Non puoi selezionare più di 25 argomenti Gli argomenti devono iniziare con una lettera o un numero, possono includere trattini ('-') e possono essere lunghi fino a 35 caratteri.
 
 
 
 
 
 

64 righe
2.3 KiB

  1. server {
  2. listen 80 default_server;
  3. listen [::]:80 default_server;
  4. server_name {{ domain }} www.{{ domain }};
  5. return 301 https://$server_name$request_uri;
  6. }
  7. server {
  8. listen 443 ssl http2;
  9. listen [::]:443 ssl http2;
  10. ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
  11. ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
  12. ssl_session_timeout 30m;
  13. ssl_session_cache shared:SSL:20m;
  14. ssl_session_tickets off;
  15. # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  16. ssl_dhparam /etc/letsencrypt/live/{{ domain }}/dhparam.pem;
  17. # modern configuration. tweak to your needs.
  18. ssl_protocols TLSv1.2;
  19. ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  20. ssl_prefer_server_ciphers on;
  21. # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  22. add_header Strict-Transport-Security max-age=15768000;
  23. # OCSP Stapling ---
  24. # fetch OCSP records from URL in ssl_certificate and cache them
  25. ssl_stapling on;
  26. ssl_stapling_verify on;
  27. ## verify chain of trust of OCSP response using Root CA and Intermediate certs
  28. ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
  29. resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
  30. location ~ /(static|media)/ {
  31. autoindex on;
  32. root /backend/www;
  33. }
  34. location ~ /(api|admin) {
  35. proxy_pass http://backend:8000;
  36. proxy_set_header X-Real-IP $remote_addr;
  37. proxy_set_header Host $host;
  38. proxy_set_header X-Forwarded-Proto $scheme;
  39. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  40. proxy_set_header X-Url-Scheme $scheme;
  41. proxy_redirect off;
  42. }
  43. location / {
  44. proxy_pass http://frontend:8080;
  45. proxy_set_header X-Real-IP $remote_addr;
  46. proxy_set_header Host $host;
  47. proxy_set_header X-Forwarded-Proto $scheme;
  48. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  49. proxy_set_header X-Url-Scheme $scheme;
  50. proxy_redirect off;
  51. }
  52. }