From b8519b22b2d573aec1a96cf4d38002376df617ec Mon Sep 17 00:00:00 2001 From: James Bunton Date: Sun, 9 Feb 2020 15:50:30 +1100 Subject: [PATCH] nginx --- etc/nginx/nginx.conf | 21 +++++++++++++++++++ etc/nginx/sites-available/default | 6 ++++++ etc/nginx/sites-available/example.com | 15 +++++++++++++ etc/nginx/sites-enabled/0000_default | 1 + etc/nginx/snippets/listen-http.conf | 2 ++ etc/nginx/snippets/listen-tls.conf | 14 +++++++++++++ etc/nginx/snippets/standard-server.conf | 28 +++++++++++++++++++++++++ 7 files changed, 87 insertions(+) create mode 100644 etc/nginx/nginx.conf create mode 100644 etc/nginx/sites-available/default create mode 100644 etc/nginx/sites-available/example.com create mode 120000 etc/nginx/sites-enabled/0000_default create mode 100644 etc/nginx/snippets/listen-http.conf create mode 100644 etc/nginx/snippets/listen-tls.conf create mode 100644 etc/nginx/snippets/standard-server.conf
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
new file mode 100644
index 0000000..cd5cf36
--- /dev/null
+++ b/etc/nginx/nginx.conf
@@ -0,0 +1,21 @@
+user http;
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+
+ access_log syslog:server=unix:/dev/log,tag=nginx,nohostname,severity=info combined;
+ error_log syslog:server=unix:/dev/log,tag=nginx,nohostname,severity=error;
+
+ include sites-enabled/*;
+}
diff --git a/etc/nginx/sites-available/default b/etc/nginx/sites-available/default
new file mode 100644
index 0000000..e79ef07
--- /dev/null
+++ b/etc/nginx/sites-available/default
@@ -0,0 +1,6 @@
+server {
+ include snippets/listen-http.conf;
+ include snippets/listen-tls.conf;
+
+ return 404;
+}
diff --git a/etc/nginx/sites-available/example.com b/etc/nginx/sites-available/example.com
new file mode 100644
index 0000000..f40514b
--- /dev/null
+++ b/etc/nginx/sites-available/example.com
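Review bot: The `http` block in nginx.conf never sets `server_tokens off;`, so the `Server` header on every response and the body of every nginx-generated error page (including the catch-all `return 404`) will carry the exact nginx version, which makes fingerprinting for known CVEs trivial. Add `server_tokens off;` next to `sendfile on;`. Less important, `worker_processes 1;` is hard-coded where `worker_processes auto;` is the usual choice and is safe alongside the `worker_connections 1024` setting above.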
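Review bot: The catch-all `server` in sites-available/default is only the default vhost by load order — `include sites-enabled/*;` is glob-sorted and the `0000_` symlink prefix sorts first — not by an explicit `default_server` flag, and for any unmatched hostname or bare-IP request it still completes a TLS handshake with example.com's certificate and then answers a 404. Because the `listen` lines come from the shared snippets, putting `default_server` there would mark every vhost; give this file its own `listen 80 default_server;` / `listen 443 ssl default_server;` lines (with the `ssl_certificate`/`ssl_certificate_key` pair) instead of the two includes, and replace `return 404;` with `return 444;` so unmatched requests have their connection closed rather than receiving an nginx-branded error page. On nginx 1.19.4 or later, `ssl_reject_handshake on;` in this server avoids presenting the example.com certificate to scanners at all; that directive post-dates this Feb 2020 patch, so check the installed version.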
@@ -0,0 +1,15 @@
+server {
+ include snippets/listen-tls.conf;
+ server_name example.com;
+
+ root /srv/http/example.com;
+
+ include snippets/standard-server.conf;
+}
+
+server {
+ include snippets/listen-http.conf;
+ server_name example.com;
+
+ return 301 https://example.com$request_uri;
+}
diff --git a/etc/nginx/sites-enabled/0000_default b/etc/nginx/sites-enabled/0000_default
new file mode 120000
index 0000000..6d9ba33
--- /dev/null
+++ b/etc/nginx/sites-enabled/0000_default
@@ -0,0 +1 @@
+../sites-available/default
\ No newline at end of file
diff --git a/etc/nginx/snippets/listen-http.conf b/etc/nginx/snippets/listen-http.conf
new file mode 100644
index 0000000..76cb18d
--- /dev/null
+++ b/etc/nginx/snippets/listen-http.conf
@@ -0,0 +1,2 @@
+listen 80;
+listen [::]:80;
diff --git a/etc/nginx/snippets/listen-tls.conf b/etc/nginx/snippets/listen-tls.conf
new file mode 100644
index 0000000..26eb327
--- /dev/null
+++ b/etc/nginx/snippets/listen-tls.conf
@@ -0,0 +1,14 @@
+listen 443 ssl;
+listen [::]:443 ssl;
+
+ssl_certificate /home/letsencrypt/output/latest.pem;
+ssl_certificate_key /home/letsencrypt/domain-key.pem;
+
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+add_header "Strict-Transport-Security" "max-age=7776000; includeSubdomains" always;
+add_header X-Frame-Options "DENY" always;
+add_header Content-Security-Policy "upgrade-insecure-requests" always;
diff --git a/etc/nginx/snippets/standard-server.conf b/etc/nginx/snippets/standard-server.conf
new file mode 100644
index 0000000..46fa4c2
--- /dev/null
+++ b/etc/nginx/snippets/standard-server.conf
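Review bot: The `/.well-known/acme-challenge` location only exists in the TLS vhost (via `snippets/standard-server.conf`), while the port-80 server unconditionally does `return 301 https://example.com$request_uri;`, so an HTTP-01 challenge is answered only after a hop to HTTPS, and nginx will refuse to start at all while `/home/letsencrypt/output/latest.pem` does not yet exist — first issuance on a fresh host therefore needs a bootstrap certificate or a temporary config. Let's Encrypt follows the redirect, so renewals work once a certificate is in place; to remove the dependency, add `location /.well-known/acme-challenge { alias /home/letsencrypt/web-acme-challenge; }` to the port-80 server ahead of the redirect. Hard-coding `https://example.com` in the redirect instead of `$host` is the right call, since it rules out a Host-header-driven open redirect.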
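Review bot: The `ssl_ciphers` list ends with four CBC suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`) that the intermediate profile on the cited Mozilla page no longer recommends, and `ssl_protocols TLSv1.2;` leaves TLS 1.3 disabled even on nginx builds against OpenSSL 1.1.1 that support it. Use `ssl_protocols TLSv1.2 TLSv1.3;` and trim the list to the six AEAD suites, `ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';` (that profile also sets `ssl_prefer_server_ciphers off;`). Two caveats on the `add_header` lines: nginx inherits them into a `location` only if that location declares no `add_header` of its own, so a future `add_header` inside any location in standard-server.conf silently drops HSTS, X-Frame-Options and CSP for that path; and because this snippet is also included by the catch-all default server, HSTS with `includeSubdomains` is asserted for whatever name reaches it. Consider adding `add_header X-Content-Type-Options "nosniff" always;` alongside the existing three.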
@@ -0,0 +1,28 @@
+location ~ /\.git/ {
+ return 403;
+}
+
+
+location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+}
+
+location ~ /apple-touch-icon[^/]*.png {
+ log_not_found off;
+ access_log off;
+}
+
+location = /robots.txt {
+ log_not_found off;
+ access_log off;
+}
+
+location /.well-known/acme-challenge {
+ alias /home/letsencrypt/web-acme-challenge;
+ auth_basic off;
+}
+
+location /healthcheck {
+ return 200;
+}
-- 2.39.2
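Review bot: `location ~ /\.git/ { return 403; }` only hides `.git` directories; every other dotfile under `root` (`/.env`, `/.htpasswd`, `/.svn/`, `/.gitignore`, `/.DS_Store`) is still served. The obvious `location ~ /\.` cannot be dropped in as-is, because regex locations take precedence over the plain prefix `location /.well-known/acme-challenge` and would break ACME; either exclude it with a lookahead, `location ~ /\.(?!well-known/) { return 403; }`, or change the ACME block to `location ^~ /.well-known/acme-challenge { ... }` so it wins before any regex is tried. Minor: the `.` in `location ~ /apple-touch-icon[^/]*.png` is unescaped, so write `[^/]*\.png`. `location /healthcheck { return 200; }` is unauthenticated on every vhost that includes this snippet, which is fine for a liveness probe but worth stating in a comment.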