This repository was archived by the owner on Aug 23, 2018. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathnginx_sites_available
105 lines (92 loc) · 5.06 KB
/
nginx_sites_available
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
# based on https://github.com/Strider-CD/strider/issues/860
server {
# HTTP configuration
# This is only used to redirect HTTP requests to HTTPS.
listen 80;
# The name this server responds to.
server_name ci.linkurio.us;
return 301 https://$server_name$request_uri;
}
server {
# Basic configuration
# Our server should respond to requests on any IP address on port 443; the default HTTPS port.
listen 443;
# The name this server responds to.
server_name ci.linkurio.us;
# Don't send the nginx version number.
server_tokens off;
# Don't allow the website to be embedded in an iframe (unless it's from the same origin).
# See: https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
# Disable MIME-type sniffing.
# See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-Content-Type-Options nosniff;
# Enable XSS protection.
# See: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";
# Prevent SSL stripping.
# See: https://en.wikipedia.org/wiki/Moxie_Marlinspike#SSL_stripping
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
# SSL configuration
# Enable SSL.
ssl on;
# Allow only TLS, disable the old SSL protocols.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# The SSL certificate this server should use.
ssl_certificate /etc/letsencrypt/live/ci.linkurio.us/fullchain.pem;
# The private key this server should use.
ssl_certificate_key /etc/letsencrypt/live/ci.linkurio.us/privkey.pem;
# SSL session parameters may be reused by the client for the given time.
ssl_session_timeout 5m;
# Store the SSL session parameters in a shared, 10 MB cache.
ssl_session_cache shared:SSL:10m;
# Set the supports SSL cipher suites. Allow only strong suites.
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
# Prefer server cipher suites over the ones the client requests.
# This makes sure the client can't use weak cipher suites.
ssl_prefer_server_ciphers on;
# Enable SSL stapling.
# See https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
ssl_stapling on;
resolver 8.8.8.8;
# Enable Public Key Pinning. This prevents MITM attack by giving the client additional information about our SSL certificate.
# See: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
# Requires an additional, backup certificate. Disable for now.
# add_header Public-Key-Pins 'pin-sha256="gS7k9UlBgmDZ6+T45UDzoohPX9PEkspSZ1eQBwlABNM="; max-age=5184000; includeSubDomains';
# Logging configuration
access_log /var/log/nginx/ci.linkurio.us.access.log;
# Set a base configuration for all requests to this virtual server.
location / {
# Set this server up as a reverse-proxy for the given address.
# We configure our reverse-proxy to always connect over plain HTTP on a specific port.
proxy_pass http://localhost:8081;
# Rewrite Location and Refresh HTTP headers, so that the client sees the address they requested.
proxy_redirect http://localhost:8081 https://ci.linkurio.us;
# Our server should set the Host HTTP header to the name of this virtual server if the header is not present.
# In practise, the value of the header should always be the name of the virtual server, because, otherwise
# our server configuration wouldn't be hit at all.
proxy_set_header Host $host;
# Set the X-Real-IP HTTP header to the address of the client.
proxy_set_header X-Real-IP $remote_addr;
# Set the X-Forwarded-For HTTP header to contain the value set by the client, with the address of the client
# appended to it.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Set the X-Forwarded-Proto HTTP header to contain "http" or "https", depending on how the client contacted
# our proxy. In practise, it should always be "https".
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 90;
}
# Socket.io will send requests to the location configured below. It requires some special configuration for
# websockets to perform properly.
location /socket.io/ {
# Requests to this location should be proxied to the address given below.
# This directive may actually be redundant, given the configuration for the root above.
proxy_pass http://localhost:8081;
# Because websockets use keepalive, we need to make sure HTTP version 1.1 is used.
proxy_http_version 1.1;
# To allow websocket proxying, we need to forward the Upgrade and Connection HTTP headers.
# See http://nginx.org/en/docs/http/websocket.html for more details.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}