heuzef
/
lesspass
kopie van https://github.com/lesspass/lesspass.git
1
0
Vork 0
Code Kwesties 0 Publicaties 67 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
25 Commits
17 Branches
640 MiB
 
 
 
 
 
 
Tree: ed80a2f892
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van 'ed80a2f892'
${ noResults }
lesspass/backend.conf.j2

72 regels
2.3 KiB
Ruw Blame Geschiedenis 

  1. server {

  2.     listen 80 default_server;

  3.     listen [::]:80 default_server;

  4. {% if domain %}

  5.     server_name {{ domain }} www.{{ domain }};

  6. {% else %}

  7.     server_name localhost;

  8. {% endif %}

  9.     return 301 https://$server_name$request_uri;

  10. }

  11. 

  12. server {

  13.     listen 443 ssl http2;

  14.     listen [::]:443 ssl http2;

  15. 

  16.     ssl_certificate /etc/ssl/certs/certificate.crt;

  17.     ssl_certificate_key /etc/ssl/private/private.key;

  18.     ssl_session_timeout 30m;

  19.     ssl_session_cache shared:SSL:20m;

  20.     ssl_session_tickets off;

  21. 

  22. {% if dhparam %}

  23.     # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits

  24.     ssl_dhparam /etc/ssl/certs/dhparam.pem;

  25. {% endif %}

  26. 

  27.     # modern configuration. tweak to your needs.

  28.     ssl_protocols TLSv1.2;

  29.     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

  30.     ssl_prefer_server_ciphers on;

  31. 

  32.     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)

  33.     add_header Strict-Transport-Security max-age=15768000;

  34. 

  35. {% if ssl_trusted_certificate %}

  36.     # OCSP Stapling ---

  37.     # fetch OCSP records from URL in ssl_certificate and cache them

  38.     ssl_stapling on;

  39.     ssl_stapling_verify on;

  40. 

  41.     ## verify chain of trust of OCSP response using Root CA and Intermediate certs

  42.     ssl_trusted_certificate /etc/ssl/certs/ca.crt;

  43. 

  44.     resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;

  45. {% endif %}

  46. 

  47.     location ~ /(static|media)/ {

  48.        autoindex on;

  49.        root /backend/www;

  50.     }

  51. 

  52.     location ~ /(api|admin) {

  53.         proxy_pass http://backend:8000;

  54.         proxy_set_header X-Real-IP $remote_addr;

  55.         proxy_set_header Host $host;

  56.         proxy_set_header X-Forwarded-Proto $scheme;

  57.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  58.         proxy_set_header  X-Url-Scheme $scheme;

  59.         proxy_redirect off;

  60.     }

  61. 

  62.     location / {

  63.         proxy_pass http://frontend:8080;

  64.         proxy_set_header X-Real-IP $remote_addr;

  65.         proxy_set_header Host $host;

  66.         proxy_set_header X-Forwarded-Proto $scheme;

  67.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  68.         proxy_set_header  X-Url-Scheme $scheme;

  69.         proxy_redirect off;

  70.     }

  71. }