From 6762612f2c1c082f957dc5a8a7f265833ae0cdc6 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sat, 12 Jun 2021 17:50:22 +0100
Subject: [PATCH 01/12] Test with no metadata alteration

---
 media.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/media.py b/media.py
index 14dd997d3..5194d30e6 100644
--- a/media.py
+++ b/media.py
@@ -113,11 +113,13 @@ def processMetaData(baseDir: str, nickname: str, domain: str,
     """Handles image metadata. This tries to spoof the metadata
     if possible, but otherwise just removes it
     """
+    copyfile(imageFilename, outputFilename)
+    
     # first remove the metadata
-    _removeMetaData(imageFilename, outputFilename)
+    # _removeMetaData(imageFilename, outputFilename)
 
     # now add some spoofed data to misdirect surveillance capitalists
-    _spoofMetaData(baseDir, nickname, domain, outputFilename, city)
+    # _spoofMetaData(baseDir, nickname, domain, outputFilename, city)
 
 
 def _isMedia(imageFilename: str) -> bool:

From 1a4a41057b49744109815edfbb68f524b69eea19 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sat, 12 Jun 2021 17:57:57 +0100
Subject: [PATCH 02/12] Restore metadata handling

---
 media.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/media.py b/media.py
index 5194d30e6..14dd997d3 100644
--- a/media.py
+++ b/media.py
@@ -113,13 +113,11 @@ def processMetaData(baseDir: str, nickname: str, domain: str,
     """Handles image metadata. This tries to spoof the metadata
     if possible, but otherwise just removes it
     """
-    copyfile(imageFilename, outputFilename)
-    
     # first remove the metadata
-    # _removeMetaData(imageFilename, outputFilename)
+    _removeMetaData(imageFilename, outputFilename)
 
     # now add some spoofed data to misdirect surveillance capitalists
-    # _spoofMetaData(baseDir, nickname, domain, outputFilename, city)
+    _spoofMetaData(baseDir, nickname, domain, outputFilename, city)
 
 
 def _isMedia(imageFilename: str) -> bool:

From cf47c90e2ce954884115abb78f3c8c4585b46bcf Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sat, 12 Jun 2021 18:32:14 +0100
Subject: [PATCH 03/12] Add expires header

---
 daemon.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/daemon.py b/daemon.py
index b1a63181c..c962c9a4b 100644
--- a/daemon.py
+++ b/daemon.py
@@ -613,6 +613,7 @@ class PubServer(BaseHTTPRequestHandler):
         self.send_header('Cache-Control', 'public')
         self.send_header('Referrer-Policy', 'origin')
         self.send_header('Accept-Ranges', 'none')
+        self.send_header('Expires', 'Sun, 12 Jun 2050 17:28:50 GMT')
 
     def _set_headers(self, fileFormat: str, length: int, cookie: str,
                      callingDomain: str) -> None:

From 7659ad2887129b580f09e5ac08959c1ba97d439d Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sat, 12 Jun 2021 19:11:44 +0100
Subject: [PATCH 04/12] Remove expires header

---
 daemon.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/daemon.py b/daemon.py
index c962c9a4b..b1a63181c 100644
--- a/daemon.py
+++ b/daemon.py
@@ -613,7 +613,6 @@ class PubServer(BaseHTTPRequestHandler):
         self.send_header('Cache-Control', 'public')
         self.send_header('Referrer-Policy', 'origin')
         self.send_header('Accept-Ranges', 'none')
-        self.send_header('Expires', 'Sun, 12 Jun 2050 17:28:50 GMT')
 
     def _set_headers(self, fileFormat: str, length: int, cookie: str,
                      callingDomain: str) -> None:

From 38e7dd1898374dda00849474c46a0d6b99cba215 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sat, 12 Jun 2021 21:16:31 +0100
Subject: [PATCH 05/12] Extra cache control

