-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathnginx.conf.sample
132 lines (112 loc) · 5.04 KB
/
nginx.conf.sample
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# copy to /etc/nginx/sites-available/transfer
# create symlink to /etc/nginx/sites-enabled/
# sudo nginx -t
server {
# If this is the only site:
#
# listen 80 default_server;
# listen [::]:80 default_server;
#
# otherwise:
listen 80;
server_name <DO.MA.IN>;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response
# * make sure to setup your cert first
#
#return 301 https://$host$request_uri;
## webroot location for letsencrypt
location /.well-known/acme-challenge {
default_type "text/plain";
root /<PATH_TO_PROJ_ROOT>/assets/static/acme_challenge/;
}
# or serve over http:
#
# location /static/ {
# alias /<PATH_TO_PROJ_BASE>/assets/static/;
# }
#
# # The following provides support for using `X-Accel-Redirect` in application code.
# # The application can return a response containing the header `X-Accel-Redirect: /private/<update-id>`
# # and let nginx handle sending the file directly instead of shuffling the bytes
# # out of the application.
# location /private/ {
# internal;
# alias /<PATH_TO_PROJ_ROOT>/uploads/;
# }
#
# location / {
# include proxy_params;
# proxy_set_header X-Proxy-Nginx true;
# proxy_pass http://localhost:<PORT>/;
# }
}
server {
listen 443 ssl http2;
# If this is the only site
# listen [::]:443 ssl http2;
server_name <DO.MA.IN>;
### CERTS: See letsencrypt.info for generation tips
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/<DO.MA.IN>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<DO.MA.IN>/privkey.pem;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/<DO.MA.IN>/chain.pem;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 or 4096
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# intermediate configuration. tweak to your needs.
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# Apply this once your certs are setup
#add_header Strict-Transport-Security max-age=15768000;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
#add_header Content-Security-Policy "default-src https:";
# Required whether requests are being buffered or not. A 413, too-large response
# will be sent for requests larger than `client_max_body_size`
client_max_body_size 200m;
#
# When `proxy_request_buffering on`, nginx will read the whole request to disk
# before sending the request to the proxied server.
# If enabling buffering, increase `upload_timeout_secs` in `config.ron` since
# the request will be delayed in getting to the app server.
proxy_request_buffering off;
#
# When `proxy_buffering off`, nginx will send proxied response data as it comes in instead of
# reading the entire response to an intermediate file.
proxy_buffering off;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
############################################
# webroot location for letsencrypt
location /.well-known/acme-challenge {
default_type "text/plain";
root /<PATH_TO_PROJ_ROOT>/assets/static/acme_challenge/;
}
location /static/ {
alias /<PATH_TO_PROJ_ROOT>/assets/static/;
}
# The following provides support for using `X-Accel-Redirect` in application code.
# The application can return a response containing the header `X-Accel-Redirect: /private/<update-id>`
# and let nginx handle sending the file directly instead of shuffling the bytes
# out of the application.
location /private/ {
internal;
alias /<PATH_TO_UPLOAD_DIR>/;
# e.g.
# alias /home/<user>/projects/transfer/transfer_uploads/;
}
location / {
include proxy_params;
proxy_set_header X-Proxy-Nginx true;
proxy_pass http://localhost:<PORT>/;
}
}