Provide sample nginx config blockHEAD master

author: Dirk Engling <erdgeist@erdgeist.org> 2020-05-22 16:14:08 +0200
committer: Dirk Engling <erdgeist@erdgeist.org> 2020-05-22 16:14:08 +0200
commit: bc219b6877e275c3a74d504c97dbf4891762cd62 (patch)
tree: b435bab8fd49d664d797a827425fb19f3138f66a
parent: be790d91e423b021b5ee6d43eb0fb2c68eb12085 (diff)
1 files changed, 51 insertions, 0 deletions
diff --git a/nginx.conf.sample b/nginx.conf.sample
new file mode 100644
index 0000000..9c636b5
--- /dev/null
+++ b/nginx.conf.sample
@@ -0,0 +1,51 @@
+   server {
+        listen [::]:80;
+        listen [::]:443 ssl http2;
+        listen 80;
+        listen 443 ssl http2;
+        server_name dokumente.foo.com;
+        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+        ssl_certificate /var/dehydrated/certs/dokumente.foo.com/fullchain.pem;
+        ssl_certificate_key /var/dehydrated/certs/dokumente/privkey.pem;
+        ssl_dhparam /usr/local/etc/nginx/dhparams-4096.pem;
+        ssl_session_timeout 5m;
+        ssl_session_cache shared:SSL:50m;
+        # modern configuration. tweak to your needs.
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA25
+6:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-S
+HA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+        ssl_prefer_server_ciphers on;
+        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+        add_header Strict-Transport-Security max-age=15768000;
+        client_max_body_size 300M;
+        location ~ ^/(Public|static|dropzone) {
+                proxy_pass http://127.0.1.9:8000;
+        }
+        location ~ ^/Dokumente/([^/]+)(/.*)? {
+                auth_basic "Dokumente Admin Area";
+                auth_basic_user_file /var/run/Filer/Daten/Mandanten/$1;
+                proxy_pass http://127.0.1.9:8000;
+        }
+        location /admin {
+                auth_basic "Administratorenbereich";
+                auth_basic_user_file //var/run/Filer/Daten/admin.pw;
+                proxy_pass http://127.0.1.9:8000;
+                proxy_set_header Host            $host;
+                proxy_set_header X-Forwarded-Proto https;
+                proxy_set_header X-Scheme $scheme;
+                proxy_set_header X-Forwarded-For $remote_addr;
+        }
+        location /.well-known/acme-challenge/ {
+          alias /usr/local/www/dehydrated/;
+        }
+    }
author	Dirk Engling <erdgeist@erdgeist.org>	2020-05-22 16:14:08 +0200
committer	Dirk Engling <erdgeist@erdgeist.org>	2020-05-22 16:14:08 +0200
commit	bc219b6877e275c3a74d504c97dbf4891762cd62 (patch)
tree	b435bab8fd49d664d797a827425fb19f3138f66a
parent	be790d91e423b021b5ee6d43eb0fb2c68eb12085 (diff)

diff --git a/nginx.conf.sample b/nginx.conf.sample new file mode 100644 index 0000000..9c636b5 --- /dev/null +++ b/nginx.conf.sample
@@ -0,0 +1,51 @@
	1	server {
	2	listen [::]:80;
	3	listen [::]:443 ssl http2;
	4	listen 80;
	5	listen 443 ssl http2;
	6	server_name dokumente.foo.com;
	7
	8	# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	9	ssl_certificate /var/dehydrated/certs/dokumente.foo.com/fullchain.pem;
	10	ssl_certificate_key /var/dehydrated/certs/dokumente/privkey.pem;
	11	ssl_dhparam /usr/local/etc/nginx/dhparams-4096.pem;
	12	ssl_session_timeout 5m;
	13	ssl_session_cache shared:SSL:50m;
	14
	15	# modern configuration. tweak to your needs.
	16	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	17	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA25
	18	6:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-S
	19	HA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	20	ssl_prefer_server_ciphers on;
	21
	22	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	23	add_header Strict-Transport-Security max-age=15768000;
	24
	25	client_max_body_size 300M;
	26
	27	location ~ ^/(Public\|static\|dropzone) {
	28	proxy_pass http://127.0.1.9:8000;
	29	}
	30
	31	location ~ ^/Dokumente/([^/]+)(/.*)? {
	32	auth_basic "Dokumente Admin Area";
	33	auth_basic_user_file /var/run/Filer/Daten/Mandanten/$1;
	34	proxy_pass http://127.0.1.9:8000;
	35	}
	36
	37	location /admin {
	38	auth_basic "Administratorenbereich";
	39	auth_basic_user_file //var/run/Filer/Daten/admin.pw;
	40	proxy_pass http://127.0.1.9:8000;
	41	proxy_set_header Host $host;
	42	proxy_set_header X-Forwarded-Proto https;
	43	proxy_set_header X-Scheme $scheme;
	44	proxy_set_header X-Forwarded-For $remote_addr;
	45	}
	46
	47	location /.well-known/acme-challenge/ {
	48	alias /usr/local/www/dehydrated/;
	49	}
	50	}
	51