---
 daemon.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/daemon.py b/daemon.py
index b1a63181c..5b0216b8e 100644
--- a/daemon.py
+++ b/daemon.py
@@ -610,6 +610,7 @@ class PubServer(BaseHTTPRequestHandler):
         self.send_header('X-Robots-Tag',
                          'noindex, nofollow, noarchive, nosnippet')
         self.send_header('X-Clacks-Overhead', 'GNU Natalie Nguyen')
+        self.send_header('Cache-Control', 'max-age=31536000')
         self.send_header('Cache-Control', 'public')
         self.send_header('Referrer-Policy', 'origin')
         self.send_header('Accept-Ranges', 'none')

From a9ab1873cd89d484141bedd1123cd46a80874bac Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sat, 12 Jun 2021 22:09:10 +0100
Subject: [PATCH 06/12] Remove robots

---
 daemon.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/daemon.py b/daemon.py
index 5b0216b8e..4ce76fc38 100644
--- a/daemon.py
+++ b/daemon.py
@@ -607,13 +607,11 @@ class PubServer(BaseHTTPRequestHandler):
             self.send_header('Cookie', cookieStr)
         self.send_header('Host', callingDomain)
         self.send_header('InstanceID', self.server.instanceId)
-        self.send_header('X-Robots-Tag',
-                         'noindex, nofollow, noarchive, nosnippet')
+        # self.send_header('X-Robots-Tag',
+        #                  'noindex, nofollow, noarchive, nosnippet')
         self.send_header('X-Clacks-Overhead', 'GNU Natalie Nguyen')
         self.send_header('Cache-Control', 'max-age=31536000')
         self.send_header('Cache-Control', 'public')
-        self.send_header('Referrer-Policy', 'origin')
-        self.send_header('Accept-Ranges', 'none')
 
     def _set_headers(self, fileFormat: str, length: int, cookie: str,
                      callingDomain: str) -> None:

From f20fcdb30049fb7bc50e368cf04a62b450be7703 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sat, 12 Jun 2021 22:14:00 +0100
Subject: [PATCH 07/12] Tidying

---
 daemon.py | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/daemon.py b/daemon.py
index 4ce76fc38..91bbcca55 100644
--- a/daemon.py
+++ b/daemon.py
@@ -553,10 +553,6 @@ class PubServer(BaseHTTPRequestHandler):
         self.send_header('Host', callingDomain)
         self.send_header('WWW-Authenticate',
                          'title="Login to Epicyon", Basic realm="epicyon"')
-        # self.send_header('X-Robots-Tag',
-        #                  'noindex, nofollow, noarchive, nosnippet')
-        # self.send_header('Cache-Control', 'public')
-        # self.send_header('Referrer-Policy', 'origin')
         self.end_headers()
 
     def _logout_headers(self, fileFormat: str, length: int,
@@ -568,10 +564,6 @@ class PubServer(BaseHTTPRequestHandler):
         self.send_header('Host', callingDomain)
         self.send_header('WWW-Authenticate',
                          'title="Login to Epicyon", Basic realm="epicyon"')
-        # self.send_header('X-Robots-Tag',
-        #                  'noindex, nofollow, noarchive, nosnippet')
-        # self.send_header('Cache-Control', 'public')
-        # self.send_header('Referrer-Policy', 'origin')
         self.end_headers()
 
     def _logout_redirect(self, redirect: str, cookie: str,
@@ -586,10 +578,6 @@ class PubServer(BaseHTTPRequestHandler):
         self.send_header('Host', callingDomain)
         self.send_header('InstanceID', self.server.instanceId)
         self.send_header('Content-Length', '0')
-        # self.send_header('X-Robots-Tag',
-        #                  'noindex, nofollow, noarchive, nosnippet')
-        # self.send_header('Cache-Control', 'public')
-        # self.send_header('Referrer-Policy', 'origin')
         self.end_headers()
 
