Commit 1b14e2cc authored by moba's avatar moba

nginx base configuration plus some hosts

parent c79b2407
# sangha-nginx
This directory contains parts of our NGINX server configuration. These
are not complete and serve merely as an example. Handle with care.
The [NGINX documentation](http://nginx.org/en/docs/) is actually fairly
good. Before you apply any of the statements you see in this directory
please read up on the respective command there!
Things also change over time, both in terms of NGINX directives, but also
in terms of best practices for SSL etc.; do not expect this repository
to reflect the latest developments, it is merely a snapshot.
## Features
* Log Sanitation: do not log the last IPv4 octet/IPv6 hextet of visitors
* LetsEncrypt ACME
* GZIP Compression Optimization
## :warning: WARNING :warning:
* HSTS Preload is enabled in this configuration. You need to educate yourself and think hard whether you want that for your own site(s). [This is dangerous.](https://scotthelme.co.uk/death-by-copy-paste/)
## TODO
* Content-Security-Policy
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 2048;
use epoll;
multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
keepalive_requests 100000;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
include /etc/nginx/snippets/sanitize-logs.conf;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_static on;
gzip_proxied expired no-cache no-store private auth;
gzip_comp_level 8;
gzip_min_length 1100;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript font/truetype font/opentype image/svg+xml application/json;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
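Review bot: The http-level `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` under `# SSL Settings` still enables TLS 1.0 and 1.1, which are deprecated (RFC 8996), and it is the fallback for any server block that forgets to include snippets/ssl-configuration.conf, so the fallback should be at least as strict as the snippet: `ssl_protocols TLSv1.2;`. `gzip_types` lists `application/json` twice; harmless, but worth deduplicating so the list stays readable. Because gzip is enabled on TLS responses and `application/json` is the content type the `/v1/` proxies return, compressing API bodies that echo request-controlled data next to secrets (session or CSRF tokens) is the BREACH pattern — presumably not the case for this API, but confirm with the backend owners before leaving `application/json` in `gzip_types`, and say so in a comment either way.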
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/api.sangha.techcultivation.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.sangha.techcultivation.org/privkey.pem;
include /etc/nginx/snippets/ssl-configuration.conf;
include /etc/nginx/snippets/sanitize-logs-per-server.conf;
server_name api.sangha.techcultivation.org;
location = / {
rewrite ^ https://techcultivation.org/ redirect;
}
location /v1/ {
proxy_pass http://10.0.3.206:9991/v1/;
}
}
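Review bot: None of the 443 listeners declares `default_server`, so nginx uses the first one in include order — this `api.sangha.techcultivation.org` block — for connections without SNI or with an unknown Host, and such requests reach the `/v1/` `proxy_pass` to 10.0.3.206:9991 exactly like a legitimate one. A dedicated catch-all that refuses the connection keeps scanners and mis-pointed names away from the backend; on nginx ≥ 1.19.4 it can use `ssl_reject_handshake on;` without a certificate, older versions need an `ssl_certificate` (any of the existing ones) plus `return 444;`. The `location /v1/` also sets no `proxy_set_header`, so the backend sees `Host: 10.0.3.206:9991` and has no `X-Forwarded-Proto` to tell it the request arrived over TLS — add them if the backend builds absolute URLs or secure cookies, which cannot be determined from here.
```nginx
# sites-available/default-ssl — explicit catch-all so unknown names never reach a backend
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4; older: ssl_certificate <any existing> + return 444;
}
```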
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/donate.techcultivation.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/donate.techcultivation.org/privkey.pem;
include /etc/nginx/snippets/ssl-configuration.conf;
include /etc/nginx/snippets/sanitize-logs-per-server.conf;
server_name donate.techcultivation.org;
}
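Review bot: This server block has no `root`, `location` or `return`, so donate.techcultivation.org serves nginx's compile-time default document root (normally the packaged "Welcome to nginx" page) over TLS with HSTS preload attached — presumably a placeholder until the site exists, but a placeholder should be explicit, e.g. `location / { return 404; }` or a redirect to the main site, with a comment `# placeholder: no content yet`. The same applies to the sangha.techcultivation.org block further down, which is identical apart from the certificate paths.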
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
}
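Review bot: This port-80 default server does not include snippets/sanitize-logs-per-server.conf, yet the http-level `access_log ... sanitized` applies to it, so `$sanitized_remote_addr` is never set here and every ACME and redirect request is logged with '-' for the address (nginx also warns about an uninitialized variable in error.log); add `include /etc/nginx/snippets/sanitize-logs-per-server.conf;` next to the acme include, or move the sanitisation into an http-level `map` so no server block can miss it. `ipv6only=on` is the default and can be dropped. The block intentionally has no `server_name` because it is `default_server`; a comment `# catch-all: ACME challenges on HTTP, everything else redirected to HTTPS` would spare the next reader a lookup.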
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/sandbox.api.sangha.techcultivation.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sandbox.api.sangha.techcultivation.org/privkey.pem;
include /etc/nginx/snippets/ssl-configuration.conf;
include /etc/nginx/snippets/sanitize-logs-per-server.conf;
server_name sandbox.api.sangha.techcultivation.org;
location = / {
rewrite ^ https://techcultivation.org/ redirect;
}
location /v1/ {
proxy_pass http://10.0.3.71:9991/v1/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/sangha.techcultivation.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sangha.techcultivation.org/privkey.pem;
include /etc/nginx/snippets/ssl-configuration.conf;
include /etc/nginx/snippets/sanitize-logs-per-server.conf;
server_name sangha.techcultivation.org;
}
../sites-available/api.sangha.techcultivation.org
\ No newline at end of file
../sites-available/donate.techcultivation.org
\ No newline at end of file
../sites-available/letsencrypt-acme
\ No newline at end of file
../sites-available/sandbox.api.sangha.techcultivation.org
\ No newline at end of file
../sites-available/sangha.techcultivation.org
\ No newline at end of file
#############################################################################
# Configuration file for Let's Encrypt ACME Challenge location
# This file is already included in listen_xxx.conf files.
# Do NOT include it separately!
#############################################################################
#
# This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx
# on all our sites (HTTP), including all subdomains.
# This is required by ACME Challenge (webroot authentication).
# You can check that this location is working by placing ping.txt here:
# /var/www/letsencrypt/.well-known/acme-challenge/ping.txt
# And pointing your browser to:
# http://xxx.domain.tld/.well-known/acme-challenge/ping.txt
#
# Sources:
# https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491
#
#############################################################################
# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
# other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
location ^~ /.well-known/acme-challenge/ {
# Set correct content type. According to this:
# https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
# Current specification requires "text/plain" or no content header at all.
# It seems that "text/plain" is a safe option.
default_type "text/plain";
# This directory must be the same as in /etc/letsencrypt/cli.ini
# as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
# there to "webroot".
# Do NOT use alias, use root! Target directory is located here:
# /var/www/common/letsencrypt/.well-known/acme-challenge/
root /var/www/letsencrypt;
}
# Hide /acme-challenge subdirectory and return 404 on all requests.
# It is somewhat more secure than letting Nginx return 403.
# Ending slash is important!
location = /.well-known/acme-challenge/ {
return 404;
}
location / {
rewrite ^ https://$host$request_uri? permanent;
}
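Review bot: The comment above `root /var/www/letsencrypt;` says the target directory is `/var/www/common/letsencrypt/.well-known/acme-challenge/`, which does not match the `root` directive (requests resolve to `/var/www/letsencrypt/.well-known/acme-challenge/`); change the comment to `# /var/www/letsencrypt/.well-known/acme-challenge/` so the `webroot-path` copied into cli.ini is the right one. The header comment still says the file is included by `listen_xxx.conf` files, which is the layout of the linked upstream howto, not this repository (it is included from sites-available/letsencrypt-acme). The fallback `rewrite ^ https://$host$request_uri? permanent;` reflects whatever Host header the client sends into a redirect from a default_server with no `server_name`; restrict it to the names actually served, e.g. `if ($host !~* ^(api\.sangha|sandbox\.api\.sangha|sangha|donate)\.techcultivation\.org$) { return 444; }` ahead of the rewrite, so a mis-pointed or spoofed Host gets no redirect at all.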
set $sanitized_remote_addr $remote_addr;
if ($remote_addr ~* (.*):(.*)) {
set $sanitized_remote_addr $1:0;
}
if ($remote_addr ~* (.*)\.(.*)) {
set $sanitized_remote_addr $1.0;
}
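Review bot: Zeroing only the last hextet on the IPv6 branch (`set $sanitized_remote_addr $1:0;`) leaves a /112, so the /64 assigned to a household or device survives intact and a stable interface identifier is mostly preserved — this does not anonymise IPv6 visitors the way dropping the last octet does for IPv4; masking at least the last 64 bits is the usual choice, and the README's "IPv6 hextet" wording should state what is actually removed. Both `if` conditions test `$remote_addr` rather than the value already assigned, so an IPv4-mapped address such as `::ffff:203.0.113.7` matches both and the second `set` wins, giving `::ffff:203.0.113.0` — acceptable, but it looks accidental and deserves a comment. Because this is `set`/`if`, it has to be included in every server block by hand; an http-level `map` produces the same variable everywhere (including the port-80 server, which currently lacks the include) without `if`. The map below reproduces today's semantics; widening the IPv6 mask still needs a stricter pattern because compressed notation does not expose hextet positions directly.
```nginx
# http context (nginx.conf or snippets/sanitize-logs.conf); replaces the per-server set/if block
map $remote_addr $sanitized_remote_addr {
    default                      $remote_addr;
    "~^(?<v6>.*):[0-9a-fA-F]*$"  $v6:0;   # IPv6: zero the last hextet (same as today; widen to the last 64 bits)
    "~^(?<v4>.*)\.[0-9]+$"       $v4.0;   # IPv4 and IPv4-mapped IPv6: zero the last octet
}
```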
log_format sanitized '$http_host $sanitized_remote_addr [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time';
access_log /var/log/nginx/access.log sanitized;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
#add_header Content-Security-Policy "default-src 'self'";
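Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0/1.1 enabled and the `ssl_ciphers` list ends with the catch-alls `AES:CAMELLIA:DES-CBC3-SHA`, which admit non-forward-secret RSA key exchange and 3DES (SWEET32, CVE-2016-2183); change to `ssl_protocols TLSv1.2;` and drop those three entries, and since the README itself says TLS advice goes stale, date the choice in a comment. With `ssl_session_timeout 1d` and no `ssl_session_tickets off;`, resumption also relies on nginx's in-process ticket key, which only changes when nginx is restarted, so a later key compromise exposes resumed sessions; add `ssl_session_tickets off;`. `ssl_stapling_verify on` needs the issuer chain via `ssl_trusted_certificate` (per host, e.g. the `chain.pem` next to each `fullchain.pem`) and a `resolver` directive so nginx can look up the OCSP responder; neither appears in this snippet or in the server blocks that include it, so stapling is presumably failing with a warning in error.log rather than working — verify before relying on it. `X-XSS-Protection "1; mode=block"` is deprecated and ignored by current browsers; harmless here, but `0` is the current recommendation and the Content-Security-Policy still on the README's TODO list is the real mitigation.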