ ^(/.well-known|/_matrix|/_synapse/client) {
+      # note: do not add a path (even a single /) after the port in `proxy_pass`,
+      # otherwise nginx will canonicalise the URI and cause signature verification
+      # errors.
+      proxy_pass http://matrix-synapse;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $host;
+
+      # Nginx by default only allows file uploads up to 1M in size
+      # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+      client_max_body_size 50M;
+
+      # Synapse responses may be chunked, which is an HTTP/1.1 feature.
+      proxy_http_version 1.1;
+  }
+
+  location /mufb/ {
+      proxy_pass http://matrix-mautrix-facebook$request_uri;
+      proxy_set_header Host $http_host;
+      proxy_buffering off;
+  }
+
+  location / {
+    return 404;
+  }
+
+  include /local/security.conf;
+  include /local/ssl.conf;
+}
\ No newline at end of file