     def _set_headers_base(self, fileFormat: str, length: int, cookie: str,
@@ -607,8 +595,6 @@ class PubServer(BaseHTTPRequestHandler):
             self.send_header('Cookie', cookieStr)
         self.send_header('Host', callingDomain)
         self.send_header('InstanceID', self.server.instanceId)
-        # self.send_header('X-Robots-Tag',
-        #                  'noindex, nofollow, noarchive, nosnippet')
         self.send_header('X-Clacks-Overhead', 'GNU Natalie Nguyen')
         self.send_header('Cache-Control', 'max-age=31536000')
         self.send_header('Cache-Control', 'public')
@@ -616,7 +602,6 @@ class PubServer(BaseHTTPRequestHandler):
     def _set_headers(self, fileFormat: str, length: int, cookie: str,
                      callingDomain: str) -> None:
         self._set_headers_base(fileFormat, length, cookie, callingDomain)
-        # self.send_header('Cache-Control', 'public, max-age=0')
         self.end_headers()
 
     def _set_headers_head(self, fileFormat: str, length: int, etag: str,

From 0924a02ca81cd1aac107392f5ca0d21fe4d74c3a Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sat, 12 Jun 2021 23:34:33 +0100
Subject: [PATCH 08/12] Check that registrations are open

---
 epicyon.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/epicyon.py b/epicyon.py
index c1dfa5794..0adaef6c3 100644
--- a/epicyon.py
+++ b/epicyon.py
@@ -900,9 +900,10 @@ else:
 
 # if this is the initial run then allow new registrations
 if not getConfigParam(baseDir, 'registration'):
-    setConfigParam(baseDir, 'registration', 'open')
-    setConfigParam(baseDir, 'maxRegistrations', str(maxRegistrations))
-    setConfigParam(baseDir, 'registrationsRemaining', str(maxRegistrations))
+    if args.registration.lower() == 'open':
+        setConfigParam(baseDir, 'registration', 'open')
+        setConfigParam(baseDir, 'maxRegistrations', str(maxRegistrations))
+        setConfigParam(baseDir, 'registrationsRemaining', str(maxRegistrations))
 
 if args.resetregistrations:
     setConfigParam(baseDir, 'registrationsRemaining', str(maxRegistrations))

From 1224540e2cbc4080474eb20babfed064fd93a080 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sat, 12 Jun 2021 23:38:56 +0100
Subject: [PATCH 09/12] Max age of zero

---
 daemon.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemon.py b/daemon.py
index 91bbcca55..bec263466 100644
--- a/daemon.py
+++ b/daemon.py
@@ -596,7 +596,7 @@ class PubServer(BaseHTTPRequestHandler):
         self.send_header('Host', callingDomain)
         self.send_header('InstanceID', self.server.instanceId)
         self.send_header('X-Clacks-Overhead', 'GNU Natalie Nguyen')
-        self.send_header('Cache-Control', 'max-age=31536000')
+        self.send_header('Cache-Control', 'max-age=0')
         self.send_header('Cache-Control', 'public')
 
     def _set_headers(self, fileFormat: str, length: int, cookie: str,

From eada89fee816c35b39d7e8116a2d58f8f0f96381 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sun, 13 Jun 2021 09:48:59 +0100
Subject: [PATCH 10/12] Replace paths for local avatars

---
 webapp_profile.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/webapp_profile.py b/webapp_profile.py
index 00ff979dc..17dd6930e 100644
--- a/webapp_profile.py
+++ b/webapp_profile.py
@@ -472,9 +472,7 @@ def htmlProfile(rssIconAtTop: bool,
         addEmojiToDisplayName(baseDir, httpPrefix,
                               nickname, domain,
                               profileJson['name'], True)
-    domainFull = domain
-    if port:
-        domainFull = domain + ':' + str(port)
+    domainFull = getFullDomain(domain, port)
     profileDescription = \
         addEmojiToDisplayName(baseDir, httpPrefix,
                               nickname, domain,
@@ -666,6 +664,11 @@ def htmlProfile(rssIconAtTop: bool,
         occupationName = getOccupationName(profileJson)
 
     avatarUrl = profileJson['icon']['url']
+    # use alternate path for local avatars to avoid any caching issues
+    if '://' + domainFull + '/accounts/avatars/' in avatarUrl:
+        avatarUrl = \
+            avatarUrl.replace('://' + domainFull + '/accounts/avatars/',
+                              '://' + domainFull + '/users/')
 
