nginx conf helpers
This commit is contained in:
commit
9c4d358ef0
5 changed files with 173 additions and 0 deletions
44
nginx/logs.esy.fun
Normal file
44
nginx/logs.esy.fun
Normal file
|
@ -0,0 +1,44 @@
|
|||
# Nginx configuration
|
||||
|
||||
## Redirects all HTTP traffic to the HTTPS host
|
||||
server {
|
||||
server_name logs.esy.fun; ## YYY
|
||||
## In case of conflict, either remove "default_server" from the listen line below,
|
||||
## or delete the /etc/nginx/sites-enabled/default file.
|
||||
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||
access_log /var/log/nginx/logs.esy_access.log;
|
||||
error_log /var/log/nginx/logs.esy_error.log;
|
||||
|
||||
root /var/log;
|
||||
auth_basic "Admin restricted";
|
||||
auth_basic_user_file /etc/nginx/htpasswd;
|
||||
index index.html;
|
||||
location / {
|
||||
autoindex on;
|
||||
try_files $uri $uri/ =404; }
|
||||
|
||||
location ~ ^/.*\.log$ {
|
||||
default_type text/plain;
|
||||
add_header Content-Disposition "inline";
|
||||
}
|
||||
|
||||
listen [::]:443 ssl; # managed by Certbot
|
||||
listen 443 ssl; # managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/esy.fun/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/esy.fun/privkey.pem; # managed by Certbot
|
||||
|
||||
## [Optional] Enable HTTP Strict Transport Security
|
||||
## HSTS is a feature improving protection against MITM attacks
|
||||
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||
}
|
||||
|
||||
server {
|
||||
if ($host = logs.esy.fun) {
|
||||
return 301 https://$host$request_uri;
|
||||
} # managed by Certbot
|
||||
server_name logs.esy.fun;
|
||||
listen 0.0.0.0:80;
|
||||
listen [::]:80;
|
||||
return 404; # managed by Certbot
|
||||
}
|
12
nginx/new-reverse-proxy.sh
Executable file
12
nginx/new-reverse-proxy.sh
Executable file
|
@ -0,0 +1,12 @@
|
|||
#!/usr/bin/env zsh
|
||||
|
||||
(($#<3)) && {
|
||||
print "usage: $0:t SUB DOMAIN"
|
||||
exit 1
|
||||
} >&2
|
||||
|
||||
SUB="$1"
|
||||
DOMAIN="$2"
|
||||
PORT="$3"
|
||||
|
||||
m4 -D SUB=$SUB -D DOMAIN=$DOMAIN -D PORT=$PORT reverse-proxy-template.m4 > $SUB.$DOMAIN
|
11
nginx/new-static-website.sh
Executable file
11
nginx/new-static-website.sh
Executable file
|
@ -0,0 +1,11 @@
|
|||
#!/usr/bin/env zsh
|
||||
|
||||
(($#<2)) && {
|
||||
print "usage: $0:t SUB DOMAIN"
|
||||
exit 1
|
||||
} >&2
|
||||
|
||||
SUB="$1"
|
||||
DOMAIN="$2"
|
||||
|
||||
m4 -D SUB=$SUB -D DOMAIN=$DOMAIN static-template.m4 > $SUB.$DOMAIN
|
57
nginx/reverse-proxy-template.m4
Normal file
57
nginx/reverse-proxy-template.m4
Normal file
|
@ -0,0 +1,57 @@
|
|||
# Nginx configuration
|
||||
|
||||
server {
|
||||
server_name SUB.DOMAIN;
|
||||
access_log /var/log/nginx/SUB_ssl_access.log;
|
||||
error_log /var/log/nginx/SUB_ssl_error.log;
|
||||
|
||||
listen *:443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_tokens off;
|
||||
|
||||
## SSL
|
||||
ssl on;
|
||||
ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; # managed by Certbot
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 5m;
|
||||
|
||||
## [Optional] Enable HTTP Strict Transport Security
|
||||
## HSTS is a feature improving protection against MITM attacks
|
||||
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:PORT;
|
||||
gzip off;
|
||||
proxy_redirect off;
|
||||
|
||||
## Some requests take more than 30 seconds.
|
||||
proxy_read_timeout 300;
|
||||
proxy_connect_timeout 300;
|
||||
proxy_redirect off;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
||||
|
||||
## Redirects all HTTP traffic to the HTTPS host
|
||||
server {
|
||||
## In case of conflict, either remove "default_server" from the listen line below,
|
||||
## or delete the /etc/nginx/sites-enabled/default file.
|
||||
listen 0.0.0.0:80;
|
||||
listen [::]:80;
|
||||
server_name SUB.DOMAIN; ## YYY
|
||||
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||
return 301 https://$http_host$request_uri;
|
||||
access_log /var/log/nginx/SUB.DOMAIN()_access.log;
|
||||
error_log /var/log/nginx/SUB.DOMAIN()_error.log;
|
||||
}
|
||||
|
49
nginx/static-template.m4
Normal file
49
nginx/static-template.m4
Normal file
|
@ -0,0 +1,49 @@
|
|||
# Nginx configuration
|
||||
|
||||
## Redirects all HTTP traffic to the HTTPS host
|
||||
server {
|
||||
server_name SUB.DOMAIN;
|
||||
root /var/www/SUB.DOMAIN;
|
||||
access_log /var/log/nginx/SUB.DOMAIN()_access.log;
|
||||
error_log /var/log/nginx/SUB.DOMAIN()_error.log;
|
||||
|
||||
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||
|
||||
index index.html;
|
||||
location / { try_files $uri $uri/ =404; }
|
||||
|
||||
# optimise headers
|
||||
# imagine almost never expire
|
||||
location ~* \.(jpg|jpeg|png|gif|ico)$ {
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
listen [::]:443 http2 ssl; # managed by Certbot
|
||||
listen 443 http2 ssl; # managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; # managed by Certbot
|
||||
|
||||
# WARNING
|
||||
# compression with HTTPS can be used to decrypt
|
||||
# Only for public data !
|
||||
gzip on;
|
||||
gzip_types application/javascript image/* text/css;
|
||||
gunzip on;
|
||||
|
||||
etag on;
|
||||
## [Optional] Enable HTTP Strict Transport Security
|
||||
## HSTS is a feature improving protection against MITM attacks
|
||||
## For more information see:
|
||||
## https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||
}
|
||||
|
||||
server {
|
||||
if ($host = SUB.DOMAIN) {
|
||||
return 301 https://$host$request_uri;
|
||||
} # managed by Certbot
|
||||
server_name SUB.DOMAIN;
|
||||
listen 0.0.0.0:80;
|
||||
listen [::]:80;
|
||||
return 404; # managed by Certbot
|
||||
}
|
Loading…
Reference in a new issue