stechuhr-server.nginx

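    # TLS virtual host for %FQDN%: terminates HTTPS and reverse-proxies every
    # request (including WebSocket upgrades) to the application on 127.0.0.1:8000.
    server {

        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name %FQDN%;

        access_log /var/log/nginx/%FQDN%-access.log;
        error_log /var/log/nginx/%FQDN%-error.log;

        # Response headers. nginx inherits add_header from this level ONLY when
        # the location defines no add_header of its own, so every header lives
        # here; adding one inside a location would silently drop all of these
        # (HSTS, X-Frame-Options, nosniff) for that location.
        add_header Cache-Control no-cache;
        # "always" also sends the header on error responses (4xx/5xx).
        # includeSubdomains + preload commit every subdomain to HTTPS for a year.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;" always;
        add_header x-frame-options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;
        # Legacy header: current browsers ignore it; kept as the author set it.
        add_header X-XSS-Protection "1; mode=block";
        # Moved up from "location /" so they no longer mask the headers above.
        # No Access-Control-Allow-Origin is set here, so these two do not by
        # themselves grant cross-origin access.
        add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS';

        client_max_body_size 10M;
        client_body_buffer_size 128k;
        #large_client_header_buffers 4 32k;
        charset utf-8;

        #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        # HPKP is no longer supported by current browsers; left commented out.
        #add_header Public-Key-Pins 'pin-sha256=""; pin-sha256=""; max-age=2592000; includeSubDomains';

        # "ssl on;" dropped: the directive is deprecated and the "ssl" flag on
        # both listen lines already enables TLS for this server.
        ssl_certificate /etc/nginx/certs/%FQDN%/server.cert;
        ssl_certificate_key /etc/nginx/certs/%FQDN%/server.key;
        ssl_session_timeout 5m;
        # TLSv1.1 removed: it is formally deprecated (RFC 8996).
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        # NOTE(review): this list still admits CBC-mode/SHA-1 and DSS suites
        # under TLS 1.2. Review it against current guidance; it is left
        # unchanged here because removing suites can lock out old clients.
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/dh2048.pem;
        #ssl_stapling on;
        #ssl_stapling_verify on;

        # Everything is handed to the local backend. Keep this location free of
        # add_header directives (see the header block above).
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            # Appends the peer address to any X-Forwarded-For the client sent,
            # so the backend must treat only the right-most entry as trustworthy.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # HTTP/1.1 plus Upgrade/Connection are what WebSocket proxying needs.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            proxy_redirect http://127.0.0.1:8000/ /;
            proxy_pass http://127.0.0.1:8000;
            # 24 h timeouts keep long-lived connections from being cut.
            proxy_read_timeout 86400s;
            proxy_send_timeout 86400s;
            allow all; # no IP-based restriction on this location

            # X-Forwarded-Proto is not forwarded, so the backend cannot tell
            # from headers that the client connection was HTTPS.
            #proxy_set_header X-Real-IP $remote_addr;
            #proxy_set_header X-Forwarded-Proto $scheme;
            #add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';

        }

        # Refuse any path containing a ".git" directory segment. The dot is
        # escaped: unescaped it matched any character (e.g. "/agit/").
        location ~ /\.git/ {
            deny all;
        }
    }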