nginxample - Opengist

Revision 3b2be6c82eb59406e65b4e15e22ace03086db708

nginxample · 3.1 KiB · Text Raw

# redirect http requests to https server { listen 80; listen [::]:80; server_name SUB.praze.net; return 301 https://$host$request_uri; } server { root /var/www/DIRECTORY; charset utf-8; # may need to include this line if php is involved index index.php; # include this if using server-side includes ssi on; listen 443 ssl; server_name SUB.praze.net; ssl_certificate /etc/letsencrypt/live/SUB.praze.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/SUB.praze.net/privkey.pem; # certbot settings, may not be required ssl_session_cache shared:le_nginx_SSL:10m; ssl_session_timeout 1440m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers off; ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; location / { add_header Access-Control-Allow-Origin "https://tre.praze.net"; # EITHER for eluding search engines add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"; # OR add_header X-Robots-Tag "nofollow, noarchive" # EITHER for not sending referrer links add_header Referrer-Policy "no-refer"; # OR add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Rating "RTA-5042-1996-1400-1577-RTA" always; # “restricted to adults” # include these lines if it is a systemd service running on a port proxy_pass http://127.0.0.1:PORT; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; } # include this block if php is involved location ~ [^/]\.php(/|$) { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php/php-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_index index.php; include fastcgi.conf; # security headers may need to live here if so } location /favicon.ico { alias /var/www/DIRECTORY/favicon.png; } location /PROTECTED { auth_basic "Password required"; auth_basic_user_file /etc/apache2/.htpasswd; } # include this line if uploading big files client_max_body_size 40M; error_page 404 /SUBDIR/404.html; # etc # example redirects (including “permanent” makes it a 301 rather than a 302) rewrite ^/OLD /NEW permanent; rewrite ^/OLD/(.*)$ /NEW/$1?; }

1	# redirect http requests to https
2	server {
3	listen 80;
4	listen [::]:80;
5	server_name SUB.praze.net;
6	return 301 https://$host$request_uri;
7	}
8
9	server {
10	root /var/www/DIRECTORY;
11	charset utf-8;
12	# may need to include this line if php is involved
13	index index.php;
14
15	# include this if using server-side includes
16	ssi on;
17
18	listen 443 ssl;
19	server_name SUB.praze.net;
20	ssl_certificate /etc/letsencrypt/live/SUB.praze.net/fullchain.pem;
21	ssl_certificate_key /etc/letsencrypt/live/SUB.praze.net/privkey.pem;
22
23	# certbot settings, may not be required
24	ssl_session_cache shared:le_nginx_SSL:10m;
25	ssl_session_timeout 1440m;
26	ssl_session_tickets off;
27	ssl_protocols TLSv1.2 TLSv1.3;
28	ssl_prefer_server_ciphers off;
29	ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
30
31	location / {
32
33	add_header Access-Control-Allow-Origin "https://tre.praze.net";
34	# EITHER for eluding search engines
35	add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
36	# OR
37	add_header X-Robots-Tag "nofollow, noarchive"
38	# EITHER for not sending referrer links
39	add_header Referrer-Policy "no-refer";
40	# OR
41	add_header Referrer-Policy "strict-origin-when-cross-origin";
42	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
43	add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
44	add_header X-Frame-Options "SAMEORIGIN" always;
45	add_header X-Content-Type-Options "nosniff" always;
46	add_header Rating "RTA-5042-1996-1400-1577-RTA" always; # “restricted to adults”
47
48	# include these lines if it is a systemd service running on a port
49	proxy_pass http://127.0.0.1:PORT;
50	proxy_set_header Host $host;
51	proxy_set_header Upgrade $http_upgrade;
52	proxy_set_header Connection "upgrade";
53	proxy_set_header X-Forwarded-For $remote_addr;
54	proxy_set_header X-Forwarded-Proto $scheme;
55	}
56
57	# include this block if php is involved
58	location ~ [^/]\.php(/\|$) {
59	try_files $uri =404;
60	fastcgi_split_path_info ^(.+\.php)(/.+)$;
61	fastcgi_pass unix:/var/run/php/php-fpm.sock;
62	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
63	fastcgi_index index.php;
64	include fastcgi.conf;
65
66	# security headers may need to live here if so
67	}
68
69	location /favicon.ico {
70	alias /var/www/DIRECTORY/favicon.png;
71	}
72
73	location /PROTECTED {
74	auth_basic "Password required";
75	auth_basic_user_file /etc/apache2/.htpasswd;
76	}
77
78	# include this line if uploading big files
79	client_max_body_size 40M;
80
81	error_page 404 /SUBDIR/404.html;
82	# etc
83
84	# example redirects (including “permanent” makes it a 301 rather than a 302)
85	rewrite ^/OLD /NEW permanent;
86	rewrite ^/OLD/(.*)$ /NEW/$1?;
87	}