Select Git revision
stechuhr-server.nginx
stechuhr-server.nginx 2.85 KiB
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name %FQDN%;
access_log /var/log/nginx/%FQDN%-access.log;
error_log /var/log/nginx/%FQDN%-error.log;
add_header Cache-Control no-cache;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
add_header x-frame-options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
client_max_body_size 10M;
client_body_buffer_size 128k;
#large_client_header_buffers 4 32k;
charset utf-8;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#add_header Public-Key-Pins 'pin-sha256=""; pin-sha256=""; max-age=2592000; includeSubDomains';
ssl on;
ssl_certificate /etc/nginx/certs/%FQDN%/server.cert;
ssl_certificate_key /etc/nginx/certs/%FQDN%/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/ssl/dh2048.pem;
#ssl_stapling on;
#ssl_stapling_verify on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect http://127.0.0.1:8000/ /;
proxy_pass http://127.0.0.1:8000;
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
allow all; # Any IP can perform any other requests
add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS';
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-Proto $scheme;
#add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"';
}
location ~ /.git/ {
deny all;
}
}