     # get pinned post content
     accountDir = baseDir + '/accounts/' + nickname + '@' + domain

From c6660f6d33084876161e132971fdc33efd6ec8ac Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sun, 13 Jun 2021 10:01:22 +0100
Subject: [PATCH 11/12] Line length

---
 epicyon.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/epicyon.py b/epicyon.py
index 0adaef6c3..762e43d7d 100644
--- a/epicyon.py
+++ b/epicyon.py
@@ -903,7 +903,8 @@ if not getConfigParam(baseDir, 'registration'):
     if args.registration.lower() == 'open':
         setConfigParam(baseDir, 'registration', 'open')
         setConfigParam(baseDir, 'maxRegistrations', str(maxRegistrations))
-        setConfigParam(baseDir, 'registrationsRemaining', str(maxRegistrations))
+        setConfigParam(baseDir, 'registrationsRemaining',
+                       str(maxRegistrations))
 
 if args.resetregistrations:
     setConfigParam(baseDir, 'registrationsRemaining', str(maxRegistrations))

From 0aa62520778f29484a3dc971d654548d2fb46ccf Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Sun, 13 Jun 2021 10:15:32 +0100
Subject: [PATCH 12/12] Update documentation for cache

---
 README.md             |   8 ++-
 gemini/EN/install.gmi |  29 ++------
 website/EN/index.html | 163 +++++++++++++++++++-----------------------
 3 files changed, 83 insertions(+), 117 deletions(-)

diff --git a/README.md b/README.md
index d3aa297e1..7beb9a1bc 100644
--- a/README.md
+++ b/README.md
@@ -179,8 +179,12 @@ server {
         proxy_buffers 16 32k;
         proxy_busy_buffers_size 64k;
         proxy_redirect off;
-        proxy_request_buffering on;
-        proxy_buffering on;
+        proxy_request_buffering off;
+        proxy_buffering off;
+        location ~ ^/accounts/(avatars|headers)/(.*).(png|jpg|gif|webp|svg) {
+          expires 1d;
+          proxy_pass http://localhost:7156;
+        }
         proxy_pass http://localhost:7156;
     }
 }
diff --git a/gemini/EN/install.gmi b/gemini/EN/install.gmi
index 5b42d03fd..23f342289 100644
--- a/gemini/EN/install.gmi
+++ b/gemini/EN/install.gmi
@@ -125,8 +125,6 @@ And paste the following:
             proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forward-Proto http;
             proxy_set_header X-Nginx-Proxy true;
-     	    expires epoch;
-            proxy_no_cache 1;
             proxy_temp_file_write_size 64k;
             proxy_connect_timeout 10080s;
             proxy_send_timeout 10080;
@@ -135,28 +133,11 @@ And paste the following:
             proxy_buffers 16 32k;
             proxy_busy_buffers_size 64k;
             proxy_redirect off;
-            proxy_request_buffering on;
-            proxy_buffering on;
-	    proxy_cache my_cache;
-	    proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
-	    location ~ ^/(icons|images|media|emoji)/(.*)/(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {
-	    	expires 7d;
-                proxy_pass http://localhost:7156;
-            }
-            location ~ ^/icons/(.*)/(like|repeat|calendar)(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {
-                expires epoch;
-                proxy_no_cache 1;
-                proxy_pass http://localhost:7156;
-            }
-            location ~ ^/icons/(like|repeat|calendar)(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {
-                expires epoch;
-                proxy_no_cache 1;
-                proxy_pass http://localhost:7156;
-            }
-            location ~ ^/users/(.*)/(image|banner).png {
-                expires epoch;
-                proxy_no_cache 1;
-                proxy_pass http://localhost:7156;
+            proxy_request_buffering off;
+            proxy_buffering off;
+	    location ~ ^/accounts/(avatars|headers)/(.*).(png|jpg|gif|webp|svg) {
+              expires 1d;
+              proxy_pass http://localhost:7156;
             }
             proxy_pass http://localhost:7156;
         }
diff --git a/website/EN/index.html b/website/EN/index.html
index 37da861a8..45f5f41e6 100644
--- a/website/EN/index.html
+++ b/website/EN/index.html
@@ -1374,101 +1374,82 @@
                        inactive=60m use_temp_path=off;
 
