heuzef
/
lesspass
огледало от https://github.com/lesspass/lesspass.git
1
0
Разклонения 0
Код Задачи 0 Версии 67 Уики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1812 Ревизии
17 Клонове
516 MiB
 
 
 
 
 
 
ИН на ревизия: 19ea3bc995
Клонове Маркери
${ item.name }
Create branch ${ searchTerm }
от '19ea3bc995'
${ noResults }
lesspass/nginx/backend.conf.j2

64 lines
2.3 KiB
Директен файл Blame История 

  1. server {

  2.     listen 80 default_server;

  3.     listen [::]:80 default_server;

  4.     server_name {{ domain }} www.{{ domain }};

  5.     return 301 https://$server_name$request_uri;

  6. }

  7. 

  8. server {

  9.     listen 443 ssl http2;

  10.     listen [::]:443 ssl http2;

  11. 

  12.     ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;

  13.     ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;

  14.     ssl_session_timeout 30m;

  15.     ssl_session_cache shared:SSL:20m;

  16.     ssl_session_tickets off;

  17. 

  18.     # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits

  19.     ssl_dhparam /etc/letsencrypt/live/{{ domain }}/dhparam.pem;

  20. 

  21.     # modern configuration. tweak to your needs.

  22.     ssl_protocols TLSv1.2;

  23.     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

  24.     ssl_prefer_server_ciphers on;

  25. 

  26.     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)

  27.     add_header Strict-Transport-Security max-age=15768000;

  28. 

  29.     # OCSP Stapling ---

  30.     # fetch OCSP records from URL in ssl_certificate and cache them

  31.     ssl_stapling on;

  32.     ssl_stapling_verify on;

  33. 

  34.     ## verify chain of trust of OCSP response using Root CA and Intermediate certs

  35.     ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;

  36. 

  37.     resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;

  38. 

  39.     location ~ /(static|media)/ {

  40.        autoindex on;

  41.        root /backend/www;

  42.     }

  43. 

  44.     location ~ /(api|admin) {

  45.         proxy_pass http://backend:8000;

  46.         proxy_set_header X-Real-IP $remote_addr;

  47.         proxy_set_header Host $host;

  48.         proxy_set_header X-Forwarded-Proto $scheme;

  49.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  50.         proxy_set_header  X-Url-Scheme $scheme;

  51.         proxy_redirect off;

  52.     }

  53. 

  54.     location / {

  55.         proxy_pass http://frontend:8080;

  56.         proxy_set_header X-Real-IP $remote_addr;

  57.         proxy_set_header Host $host;

  58.         proxy_set_header X-Forwarded-Proto $scheme;

  59.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  60.         proxy_set_header  X-Url-Scheme $scheme;

  61.         proxy_redirect off;

  62.     }

  63. }