# NGINX configuration for a virtualhost proxied to a Docker service.
# Uses https://github.com/acmesh-official/acme.sh to manage SSL certificates.
#
# NOTE(review): the $PAR_* tokens (server name, service path, hosts, ports,
# location) are not nginx variables; they look like placeholders filled in by a
# templating step before nginx loads this file -- confirm against the deployment
# scripts. The substituted values land in server_name, access_log and
# proxy_pass, so they must come from trusted deployment configuration, never
# from request data.

# Flags the non 2xx or non 3xx (probably error) responses.
# $errorlog is 0 for a 2xx/3xx status and 1 otherwise; it drives the
# conditional second access_log below via its 'if=' parameter.
map $status $errorlog { ~^[23] 0; default 1; }

# Virtualhost's configuration follows.
server {
    # Plain HTTP only for now; the TLS settings further down stay inert until
    # the 443 listener and the ssl_certificate* lines are enabled together.
    listen 80;
    # listen 443 ssl;

    # Redirects generated by nginx use the configured server_name below rather
    # than the request's Host header.
    server_name_in_redirect on;
    server_name $PAR_SERVERNAME;

    # Contact address shown on the error page. $server_name is the configured
    # name from the directive above, not the client-supplied Host header, so
    # nothing request-controlled is reflected into the page body.
    set $server_admin webmaster@$server_name;

    # access log and error log.
    # Any requests getting a non 2xx or non 3xx response will go to the error log as well.
    # Both files use the 'combined' format; the second is only written when
    # $errorlog (from the map above) is non-zero.
    access_log $PAR_SERVICE/logs/web/access.log combined;
    access_log $PAR_SERVICE/logs/web/error.log combined if=$errorlog;

    # Let's Encrypt (acme.sh) support.
    # NOTE(review): this forwards the whole /.well-known/ tree to the ACME host,
    # not just /.well-known/acme-challenge/. Any other well-known resource
    # (security.txt, change-password, ...) is therefore answered by that host;
    # narrow the prefix if the ACME host should not see those requests.
    location /.well-known/ {
        proxy_pass http://$PAR_ACMEHOST:$PAR_ACMEPORT;
        # error_page only applies to responses nginx generates itself (e.g. a
        # 502 when the upstream is unreachable); a 5xx returned by the upstream
        # passes through unchanged unless proxy_intercept_errors is enabled.
        error_page 500 502 503 504 @proxy_error;
    }

    # Forced redirect to https.
    # Keep this disabled until 'listen 443 ssl' and the certificates are active,
    # otherwise every request is sent to an https endpoint nothing listens on.
    # if ($scheme = http) {
    # return 301 https://$host$request_uri;
    # }

    # Webapp's configuration.
    charset utf-8;
    # NOTE(review): without a trailing slash this is a plain prefix match, so
    # /<location> also matches /<location>anything. Add the slash here and in
    # proxy_pass if only the sub-tree is intended.
    location /$PAR_LOCATION {
        proxy_pass http://$PAR_PROXYHOST:$PAR_PROXYPORT/$PAR_LOCATION;
        # Same caveat as above: catches nginx-generated errors only.
        error_page 500 502 503 504 @proxy_error;

        # Request bodies up to 1 GiB are accepted and, because request buffering
        # is on, read completely by nginx (spilling to temp files) before being
        # forwarded; size the temp-file disk space accordingly.
        client_max_body_size 1G;
        keepalive_timeout 30;
        # Allow long-running upstream requests: wait up to 300 s between reads.
        proxy_read_timeout 300;

        proxy_request_buffering on;
        proxy_buffers 2048 16k;
        proxy_buffer_size 16k;

        # Forwarding headers for the upstream application.
        # X-Real-IP is the direct peer address. X-Forwarded-For appends that
        # address to whatever X-Forwarded-For the client already sent, so the
        # upstream must trust only the right-most entry (added by this proxy),
        # never the left-most one, when deriving the client IP.
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        #websockets
        # HTTP/1.1 plus the Upgrade/Connection pair lets WebSocket handshakes
        # reach the upstream.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Static error page used by the error_page directives above.
    location @proxy_error {
        default_type text/html;
        return 500
        "<span style='font-size: x-large'>Sorry something went wrong. Try again a bit later.<br>
        You may report this at <a href='mailto:$server_admin'>$server_admin</a>.</span>";
    }

    # No static service.
    # location / {
    # default_type text/html;
    # return 404 "<span style='font-size: x-large'>Sorry try <a href='$scheme://$server_name/$PAR_LOCATION'>$scheme://$server_name/$PAR_LOCATION</a> instead.</span>";
    # }

    ##################################################################################
    # The SSL part
    # https://ssl-config.mozilla.org/
    # https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033
    #
    # NOTE(review): everything below is inert while only 'listen 80' is active;
    # it takes effect once 'listen 443 ssl' and the two ssl_certificate* lines
    # are uncommented.

    # ssl_certificate $PAR_SERVICE/configs/acme/$PAR_SERVERNAME/fullchain.cer;
    # ssl_certificate_key $PAR_SERVICE/configs/acme/$PAR_SERVERNAME/$PAR_SERVERNAME.key;

    # Settings to achieve 'A' grade on https://www.ssllabs.com/ssltest/
    # Session tickets are off, so no long-lived ticket key exists that could
    # later decrypt recorded sessions; the timeout then only governs server-side
    # cache entries, and no ssl_session_cache is configured in this file.
    ssl_session_timeout 1440m;
    ssl_session_tickets off;

    # TLS 1.0/1.1 are excluded. Client cipher preference is honoured (Mozilla
    # "intermediate" style), which is acceptable because every suite below is
    # ECDHE/DHE and therefore forward-secret.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    # NOTE(review): all suites are AEAD except the trailing ECDHE-RSA-AES128-SHA
    # (CBC with SHA-1 HMAC), presumably kept for legacy clients; drop it if none
    # require it. TLS 1.3 suites are not governed by this directive.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

    # OCSP stapling.
    # NOTE(review): with ssl_stapling_verify on, nginx needs the issuer chain
    # via ssl_trusted_certificate and a 'resolver' directive to reach the OCSP
    # responder; neither is present in this file, so watch the error log for
    # stapling warnings once TLS is enabled.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Read before activating: https://blog.g3rt.nl/nginx-add_header-pitfall.html
    # (an add_header inside a nested location replaces, rather than extends,
    # the headers set at this level). HSTS with includeSubDomains commits every
    # subdomain to HTTPS for a year -- make sure they all serve TLS first.
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # add_header X-Frame-Options SAMEORIGIN;
    # add_header X-Content-Type-Options nosniff;
}

# That's all.