added re

2020-03-18 19:16:20 -04:00
parent c98fa9cc79
commit 383369d50b
1 changed files with 88 additions and 0 deletions
--- a/aries/nginx/conf.d/repo.conf
+++ b/aries/nginx/conf.d/repo.conf
@@ -0,0 +1,88 @@
+server {
+        add_header Cache-Control "public";
+        add_header X-Frame-Options "DENY";
+        access_log /var/log/nginx/access.log; # main buffer=32k;
+        #access_log /var/log/nginx/cache.log cache;
+        error_log /var/log/nginx/error.log error;
+        expires 1h;
+        listen 443 ssl http2; #sndbuf=128k;
+        limit_req zone=gulag burst=1000 nodelay;
+        server_name repo.secmayl.com repo.manios.ca;
+        resolver 192.168.0.1;
+
+        proxy_redirect off;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Frame-Options SAMEORIGIN;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        #proxy_cache webcache;
+        #proxy_cache_key $scheme$host$request_uri;
+        #proxy_cache_valid 200 301 302 304 120m;
+        #xproxy_cache_valid any 1m;
+
+        # ssl settings. use publicly trusted cert (let's encrypt) with public traffic
+#       ssl on;
+        ssl_certificate /root/.acme.sh/repo.secmayl.com/repo.secmayl.com.cer;
+        ssl_certificate_key /root/.acme.sh/repo.secmayl.com/repo.secmayl.com.key;
+
+        ssl_session_timeout 5m;
+        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH;
+        ssl_ecdh_curve secp384r1;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_dhparam /usr/home/chucklz/certs/dh-4096.pem;
+
+        # Only allow GET, HEAD and POST request methods. Since this a proxy you may
+        # want to be more restrictive with your request methods. The calls are going
+        # to be passed to the back end server and nginx does not know what it
+        # normally accepts, so everything gets passed. If we only need to accept GET
+        # HEAD and POST then limit that here.
+        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
+                return 403;
+        }
+
+        # user forum. This goes to a different server then the standard we cluster for example.
+        #location /forum/ {
+        #       proxy_pass http://192.168.1.201/forum/;
+        #}
+
+        ## Do not cache any requests using our cgi paths. The http_my_secret_header
+        ## is not used and is just a place holder if you need this function.
+        #location ~* (/cgi/||/authorized/|/restrict/) {
+        #       expires epoch;
+        #       proxy_no_cache 1;
+        #       proxy_cache_bypass $http_my_secret_header;
+        #       proxy_pass http://backend_web_servers;
+        #}
+
+        # acme challenge location
+        location ^~ /.well-known/acme-challenge/ {
+                root /usr/local/www/letsencrypt;
+        }
+
+        # hide dir on all requests
+        location = /.well-known/acme-challenge/ {
+                return 404;
+        }
+
+        # default htdocs
+        location / {
+                ## redirect host going to www to non-www hostname
+                #if ($host ~* ^(www\.example\.com)$ ) {
+                #       return 301 https://example.com$uri;
+                #}
+                #proxy_pass http://backend_web_servers;
+
+                proxy_redirect off;
+                proxy_set_header X-Forwarded-Host $http_host;
+                proxy_pass https://$host$request_uri;
+        }
+
+        ## All other errors get the generic error page
+        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497 500 501 502 503 504 505 506 507 /error_page.html;
+        #location  /error_page_example_com.html {
+        location /error_page.html {
+                internal;
+        }
+}