88 lines
3.5 KiB
Plaintext
88 lines
3.5 KiB
Plaintext
|
server {
|
||
|
|
add_header Cache-Control "public";
|
||
|
|
add_header X-Frame-Options "DENY";
|
||
|
|
access_log /var/log/nginx/access.log; # main buffer=32k;
|
||
|
|
#access_log /var/log/nginx/cache.log cache;
|
||
|
|
error_log /var/log/nginx/error.log error;
|
||
|
|
expires 1h;
|
||
|
|
listen 443 ssl http2; #sndbuf=128k;
|
||
|
|
limit_req zone=gulag burst=1000 nodelay;
|
||
|
|
server_name repo.secmayl.com repo.manios.ca;
|
||
|
|
resolver 192.168.0.1;
|
||
|
|
|
||
|
|
proxy_redirect off;
|
||
|
|
proxy_set_header Host $host;
|
||
|
|
proxy_set_header X-Real-IP $remote_addr;
|
||
|
|
proxy_set_header X-Frame-Options SAMEORIGIN;
|
||
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
|
|
|
||
|
|
#proxy_cache webcache;
|
||
|
|
#proxy_cache_key $scheme$host$request_uri;
|
||
|
|
#proxy_cache_valid 200 301 302 304 120m;
|
||
|
|
#xproxy_cache_valid any 1m;
|
||
|
|
|
||
|
|
# ssl settings. use publicly trusted cert (let's encrypt) with public traffic
|
||
|
|
# ssl on;
|
||
|
|
ssl_certificate /root/.acme.sh/repo.secmayl.com/repo.secmayl.com.cer;
|
||
|
|
ssl_certificate_key /root/.acme.sh/repo.secmayl.com/repo.secmayl.com.key;
|
||
|
|
|
||
|
|
ssl_session_timeout 5m;
|
||
|
|
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH;
|
||
|
|
ssl_ecdh_curve secp384r1;
|
||
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||
|
|
ssl_prefer_server_ciphers on;
|
||
|
|
ssl_dhparam /usr/home/chucklz/certs/dh-4096.pem;
|
||
|
|
|
||
|
|
# Only allow GET, HEAD and POST request methods. Since this a proxy you may
|
||
|
|
# want to be more restrictive with your request methods. The calls are going
|
||
|
|
# to be passed to the back end server and nginx does not know what it
|
||
|
|
# normally accepts, so everything gets passed. If we only need to accept GET
|
||
|
|
# HEAD and POST then limit that here.
|
||
|
|
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
|
||
|
|
return 403;
|
||
|
|
}
|
||
|
|
|
||
|
|
# user forum. This goes to a different server then the standard we cluster for example.
|
||
|
|
#location /forum/ {
|
||
|
|
# proxy_pass http://192.168.1.201/forum/;
|
||
|
|
#}
|
||
|
|
|
||
|
|
## Do not cache any requests using our cgi paths. The http_my_secret_header
|
||
|
|
## is not used and is just a place holder if you need this function.
|
||
|
|
#location ~* (/cgi/||/authorized/|/restrict/) {
|
||
|
|
# expires epoch;
|
||
|
|
# proxy_no_cache 1;
|
||
|
|
# proxy_cache_bypass $http_my_secret_header;
|
||
|
|
# proxy_pass http://backend_web_servers;
|
||
|
|
#}
|
||
|
|
|
||
|
|
# acme challenge location
|
||
|
|
location ^~ /.well-known/acme-challenge/ {
|
||
|
|
root /usr/local/www/letsencrypt;
|
||
|
|
}
|
||
|
|
|
||
|
|
# hide dir on all requests
|
||
|
|
location = /.well-known/acme-challenge/ {
|
||
|
|
return 404;
|
||
|
|
}
|
||
|
|
|
||
|
|
# default htdocs
|
||
|
|
location / {
|
||
|
|
## redirect host going to www to non-www hostname
|
||
|
|
#if ($host ~* ^(www\.example\.com)$ ) {
|
||
|
|
# return 301 https://example.com$uri;
|
||
|
|
#}
|
||
|
|
#proxy_pass http://backend_web_servers;
|
||
|
|
|
||
|
|
proxy_redirect off;
|
||
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
||
|
|
proxy_pass https://$host$request_uri;
|
||
|
|
}
|
||
|
|
|
||
|
|
## All other errors get the generic error page
|
||
|
|
error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497 500 501 502 503 504 505 506 507 /error_page.html;
|
||
|
|
#location /error_page_example_com.html {
|
||
|
|
location /error_page.html {
|
||
|
|
internal;
|
||
|
|
}
|
||
|
|
}
|