mirror of https://git.henryfjordan.com/henry/web
184 lines
6.7 KiB
Nginx Configuration File
184 lines
6.7 KiB
Nginx Configuration File
user nginx nginx;
|
|
worker_processes 1;
|
|
|
|
error_log /var/log/nginx/error_log info;
|
|
|
|
events {
|
|
|
|
worker_connections 1024;
|
|
use epoll;
|
|
}
|
|
|
|
http {
|
|
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
log_format main
|
|
'$remote_addr - $remote_user [$time_local] '
|
|
'"$request" $status $bytes_sent '
|
|
'"$http_referer" "$http_user_agent" '
|
|
'"$gzip_ratio"';
|
|
|
|
client_header_timeout 10m;
|
|
client_body_timeout 10m;
|
|
send_timeout 10m;
|
|
|
|
connection_pool_size 256;
|
|
client_header_buffer_size 1k;
|
|
large_client_header_buffers 4 2k;
|
|
request_pool_size 4k;
|
|
|
|
gzip on;
|
|
gzip_min_length 1100;
|
|
gzip_buffers 4 8k;
|
|
gzip_types text/plain;
|
|
|
|
output_buffers 1 32k;
|
|
postpone_output 1460;
|
|
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
|
|
keepalive_timeout 75 20;
|
|
|
|
ignore_invalid_headers on;
|
|
|
|
server_tokens off;
|
|
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
|
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; object-src 'none'";
|
|
|
|
index index.html;
|
|
|
|
upstream gitea {
|
|
server gitea:3000;
|
|
}
|
|
|
|
upstream portainer {
|
|
server portainer:9000;
|
|
}
|
|
|
|
# Redirect to https
|
|
server {
|
|
|
|
listen 80;
|
|
server_name henryfjordan.com *.henryfjordan.com;
|
|
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
|
|
# Home Page
|
|
server {
|
|
|
|
listen 443;
|
|
server_name henryfjordan.com www.henryfjordan.com;
|
|
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/certs/default.crt;
|
|
ssl_certificate_key /etc/nginx/certs/default.key;
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
|
ssl_dhparam /etc/nginx/certs/dhparam.pem;
|
|
|
|
access_log /var/log/nginx/localhost.ssl_access_log main;
|
|
error_log /var/log/nginx/localhost.ssl_error_log info;
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
|
|
|
|
location / {
|
|
root /etc/nginx/html;
|
|
}
|
|
}
|
|
|
|
# gitea
|
|
server {
|
|
|
|
listen 443;
|
|
server_name git.henryfjordan.com;
|
|
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/certs/default.crt;
|
|
ssl_certificate_key /etc/nginx/certs/default.key;
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
|
ssl_dhparam /etc/nginx/certs/dhparam.pem;
|
|
|
|
access_log /var/log/nginx/localhost.ssl_access_log main;
|
|
error_log /var/log/nginx/localhost.ssl_error_log info;
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
|
|
|
|
location / {
|
|
proxy_pass http://gitea;
|
|
}
|
|
|
|
location /.well-known {
|
|
root /etc/nginx/html;
|
|
}
|
|
}
|
|
|
|
# nextcloud
|
|
server {
|
|
|
|
listen 443;
|
|
server_name cloud.henryfjordan.com;
|
|
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/certs/default.crt;
|
|
ssl_certificate_key /etc/nginx/certs/default.key;
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
|
ssl_dhparam /etc/nginx/certs/dhparam.pem;
|
|
|
|
access_log /var/log/nginx/localhost.ssl_access_log main;
|
|
error_log /var/log/nginx/localhost.ssl_error_log info;
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
|
|
|
|
location / {
|
|
proxy_pass http://172.20.0.4;
|
|
}
|
|
|
|
location /.well-known {
|
|
root /etc/nginx/html;
|
|
}
|
|
}
|
|
|
|
# portainer
|
|
server {
|
|
|
|
listen 443;
|
|
server_name portainer.henryfjordan.com;
|
|
|
|
ssl on;
|
|
ssl_certificate /etc/nginx/certs/default.crt;
|
|
ssl_certificate_key /etc/nginx/certs/default.key;
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
|
ssl_dhparam /etc/nginx/certs/dhparam.pem;
|
|
|
|
access_log /var/log/nginx/localhost.ssl_access_log main;
|
|
error_log /var/log/nginx/localhost.ssl_error_log info;
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
|
|
|
|
location / {
|
|
proxy_pass http://portainer;
|
|
}
|
|
|
|
location /.well-known {
|
|
root /etc/nginx/html;
|
|
}
|
|
}
|
|
}
|
|
|