-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.conf.example
137 lines (113 loc) · 6.24 KB
/
nginx.conf.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
server {
# When not a guest, we use the default ip explicitely to avoid listening to
# possible failover extra ips, which may be dedicated to some project. By
# not doing so, nginx would listen to all ips, and some clients not
# implementing the Server Name Indication (SNI) would not be able to access
# the dedicated project.
listen 123.123.123.123;
server_name example.com www.example.com;
server_tokens off; # don't show the version number, a security best practice
charset utf-8;
access_log /var/log/nginx/example.com.log;
error_log /var/log/nginx/example.com.error.log;
# Deny illegal Host headers, see http://stackoverflow.com/questions/15238506/djangos-suspiciousoperation-invalid-http-host-header
if ($host !~* ^(www.)?example.com$ ) {
return 444; # special code of nginx to just close the connection
}
# Only allow these requests methods (verbs)
if ($request_method !~ ^(GET|HEAD)$ ) {
return 444;
}
# For letsencrypt
location ~ /\.well-known {
default_type "text/plain";
root /home/example/example.com/;
allow all;
}
location / {
return 301 https://example.com$uri;
}
}
# Misc redirections e.g. https://www... to main site
server {
# See the reason for the explicit IP in a long comment above
listen 123.123.123.123:443 ssl;
server_name www.example.com;
server_tokens off; # don't show the version number, a security best practice
charset utf-8;
# Access and error log files.
access_log /var/log/nginx/example.com.log;
error_log /var/log/nginx/example.com.error.log;
# Deny illegal Host headers, see http://stackoverflow.com/questions/15238506/djangos-suspiciousoperation-invalid-http-host-header
if ($host !~* ^(www.)?example.com$ ) {
return 444; # special code of nginx to just close the connection
}
# Only allow these requests methods (verbs)
if ($request_method !~ ^(GET|HEAD)$ ) {
return 444;
}
# https://stackoverflow.com/questions/40966017/nginx-deny-access-of-a-directory-and-files-inside-it
location ~ /.hg/.*$ {
deny all;
}
location / {
return 301 https://example.com$uri;
}
ssl on;
# The reason for using a chained certificate is explained here:
# https://forum.startcom.org/viewtopic.php?f=15&t=2798
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# from https://mozilla.github.io/server-side-tls/ssl-config-generator/
######################################################################
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
}
# Everything below is for ssl, but when provisioning for the first time, and
# going to use letsencrypt, we need first a functioning nginx without
# certificates to be able to deal with the letsencrypt challenge.
server {
# See the reason for the explicit IP in a long comment above
listen 123.123.123.123:443 ssl;
server_name example.com;
server_tokens off; # don't show the version number, a security best practice
charset utf-8;
# Access and error log files.
access_log /var/log/nginx/example.com.log;
error_log /var/log/nginx/example.com.error.log;
# Deny illegal Host headers, see http://stackoverflow.com/questions/15238506/djangos-suspiciousoperation-invalid-http-host-header
if ($host !~* ^example.com$ ) {
return 444; # special code of nginx to just close the connection
}
# Only allow these requests methods (verbs)
if ($request_method !~ ^(GET|HEAD)$ ) {
return 444;
}
# https://stackoverflow.com/questions/40966017/nginx-deny-access-of-a-directory-and-files-inside-it
location ~ /.hg/.*$ {
deny all;
}
# =404 is needed to raise 404 if file does not exist.
location / {
root /home/example/example.com/;
try_files $uri $uri/index.html =404;
}
ssl on;
# The reason for using a chained certificate is explained here:
# https://forum.startcom.org/viewtopic.php?f=15&t=2798
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# from https://mozilla.github.io/server-side-tls/ssl-config-generator/
######################################################################
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
}
# vim: ft=nginx