summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDirk Engling <erdgeist@erdgeist.org>2020-05-22 16:14:08 +0200
committerDirk Engling <erdgeist@erdgeist.org>2020-05-22 16:14:08 +0200
commitbc219b6877e275c3a74d504c97dbf4891762cd62 (patch)
treeb435bab8fd49d664d797a827425fb19f3138f66a
parentbe790d91e423b021b5ee6d43eb0fb2c68eb12085 (diff)
Provide sample nginx config blockHEADmaster
-rw-r--r--nginx.conf.sample51
1 files changed, 51 insertions, 0 deletions
diff --git a/nginx.conf.sample b/nginx.conf.sample
new file mode 100644
index 0000000..9c636b5
--- /dev/null
+++ b/nginx.conf.sample
@@ -0,0 +1,51 @@
1 server {
2 listen [::]:80;
3 listen [::]:443 ssl http2;
4 listen 80;
5 listen 443 ssl http2;
6 server_name dokumente.foo.com;
7
8 # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
9 ssl_certificate /var/dehydrated/certs/dokumente.foo.com/fullchain.pem;
10 ssl_certificate_key /var/dehydrated/certs/dokumente/privkey.pem;
11 ssl_dhparam /usr/local/etc/nginx/dhparams-4096.pem;
12 ssl_session_timeout 5m;
13 ssl_session_cache shared:SSL:50m;
14
15 # modern configuration. tweak to your needs.
16 ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
17 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA25
186:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-S
19HA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
20 ssl_prefer_server_ciphers on;
21
22 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
23 add_header Strict-Transport-Security max-age=15768000;
24
25 client_max_body_size 300M;
26
27 location ~ ^/(Public|static|dropzone) {
28 proxy_pass http://127.0.1.9:8000;
29 }
30
31 location ~ ^/Dokumente/([^/]+)(/.*)? {
32 auth_basic "Dokumente Admin Area";
33 auth_basic_user_file /var/run/Filer/Daten/Mandanten/$1;
34 proxy_pass http://127.0.1.9:8000;
35 }
36
37 location /admin {
38 auth_basic "Administratorenbereich";
39 auth_basic_user_file //var/run/Filer/Daten/admin.pw;
40 proxy_pass http://127.0.1.9:8000;
41 proxy_set_header Host $host;
42 proxy_set_header X-Forwarded-Proto https;
43 proxy_set_header X-Scheme $scheme;
44 proxy_set_header X-Forwarded-For $remote_addr;
45 }
46
47 location /.well-known/acme-challenge/ {
48 alias /usr/local/www/dehydrated/;
49 }
50 }
51