-
Notifications
You must be signed in to change notification settings - Fork 9
/
default.conf
67 lines (57 loc) · 2.4 KB
/
default.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# https://bjornjohansen.no/redirect-to-https-with-nginx
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
################################################################################
# ssl config (check with https://www.ssllabs.com/ssltest/)
# serve this path, then user certbot like:
# certbot certonly \
# --text \
# --email [email protected] \
# --webroot -w /var/lib/certbot/ \
# -d mydomain1.net - mydomain2.net ...
#
location ^~ /.well-known/acme-challenge {
alias /var/lib/certbot/.well-known/acme-challenge;
default_type "text/plain";
try_files $uri =404;
}
# HSTS, nice ...
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# certbot places files in /etc/letsencrypt/live/mydomain.net/...
# need to use some variables here ...
# note: android chrome needs the full chain
ssl_certificate ssl/latest/fullchain.pem;
ssl_certificate_key ssl/latest/privkey.pem;
# better ssl test?
# https://blog.qualys.com/ssllabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_prefer_server_ciphers on;
#ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
# default location doing ssl termination.
# forwards to an upstream host on the docker network http://$host:80
location / {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
#proxy_http_version 1.1;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Https-Protocol $ssl_protocol;
resolver 127.0.0.11; # use docker-internal dns
proxy_pass http://$host:80;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}