Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Nginx virtualhost example #2

Open
goldyfruit opened this issue Mar 3, 2022 · 0 comments
Open

Add Nginx virtualhost example #2

goldyfruit opened this issue Mar 3, 2022 · 0 comments
Assignees
@goldyfruit
Labels
documentation Improvements or additions to documentation

Comments

@goldyfruit
Copy link
Collaborator

goldyfruit commented Mar 3, 2022
edited
Loading

Nginx example with TLS support should be added to the documentation.

20-api.domain.io.conf

server {
        listen         80;
	server_name    api.domain.io;

        root /srv/data/web/api.domain.io;
        index index.html index.htm index.php;

	location /.well-known/acme-challenge/ {
		try_files $uri /dev/null =404;
	}

        location / {
		return 301 https://$host$request_uri;
        }

	access_log /srv/data/logs/web/api.domain.io/access-80.log;
	error_log /srv/data/logs/web/api.domain.io/error-80.log;
}

server {
	listen 443 ssl http2;
	server_name api.domain.io;

       	root /srv/data/web/api.domain.io;
	index index.html index.htm index.php;

	include snippets/ssl-api.domain.io.conf;
	include snippets/ssl-params.conf;

	location / {
		proxy_pass		http://10.22.56.1:8100;
		proxy_redirect		off;
		proxy_set_header	Host            $host;
		proxy_set_header	X-Real-IP       $remote_addr;
		proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;
	}

	access_log /srv/data/logs/web/api.domain.io/access-443.log;
	error_log /srv/data/logs/web/api.domain.io/error-443.log;
}

ssl-params.conf

ssl_certificate /etc/letsencrypt/live/api.domain.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.domain.io/privkey.pem;

ssl-api.domain.io.conf

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options sameorigin;
add_header X-Content-Type-Options nosniff;
@goldyfruit goldyfruit added the documentation Improvements or additions to documentation label Mar 3, 2022
@goldyfruit goldyfruit self-assigned this Mar 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@goldyfruit goldyfruit

Labels
documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@goldyfruit