
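# NGINX configuration for a virtualhost proxied to a Docker service.
# Uses https://github.com/acmesh-official/acme.sh to manage SSL certificates.
# The $PAR_* tokens appear to be deploy-time template placeholders (they are
# not nginx variables); map variable names carry a $PAR_PROXYPORT suffix so
# that several generated vhosts can coexist in one http{} context.
# Flags the non 2xx or non 3xx (probably error) responses.
map $status $errorlog_$PAR_PROXYPORT { ~^[23] 0; default 1; }
# The STS header should only be sent over https.
map $scheme $hsts_header_$PAR_PROXYPORT { https "max-age=31536000; includeSubDomains"; }
# WebSocket support: ask the backend for a protocol upgrade only when the
# client actually sent an Upgrade header; ordinary requests get "close".
# Sending "Connection: upgrade" unconditionally breaks plain HTTP handling on
# some backends and defeats upstream keepalive.
map $http_upgrade $connection_upgrade_$PAR_PROXYPORT { default upgrade; '' close; }
# Virtualhost's configuration follows.
server {
    listen 80;
    # listen 443 ssl;
    server_name_in_redirect on;
    server_name $PAR_SERVERNAME;
    # Contact address shown on the error page; a deploy-time value, not request input.
    set $server_admin $PAR_WEBMASTER;
    # access log and error log.
    # Any requests getting a non 2xx or non 3xx response will go to the error log as well.
    access_log $PAR_SERVICE/logs/web/access.log combined;
    access_log $PAR_SERVICE/logs/web/error.log combined if=$errorlog_$PAR_PROXYPORT;
    # Let's Encrypt (acme.sh) support.
    # Served over plain http and outside the webapp location so http-01
    # challenges can be answered before a certificate exists.
    location /.well-known/ {
        proxy_pass http://$PAR_ACMEHOST:$PAR_ACMEPORT;
        # error_page only handles errors nginx raises itself (e.g. 502/504 when
        # the backend is unreachable); 5xx generated by the backend pass
        # through unchanged unless proxy_intercept_errors is switched on.
        error_page 500 502 503 504 @proxy_error;
    }
    # Forced redirect to https.
    # if ($scheme = http) {
    #     return 301 https://$host$request_uri;
    # }
    # Extended character set.
    charset utf-8;
    # Webapp's configuration.
    location /$PAR_LOCATION {
        proxy_pass http://$PAR_PROXYHOST:$PAR_PROXYPORT/$PAR_LOCATION;
        # Same caveat as above: backend-generated 5xx are not intercepted.
        error_page 500 502 503 504 @proxy_error;
        # Request/response tuning: large uploads, long-running backend requests.
        client_max_body_size 1G;
        keepalive_timeout 30;
        proxy_read_timeout 300;
        proxy_request_buffering on;
        proxy_buffers 2048 16k;
        proxy_buffer_size 16k;
        # Forwarding headers so the webapp sees the original host, client
        # address and scheme. X-Forwarded-For is appended to, so the webapp
        # should only trust it if nginx is the first hop the client reaches.
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # websockets (HTTP/1.1 is required for the Upgrade handshake).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade_$PAR_PROXYPORT;
    }
    # Generic error page for backend failures. $server_admin comes from the
    # deploy-time placeholder above, not from request data.
    location @proxy_error {
        types { } default_type text/html;
        return 500
"<span style='font-size: x-large'>Sorry something went wrong. Try again a bit later.<br>
You may report this at <a href='mailto:$server_admin'>$server_admin</a>.</span>";
    }
    #
    # Optional export backups function.
    # Needs ACLs, see the include file.
    #include $PAR_SERVICE/configs/nginx_xport.inc;
    #
    # Optional simple static service.
    #include $PAR_SERVICE/configs/nginx_static.inc;
    #
    # Optional simple disabled-static service.
    #include $PAR_SERVICE/configs/nginx_nostatic.inc;
    ##################################################################################
    # The SSL part
    # https://ssl-config.mozilla.org/
    # https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033
    # For an ACME-handled certificate.
    # ssl_certificate $PAR_SERVICE/configs/acme/$PAR_SERVERNAME/fullchain.cer;
    # ssl_certificate_key $PAR_SERVICE/configs/acme/$PAR_SERVERNAME/$PAR_SERVERNAME.key;
    # For a (possibly symlinked) static certificate.
    # ssl_certificate $PAR_SERVICE/configs/certs/$PAR_SERVERNAME/fullchain.cer;
    # ssl_certificate_key $PAR_SERVICE/configs/certs/$PAR_SERVERNAME/$PAR_SERVERNAME.key;
    # Settings to achieve 'A' grade on https://www.ssllabs.com/ssltest/
    # Session resumption through a server-side cache, as in the Mozilla
    # reference config. Tickets are disabled below, so without a cache the
    # session timeout has nothing to apply to. The shared zone is common to
    # every vhost that names it.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    # Close to the Mozilla "intermediate" suites. The trailing
    # ECDHE-RSA-AES128-SHA is a CBC suite that profile omits; it is kept for
    # legacy clients and can be dropped if none are expected.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
    # Activate it only in case of stable https service.
    # more_set_headers needs the headers-more module; on stock nginx use
    # add_header Strict-Transport-Security $hsts_header_$PAR_PROXYPORT always;
    # more_set_headers "Strict-Transport-Security: $hsts_header_$PAR_PROXYPORT";
    # ssl_stapling on;
    # ssl_stapling_verify on;
}
# That's all.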