author | Dirk Engling <erdgeist@erdgeist.org> | 2020-05-22 16:14:08 +0200 |
---|---|---|
committer | Dirk Engling <erdgeist@erdgeist.org> | 2020-05-22 16:14:08 +0200 |
commit | bc219b6877e275c3a74d504c97dbf4891762cd62 (patch) | |
tree | b435bab8fd49d664d797a827425fb19f3138f66a | |
parent | be790d91e423b021b5ee6d43eb0fb2c68eb12085 (diff) |
-rw-r--r-- | nginx.conf.sample | 51 |
1 files changed, 51 insertions, 0 deletions
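--- /dev/null
+++ b/nginx.conf.sample
@@ -0,0 +1,51 @@
+server {
+listen [::]:80;
+listen [::]:443 ssl http2;
+listen 80;
+listen 443 ssl http2;
+server_name dokumente.foo.com;
+
+# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+ssl_certificate /var/dehydrated/certs/dokumente.foo.com/fullchain.pem;
+ssl_certificate_key /var/dehydrated/certs/dokumente/privkey.pem;
+ssl_dhparam /usr/local/etc/nginx/dhparams-4096.pem;
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:50m;
+
+# modern configuration. tweak to your needs.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA25
+6:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-S
+HA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security max-age=15768000;
+
+client_max_body_size 300M;
+
+location ~ ^/(Public|static|dropzone) {
+proxy_pass http://127.0.1.9:8000;
+}
+
+location ~ ^/Dokumente/([^/]+)(/.*)? {
+auth_basic "Dokumente Admin Area";
+auth_basic_user_file /var/run/Filer/Daten/Mandanten/$1;
+proxy_pass http://127.0.1.9:8000;
+}
+
+location /admin {
+auth_basic "Administratorenbereich";
+auth_basic_user_file //var/run/Filer/Daten/admin.pw;
+proxy_pass http://127.0.1.9:8000;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Proto https;
+proxy_set_header X-Scheme $scheme;
+proxy_set_header X-Forwarded-For $remote_addr;
+}
+
+location /.well-known/acme-challenge/ {
+alias /usr/local/www/dehydrated/;
+}
+}
+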
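Review bot: The two `auth_basic` locations (`^/Dokumente/…` and `/admin`) are reachable over plain HTTP, because the one server block listens on port 80 as well as 443, so Basic credentials can cross the network unencrypted, and browsers ignore the `Strict-Transport-Security` header on responses received over HTTP. I would move the port-80 listeners into their own server block that serves only the ACME challenge path and redirects everything else to HTTPS, as sketched below. In `/admin`, `proxy_set_header X-Forwarded-Proto https;` is hard-coded, so the backend is told the request was HTTPS even when it arrived on port 80; `$scheme` would report what actually happened. Separately, `ssl_protocols` still enables `TLSv1` and `TLSv1.1` under the "modern configuration" comment, where `ssl_protocols TLSv1.2 TLSv1.3;` would match the comment. The `ssl_ciphers` value is also wrapped mid-token across three file lines (`…SHA25` / `6:…`), which probably corrupts the cipher names at each break and should be joined into a single line.

```nginx
server {
    listen [::]:80;
    listen 80;
    server_name dokumente.foo.com;

    location /.well-known/acme-challenge/ {
        alias /usr/local/www/dehydrated/;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name dokumente.foo.com;
    # … unchanged: ssl_* settings, HSTS header, proxy locations …
}
```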