From 383369d50bc2469dfa8c84f81e5c5510a46c868c Mon Sep 17 00:00:00 2001 From: nicholasmanios Date: Wed, 18 Mar 2020 19:16:20 -0400 Subject: [PATCH] added re --- aries/nginx/conf.d/repo.conf | 88 ++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 aries/nginx/conf.d/repo.conf diff --git a/aries/nginx/conf.d/repo.conf b/aries/nginx/conf.d/repo.conf new file mode 100644 index 0000000..082c9fc --- /dev/null +++ b/aries/nginx/conf.d/repo.conf @@ -0,0 +1,88 @@ +server { + add_header Cache-Control "public"; + add_header X-Frame-Options "DENY"; + access_log /var/log/nginx/access.log; # main buffer=32k; + #access_log /var/log/nginx/cache.log cache; + error_log /var/log/nginx/error.log error; + expires 1h; + listen 443 ssl http2; #sndbuf=128k; + limit_req zone=gulag burst=1000 nodelay; + server_name repo.secmayl.com repo.manios.ca; + resolver 192.168.0.1; + + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + #proxy_cache webcache; + #proxy_cache_key $scheme$host$request_uri; + #proxy_cache_valid 200 301 302 304 120m; + #xproxy_cache_valid any 1m; + + # ssl settings. use publicly trusted cert (let's encrypt) with public traffic +# ssl on; + ssl_certificate /root/.acme.sh/repo.secmayl.com/repo.secmayl.com.cer; + ssl_certificate_key /root/.acme.sh/repo.secmayl.com/repo.secmayl.com.key; + + ssl_session_timeout 5m; + ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH; + ssl_ecdh_curve secp384r1; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_dhparam /usr/home/chucklz/certs/dh-4096.pem; + + # Only allow GET, HEAD and POST request methods. Since this a proxy you may + # want to be more restrictive with your request methods. The calls are going + # to be passed to the back end server and nginx does not know what it + # normally accepts, so everything gets passed. If we only need to accept GET + # HEAD and POST then limit that here. + if ($request_method !~ ^(GET|HEAD|POST)$ ) { + return 403; + } + + # user forum. This goes to a different server then the standard we cluster for example. + #location /forum/ { + # proxy_pass http://192.168.1.201/forum/; + #} + + ## Do not cache any requests using our cgi paths. The http_my_secret_header + ## is not used and is just a place holder if you need this function. + #location ~* (/cgi/||/authorized/|/restrict/) { + # expires epoch; + # proxy_no_cache 1; + # proxy_cache_bypass $http_my_secret_header; + # proxy_pass http://backend_web_servers; + #} + + # acme challenge location + location ^~ /.well-known/acme-challenge/ { + root /usr/local/www/letsencrypt; + } + + # hide dir on all requests + location = /.well-known/acme-challenge/ { + return 404; + } + + # default htdocs + location / { + ## redirect host going to www to non-www hostname + #if ($host ~* ^(www\.example\.com)$ ) { + # return 301 https://example.com$uri; + #} + #proxy_pass http://backend_web_servers; + + proxy_redirect off; + proxy_set_header X-Forwarded-Host $http_host; + proxy_pass https://$host$request_uri; + } + + ## All other errors get the generic error page + error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497 500 501 502 503 504 505 506 507 /error_page.html; + #location /error_page_example_com.html { + location /error_page.html { + internal; + } +} \ No newline at end of file