       server {<br>
-      listen 80;<br>
-      listen [::]:80;<br>
-      server_name YOUR_DOMAIN;<br>
-      access_log /dev/null;<br>
-      error_log /dev/null;<br>
-      client_max_body_size 31m;<br>
-      client_body_buffer_size 128k;<br>
-      <br>
-      limit_conn conn_limit_per_ip 10;<br>
-      limit_req zone=req_limit_per_ip burst=10 nodelay;<br>
-      <br>
-      index index.html;<br>
-      rewrite ^ https://$server_name$request_uri? permanent;<br>
+        listen 80;<br>
+        listen [::]:80;<br>
+        server_name YOUR_DOMAIN;<br>
+        access_log /dev/null;<br>
+        error_log /dev/null;<br>
+        client_max_body_size 31m;<br>
+        client_body_buffer_size 128k;<br>
+        <br>
+        limit_conn conn_limit_per_ip 10;<br>
+        limit_req zone=req_limit_per_ip burst=10 nodelay;<br>
+        <br>
+        index index.html;<br>
+        rewrite ^ https://$server_name$request_uri? permanent;<br>
       }<br>
       <br>
       server {<br>
-      listen 443 ssl;<br>
-      server_name YOUR_DOMAIN;<br>
-      <br>
-      ssl_stapling off;<br>
-      ssl_stapling_verify off;<br>
-      ssl on;<br>
-      ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem;<br>
-      ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem;<br>
-      #ssl_dhparam /etc/ssl/certs/YOUR_DOMAIN.dhparam;<br>
-      <br>
-      ssl_session_cache  builtin:1000  shared:SSL:10m;<br>
-      ssl_session_timeout 60m;<br>
-      ssl_prefer_server_ciphers on;<br>
-      ssl_protocols TLSv1.2 TLSv1.3;<br>
-      ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';<br>
-      add_header X-Frame-Options DENY;<br>
-      add_header X-Content-Type-Options nosniff;<br>
-      add_header X-XSS-Protection "1; mode=block";<br>
-      add_header X-Download-Options noopen;<br>
-      add_header X-Permitted-Cross-Domain-Policies none;<br>
-      <br>
-      add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";<br>
-      add_header Strict-Transport-Security max-age=15768000;<br>
-      <br>
-      access_log /dev/null;<br>
-      error_log /dev/null;<br>
-      <br>
-      index index.html;<br>
-      <br>
-      location /newsmirror {<br>
-        root /var/www/YOUR_DOMAIN;<br>
-        try_files $uri =404;<br>
-      }<br>
-      <br>
-      location / {<br>
-      proxy_http_version 1.1;<br>
-      client_max_body_size 31M;<br>
-      proxy_set_header Upgrade $http_upgrade;<br>
-      proxy_set_header Connection "upgrade";<br>
-      proxy_set_header Host $http_host;<br>
-      proxy_set_header X-Real-IP $remote_addr;<br>
-      proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;<br>
-      proxy_set_header X-Forward-Proto http;<br>
-      proxy_set_header X-Nginx-Proxy true;<br>
-      expires epoch;<br>
-      proxy_no_cache 1;<br>
-      proxy_temp_file_write_size 64k;<br>
-      proxy_connect_timeout 10080s;<br>
-      proxy_send_timeout 10080;<br>
-      proxy_read_timeout 10080;<br>
-      proxy_buffer_size 64k;<br>
-      proxy_buffers 16 32k;<br>
-      proxy_busy_buffers_size 64k;<br>
-      proxy_redirect off;<br>
-      proxy_request_buffering on;<br>
-      proxy_buffering on;<br>
-      proxy_cache my_cache;<br>
-      proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;<br>
-      location ~ ^/(icons|images|media|emoji)/(.*)/(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {<br>
