This config should work

This commit is contained in:
Your New SJW Waifu 2020-04-25 14:02:21 -05:00
parent 94a4f08467
commit 08a9782874
1 changed files with 85 additions and 0 deletions

View File

@ -0,0 +1,85 @@
# For websockets
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Configure upstream
upstream movienight {
server localhost:8089;
}
# Secure redirect
server {
server_name example.com;
listen ipv4:80;
listen [ipv6]:80;
return 301 https://$host$request_uri;
# Uncomment this if you need to use the 'webroot' method with certbot. Make sure
# that you also create the .well-known/acme-challenge directory structure in pleroma/priv/static and
# that is is accessible by the webserver. You may need to load this file with the ssl
# server block commented out, run certbot to get the certificate, and then uncomment it.
#
# location ~ /\.well-known/acme-challenge {
# root <path to install>/pleroma/priv/static/;
# }
}
# movienight
server {
server_name example.com;
# Enable QUIC and HTTP/3.
#listen ipv4:port quic reuseport;
#listen [ipv6]:port quic reuseport;
listen ipv4:443;
listen [ipv6]:443 ssl http2;
# TLS
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
#ssl_dhparam /etc/nginx/dhparam.pem; # generate with openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_tickets off;
ssl_session_timeout 10m;
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM";
# HTST
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
# Cert
ssl_trusted_certificate /etc/nginx/certs/example.com/cert_ecc.pem;
ssl_certificate /etc/nginx/certs/example.com/cert_ecc.pem;
ssl_certificate_key /etc/nginx/certs/exaample.com/key_ecc.pem;
# Allow unlimited upload
client_max_body_size 0;
# Headers
# Add Alt-Svc header to negotiate HTTP/3.
#add_header alt-svc 'h3-27=":port"; ma=86400';
location / {
proxy_pass http://movienight;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
add_header referrer-policy same-origin;
add_header x-content-type-options nosniff;
add_header x-download-options noopen;
add_header x-frame-options self;
add_header x-permitted-cross-domain-policies none;
add_header x-xss-protection "1; mode=block;";
}
}