nginxample
· 3.0 KiB · Text
Raw
# redirect http requests to https
server {
listen 80;
listen [::]:80;
server_name SUB.praze.net;
return 301 https://$host$request_uri;
}
server {
root /var/www/DIRECTORY;
charset utf-8;
# may need to include this line if php is involved
index index.php;
listen 443 ssl;
server_name SUB.praze.net;
ssl_certificate /etc/letsencrypt/live/SUB.praze.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/SUB.praze.net/privkey.pem;
# certbot settings, may not be required
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
location / {
add_header Access-Control-Allow-Origin "https://tre.praze.net";
# EITHER for eluding search engines
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
# OR
add_header X-Robots-Tag "nofollow, noarchive"
# EITHER for not sending referrer links
add_header Referrer-Policy "no-refer";
# OR
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Rating "RTA-5042-1996-1400-1577-RTA" always; # “restricted to adults”
# include these lines if it is a systemd service running on a port
proxy_pass http://127.0.0.1:PORT;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
# include this block if php is involved
location ~ [^/]\.php(/|$) {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
include fastcgi.conf;
# security headers may need to live here if so
}
location /favicon.ico {
alias /var/www/DIRECTORY/favicon.png;
}
location /PROTECTED {
auth_basic "Password required";
auth_basic_user_file /etc/apache2/.htpasswd;
}
# include this line if uploading big files
client_max_body_size 40M;
error_page 404 /SUBDIR/404.html;
# etc
# example redirects (including “permanent” makes it a 301 rather than a 302)
rewrite ^/OLD /NEW permanent;
rewrite ^/OLD/(.*)$ /NEW/$1?;
}
| 1 | # redirect http requests to https |
| 2 | server { |
| 3 | listen 80; |
| 4 | listen [::]:80; |
| 5 | server_name SUB.praze.net; |
| 6 | return 301 https://$host$request_uri; |
| 7 | } |
| 8 | |
| 9 | server { |
| 10 | root /var/www/DIRECTORY; |
| 11 | charset utf-8; |
| 12 | # may need to include this line if php is involved |
| 13 | index index.php; |
| 14 | |
| 15 | listen 443 ssl; |
| 16 | server_name SUB.praze.net; |
| 17 | ssl_certificate /etc/letsencrypt/live/SUB.praze.net/fullchain.pem; |
| 18 | ssl_certificate_key /etc/letsencrypt/live/SUB.praze.net/privkey.pem; |
| 19 | |
| 20 | # certbot settings, may not be required |
| 21 | ssl_session_cache shared:le_nginx_SSL:10m; |
| 22 | ssl_session_timeout 1440m; |
| 23 | ssl_session_tickets off; |
| 24 | ssl_protocols TLSv1.2 TLSv1.3; |
| 25 | ssl_prefer_server_ciphers off; |
| 26 | ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; |
| 27 | |
| 28 | location / { |
| 29 | |
| 30 | add_header Access-Control-Allow-Origin "https://tre.praze.net"; |
| 31 | # EITHER for eluding search engines |
| 32 | add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; |
| 33 | # OR |
| 34 | add_header X-Robots-Tag "nofollow, noarchive" |
| 35 | # EITHER for not sending referrer links |
| 36 | add_header Referrer-Policy "no-refer"; |
| 37 | # OR |
| 38 | add_header Referrer-Policy "strict-origin-when-cross-origin"; |
| 39 | add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; |
| 40 | add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always; |
| 41 | add_header X-Frame-Options "SAMEORIGIN" always; |
| 42 | add_header X-Content-Type-Options "nosniff" always; |
| 43 | add_header Rating "RTA-5042-1996-1400-1577-RTA" always; # “restricted to adults” |
| 44 | |
| 45 | # include these lines if it is a systemd service running on a port |
| 46 | proxy_pass http://127.0.0.1:PORT; |
| 47 | proxy_set_header Host $host; |
| 48 | proxy_set_header Upgrade $http_upgrade; |
| 49 | proxy_set_header Connection "upgrade"; |
| 50 | proxy_set_header X-Forwarded-For $remote_addr; |
| 51 | proxy_set_header X-Forwarded-Proto $scheme; |
| 52 | } |
| 53 | |
| 54 | # include this block if php is involved |
| 55 | location ~ [^/]\.php(/|$) { |
| 56 | try_files $uri =404; |
| 57 | fastcgi_split_path_info ^(.+\.php)(/.+)$; |
| 58 | fastcgi_pass unix:/var/run/php/php-fpm.sock; |
| 59 | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; |
| 60 | fastcgi_index index.php; |
| 61 | include fastcgi.conf; |
| 62 | |
| 63 | # security headers may need to live here if so |
| 64 | } |
| 65 | |
| 66 | location /favicon.ico { |
| 67 | alias /var/www/DIRECTORY/favicon.png; |
| 68 | } |
| 69 | |
| 70 | location /PROTECTED { |
| 71 | auth_basic "Password required"; |
| 72 | auth_basic_user_file /etc/apache2/.htpasswd; |
| 73 | } |
| 74 | |
| 75 | # include this line if uploading big files |
| 76 | client_max_body_size 40M; |
| 77 | |
| 78 | error_page 404 /SUBDIR/404.html; |
| 79 | # etc |
| 80 | |
| 81 | # example redirects (including “permanent” makes it a 301 rather than a 302) |
| 82 | rewrite ^/OLD /NEW permanent; |
| 83 | rewrite ^/OLD/(.*)$ /NEW/$1?; |
| 84 | } |