-          expires 7d;<br>
+        listen 443 ssl;<br>
+        server_name YOUR_DOMAIN;<br>
+        <br>
+        ssl_stapling off;<br>
+        ssl_stapling_verify off;<br>
+        ssl on;<br>
+        ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem;<br>
+        ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem;<br>
+        #ssl_dhparam /etc/ssl/certs/YOUR_DOMAIN.dhparam;<br>
+        <br>
+        ssl_session_cache  builtin:1000  shared:SSL:10m;<br>
+        ssl_session_timeout 60m;<br>
+        ssl_prefer_server_ciphers on;<br>
+        ssl_protocols TLSv1.2 TLSv1.3;<br>
+        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';<br>
+        add_header X-Frame-Options DENY;<br>
+        add_header X-Content-Type-Options nosniff;<br>
+        add_header X-XSS-Protection "1; mode=block";<br>
+        add_header X-Download-Options noopen;<br>
+        add_header X-Permitted-Cross-Domain-Policies none;<br>
+        <br>
+        add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";<br>
+        add_header Strict-Transport-Security max-age=15768000;<br>
+        <br>
+        access_log /dev/null;<br>
+        error_log /dev/null;<br>
+        <br>
+        index index.html;<br>
+        <br>
+        location /newsmirror {<br>
+          root /var/www/YOUR_DOMAIN;<br>
+          try_files $uri =404;<br>
+        }<br>
+        <br>
+        location / {<br>
+          proxy_http_version 1.1;<br>
+          client_max_body_size 31M;<br>
+          proxy_set_header Upgrade $http_upgrade;<br>
+          proxy_set_header Connection "upgrade";<br>
+          proxy_set_header Host $http_host;<br>
+          proxy_set_header X-Real-IP $remote_addr;<br>
+          proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;<br>
+          proxy_set_header X-Forward-Proto http;<br>
+          proxy_set_header X-Nginx-Proxy true;<br>
+          proxy_temp_file_write_size 64k;<br>
+          proxy_connect_timeout 10080s;<br>
+          proxy_send_timeout 10080;<br>
+          proxy_read_timeout 10080;<br>
+          proxy_buffer_size 64k;<br>
+          proxy_buffers 16 32k;<br>
+          proxy_busy_buffers_size 64k;<br>
+          proxy_redirect off;<br>
+          proxy_request_buffering off;<br>
+          proxy_buffering off;<br>
+          location ~ ^/accounts/(avatars|headers)/(.*).(png|jpg|gif|webp|svg) {<br>
+            expires 1d;<br>
+            proxy_pass http://localhost:7156;<br>
+          }<br>
           proxy_pass http://localhost:7156;<br>
-      }<br>
-      location ~ ^/icons/(.*)/(like|repeat|calendar)(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {<br>
-          expires epoch;<br>
-          proxy_no_cache 1;<br>
-          proxy_pass http://localhost:7156;<br>
-      }<br>
-      location ~ ^/icons/(like|repeat|calendar)(.*).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {<br>
-          expires epoch;<br>
-          proxy_no_cache 1;<br>
-          proxy_pass http://localhost:7156;<br>
-      }<br>
-      location ~ ^/users/(.*)/(image|banner).(png|jpg|gif|webp|mp3|ogv|ogg|mp4) {<br>
-          expires epoch;<br>
-          proxy_no_cache 1;<br>
-          proxy_pass http://localhost:7156;<br>
-      }<br>
-      proxy_pass http://localhost:7156;<br>
-      }<br>
+        }<br>
       }
     </div>