nginxample - Opengist

nginxample · 3.2 KiB · Text Raw

# redirect http requests to https server { listen 80; listen [::]:80; server_name SUB.praze.net; return 301 https://$host$request_uri; } server { root /var/www/DIRECTORY; charset utf-8; # may need to include this line if php is involved index index.php; # include this if using server-side includes ssi on; listen 443 ssl; server_name SUB.praze.net; ssl_certificate /etc/letsencrypt/live/SUB.praze.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/SUB.praze.net/privkey.pem; # certbot settings, may not be required ssl_session_cache shared:le_nginx_SSL:10m; ssl_session_timeout 1440m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers off; ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; location / { add_header Access-Control-Allow-Origin "https://tre.praze.net"; # EITHER for eluding search engines add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; # OR add_header X-Robots-Tag "nofollow, noarchive"; # EITHER for not sending referrer links add_header Referrer-Policy "no-refer"; # OR add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Rating "RTA-5042-1996-1400-1577-RTA" always; # “restricted to adults” # include these lines if it is a systemd service running on a port proxy_pass http://127.0.0.1:PORT; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; } # include this block if php is involved location ~ [^/]\.php(/|$) { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php/php-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; include fastcgi.conf; # security headers may need to live here if so } # this probably won’t work if it is running as a service, need to set the favicon in whatever way the software requires location /favicon.ico { alias /var/www/DIRECTORY/favicon.png; } location /PROTECTED { auth_basic "Password required"; auth_basic_user_file /etc/apache2/.htpasswd; } # include this line if uploading big files client_max_body_size 40M; error_page 404 /SUBDIR/404.html; # etc # example redirects (including “permanent” makes it a 301 rather than a 302) rewrite ^/OLD /NEW permanent; rewrite ^/OLD/(.*)$ /NEW/$1?; }

1	# redirect http requests to https
2	server {
3	listen 80;
4	listen [::]:80;
5	server_name SUB.praze.net;
6	return 301 https://$host$request_uri;
7	}
8
9	server {
10	root /var/www/DIRECTORY;
11	charset utf-8;
12	# may need to include this line if php is involved
13	index index.php;
14
15	# include this if using server-side includes
16	ssi on;
17
18	listen 443 ssl;
19	server_name SUB.praze.net;
20	ssl_certificate /etc/letsencrypt/live/SUB.praze.net/fullchain.pem;
21	ssl_certificate_key /etc/letsencrypt/live/SUB.praze.net/privkey.pem;
22
23	# certbot settings, may not be required
24	ssl_session_cache shared:le_nginx_SSL:10m;
25	ssl_session_timeout 1440m;
26	ssl_session_tickets off;
27	ssl_protocols TLSv1.2 TLSv1.3;
28	ssl_prefer_server_ciphers off;
29	ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
30
31	location / {
32
33	add_header Access-Control-Allow-Origin "https://tre.praze.net";
34
35	# EITHER for eluding search engines
36	add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
37	# OR
38	add_header X-Robots-Tag "nofollow, noarchive";
39
40	# EITHER for not sending referrer links
41	add_header Referrer-Policy "no-refer";
42	# OR
43	add_header Referrer-Policy "strict-origin-when-cross-origin";
44
45	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
46	add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
47	add_header X-Frame-Options "SAMEORIGIN" always;
48	add_header X-Content-Type-Options "nosniff" always;
49	add_header Rating "RTA-5042-1996-1400-1577-RTA" always; # “restricted to adults”
50
51	# include these lines if it is a systemd service running on a port
52	proxy_pass http://127.0.0.1:PORT;
53	proxy_set_header Host $host;
54	proxy_set_header Upgrade $http_upgrade;
55	proxy_set_header Connection "upgrade";
56	proxy_set_header X-Forwarded-For $remote_addr;
57	proxy_set_header X-Forwarded-Proto $scheme;
58	}
59
60	# include this block if php is involved
61	location ~ [^/]\.php(/\|$) {
62	try_files $uri =404;
63	fastcgi_split_path_info ^(.+\.php)(/.+)$;
64	fastcgi_pass unix:/var/run/php/php-fpm.sock;
65	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
66	fastcgi_index index.php;
67	include fastcgi.conf;
68
69	# security headers may need to live here if so
70	}
71
72	# this probably won’t work if it is running as a service, need to set the favicon in whatever way the software requires
73	location /favicon.ico {
74	alias /var/www/DIRECTORY/favicon.png;
75	}
76
77	location /PROTECTED {
78	auth_basic "Password required";
79	auth_basic_user_file /etc/apache2/.htpasswd;
80	}
81
82	# include this line if uploading big files
83	client_max_body_size 40M;
84
85	error_page 404 /SUBDIR/404.html;
86	# etc
87
88	# example redirects (including “permanent” makes it a 301 rather than a 302)
89	rewrite ^/OLD /NEW permanent;
90	rewrite ^/OLD/(.*)$ /NEW/$1?;
91	}