tre revised this gist 1 day ago. Go to revision
1 file changed, 1 insertion, 1 deletion
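--- a/nginxample
+++ b/nginxample
@@ -76,7 +76,7 @@ server {
 
 location /PROTECTED {
 auth_basic "Password required";
-auth_basic_user_file /etc/apache2/.htpasswd;
+auth_basic_user_file /etc/apache2/.htpasswd;
 }
 
 # include this line if uploading big files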
tre revised this gist 1 day ago. Go to revision
1 file changed, 5 insertions, 5 deletions
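--- a/nginxample
+++ b/nginxample
@@ -50,11 +50,11 @@ server {
 
 # include these lines if it is a systemd service running on a port
 proxy_pass http://127.0.0.1:PORT;
-proxy_set_header Host $host;
-proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection "upgrade";
-proxy_set_header X-Forwarded-For $remote_addr;
-proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
 }
 
 # include this block if php is involved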
tre revised this gist 1 day ago. Go to revision
1 file changed, 10 insertions, 6 deletions
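--- a/nginxample
+++ b/nginxample
@@ -31,14 +31,17 @@ server {
 location / {
 
 add_header Access-Control-Allow-Origin "https://tre.praze.net";
+
 # EITHER for eluding search engines
 add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
 # OR
-add_header X-Robots-Tag "nofollow, noarchive"
+add_header X-Robots-Tag "nofollow, noarchive";
+
 # EITHER for not sending referrer links
 add_header Referrer-Policy "no-refer";
 # OR
 add_header Referrer-Policy "strict-origin-when-cross-origin";
+
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
@@ -47,11 +50,11 @@ server {
 
 # include these lines if it is a systemd service running on a port
 proxy_pass http://127.0.0.1:PORT;
-proxy_set_header Host $host;
-proxy_set_header Upgrade $http_upgrade;
-proxy_set_header Connection "upgrade";
-proxy_set_header X-Forwarded-For $remote_addr;
-proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
 }
 
 # include this block if php is involved
@@ -66,6 +69,7 @@ server {
 # security headers may need to live here if so
 }
 
+# this probably won’t work if it is running as a service, need to set the favicon in whatever way the software requires
 location /favicon.ico {
 alias /var/www/DIRECTORY/favicon.png;
 }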
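Review bot: The Referrer-Policy value kept as context on new line 41 of the first hunk, `add_header Referrer-Policy "no-refer";`, is not one of the tokens the Referrer Policy specification defines (the intended one is `no-referrer`), so browsers treat the header as unrecognised and fall back to their default policy; it should read `add_header Referrer-Policy "no-referrer";`. In the same hunk the EITHER/OR alternatives for X-Robots-Tag and for Referrer-Policy are all live directives, since only the explanatory lines are comments, so nginx emits both headers of each pair until one line of each pair is commented out. The enclosing `location /` block continues past the end of that hunk.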
tre revised this gist 1 day ago. Go to revision
1 file changed, 3 insertions
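--- a/nginxample
+++ b/nginxample
@@ -12,6 +12,9 @@ server {
 # may need to include this line if php is involved
 index index.php;
 
+# include this if using server-side includes
+ssi on;
+
 listen 443 ssl;
 server_name SUB.praze.net;
 ssl_certificate /etc/letsencrypt/live/SUB.praze.net/fullchain.pem;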
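Review bot: `ssi on;` on new line 16 is placed at server level, so server-side include processing is inherited by every location in the block, including the proxied `/` location and the PHP handler, not only the pages that actually use includes. Because SSI directives are interpreted out of the response body, any served content that users can influence (the file's later `client_max_body_size` comment suggests uploads are expected) would be processed by nginx as well; enabling the directive only inside the specific `location` that serves the SSI pages limits that exposure. It is also worth recording in the comment that by default only `text/html` responses are processed (`ssi_types`), e.g. `# include this if using server-side includes (applies to text/html responses in every location below; prefer enabling it only in the location that needs it)`. The enclosing `server` block starts and ends outside the hunk.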
tre revised this gist 6 days ago. Go to revision
1 file changed, 84 insertions
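--- /dev/null
+++ b/nginxample
@@ -0,0 +1,84 @@
+# redirect http requests to https
+server {
+listen 80;
+listen [::]:80;
+server_name SUB.praze.net;
+return 301 https://$host$request_uri;
+}
+
+server {
+root /var/www/DIRECTORY;
+charset utf-8;
+# may need to include this line if php is involved
+index index.php;
+
+listen 443 ssl;
+server_name SUB.praze.net;
+ssl_certificate /etc/letsencrypt/live/SUB.praze.net/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/SUB.praze.net/privkey.pem;
+
+# certbot settings, may not be required
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+location / {
+
+add_header Access-Control-Allow-Origin "https://tre.praze.net";
+# EITHER for eluding search engines
+add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+# OR
+add_header X-Robots-Tag "nofollow, noarchive"
+# EITHER for not sending referrer links
+add_header Referrer-Policy "no-refer";
+# OR
+add_header Referrer-Policy "strict-origin-when-cross-origin";
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Rating "RTA-5042-1996-1400-1577-RTA" always; # “restricted to adults”
+
+# include these lines if it is a systemd service running on a port
+proxy_pass http://127.0.0.1:PORT;
+proxy_set_header Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+# include this block if php is involved
+location ~ [^/]\.php(/|$) {
+try_files $uri =404;
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_pass unix:/var/run/php/php-fpm.sock;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_index index.php;
+include fastcgi.conf;
+
+# security headers may need to live here if so
+}
+
+location /favicon.ico {
+alias /var/www/DIRECTORY/favicon.png;
+}
+
+location /PROTECTED {
+auth_basic "Password required";
+auth_basic_user_file /etc/apache2/.htpasswd;
+}
+
+# include this line if uploading big files
+client_max_body_size 40M;
+
+error_page 404 /SUBDIR/404.html;
+# etc
+
+# example redirects (including “permanent” makes it a 301 rather than a 302)
+rewrite ^/OLD /NEW permanent;
+rewrite ^/OLD/(.*)$ /NEW/$1?;
+}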
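Review bot: The Content-Security-Policy on line 40, `default-src https: data: 'unsafe-inline' 'unsafe-eval'`, permits scripts, styles and frames from any HTTPS origin plus inline script and eval, so it gives almost no protection against injected script even though it is sent with `always`; a policy built from `'self'` with explicitly named sources for what the site actually loads, for example `add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:" always;`, is the usual starting point and can be widened per site. Separately, the `Upgrade`/`Connection "upgrade"` pair on lines 48-49 only works if `proxy_http_version 1.1;` is set alongside `proxy_pass` on line 46, because proxied requests default to HTTP/1.0 and the upgrade cannot be negotiated; the comment above them should say so. The `auth_basic_user_file` on line 72 is read by the nginx worker user, so the file's permissions should allow that user read access and nothing wider, which is worth a comment next to the directive.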