Last active 1 week ago

nginxample Raw
1# redirect http requests to https
2server {
3 listen 80;
4 listen [::]:80;
5 server_name SUB.praze.net;
6 return 301 https://$host$request_uri;
7}
8
9server {
10 root /var/www/DIRECTORY;
11 charset utf-8;
12 # may need to include this line if php is involved
13 index index.php;
14
15 # include this if using server-side includes
16 ssi on;
17
18 listen 443 ssl;
19 server_name SUB.praze.net;
20 ssl_certificate /etc/letsencrypt/live/SUB.praze.net/fullchain.pem;
21 ssl_certificate_key /etc/letsencrypt/live/SUB.praze.net/privkey.pem;
22
23 # certbot settings, may not be required
24 ssl_session_cache shared:le_nginx_SSL:10m;
25 ssl_session_timeout 1440m;
26 ssl_session_tickets off;
27 ssl_protocols TLSv1.2 TLSv1.3;
28 ssl_prefer_server_ciphers off;
29 ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
30
31 location / {
32
33 # make sure the http block in nginx.conf includes the following:
34 # map $http_origin $allowed_origin {
35 # default "";
36 # ~^https:\/\/([a-zA-Z0-9-]+\.)*praze.net$ $http_origin;
37 # }
38 add_header Access-Control-Allow-Origin $allowed_origin;
39
40 # EITHER for eluding search engines
41 add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
42 # OR
43 add_header X-Robots-Tag "nofollow, noarchive";
44
45 # EITHER for not sending referrer links
46 add_header Referrer-Policy "no-refer";
47 # OR
48 add_header Referrer-Policy "strict-origin-when-cross-origin";
49
50 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
51 add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
52 add_header X-Frame-Options "SAMEORIGIN" always;
53 add_header X-Content-Type-Options "nosniff" always;
54 add_header Rating "RTA-5042-1996-1400-1577-RTA" always; # “restricted to adults”
55
56 # include these lines if it is a systemd service running on a port
57 proxy_pass http://127.0.0.1:PORT;
58 proxy_set_header Host $host;
59 proxy_set_header Upgrade $http_upgrade;
60 proxy_set_header Connection "upgrade";
61 proxy_set_header X-Forwarded-For $remote_addr;
62 proxy_set_header X-Forwarded-Proto $scheme;
63 }
64
65 # include this block if php is involved
66 location ~ [^/]\.php(/|$) {
67 try_files $uri =404;
68 fastcgi_split_path_info ^(.+\.php)(/.+)$;
69 fastcgi_pass unix:/var/run/php/php-fpm.sock;
70 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
71 fastcgi_index index.php;
72 include fastcgi.conf;
73
74 # security headers may need to live here if so
75 }
76
77 # this probably won’t work if it is running as a service, need to set the favicon in whatever way the software requires
78 location /favicon.ico {
79 alias /var/www/DIRECTORY/favicon.png;
80 }
81
82 location /PROTECTED {
83 auth_basic "Password required";
84 auth_basic_user_file /etc/apache2/.htpasswd;
85 }
86
87 # include this line if uploading big files
88 client_max_body_size 40M;
89
90 error_page 404 /SUBDIR/404.html;
91 # etc
92
93 # example redirects (including “permanent” makes it a 301 rather than a 302)
94 rewrite ^/OLD /NEW permanent;
95 rewrite ^/OLD/(.*)$ /NEW/$1?;
96 rewrite ^/(.*).png /$1.webp permanent;
97}