This config should work
This commit is contained in:
parent
94a4f08467
commit
08a9782874
|
@ -0,0 +1,85 @@
|
|||
# For websockets
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
# Configure upstream
|
||||
upstream movienight {
|
||||
server localhost:8089;
|
||||
}
|
||||
|
||||
# Secure redirect
|
||||
server {
|
||||
server_name example.com;
|
||||
listen ipv4:80;
|
||||
listen [ipv6]:80;
|
||||
return 301 https://$host$request_uri;
|
||||
|
||||
# Uncomment this if you need to use the 'webroot' method with certbot. Make sure
|
||||
# that you also create the .well-known/acme-challenge directory structure in pleroma/priv/static and
|
||||
# that is is accessible by the webserver. You may need to load this file with the ssl
|
||||
# server block commented out, run certbot to get the certificate, and then uncomment it.
|
||||
#
|
||||
# location ~ /\.well-known/acme-challenge {
|
||||
# root <path to install>/pleroma/priv/static/;
|
||||
# }
|
||||
}
|
||||
|
||||
# movienight
|
||||
server {
|
||||
server_name example.com;
|
||||
|
||||
# Enable QUIC and HTTP/3.
|
||||
#listen ipv4:port quic reuseport;
|
||||
#listen [ipv6]:port quic reuseport;
|
||||
|
||||
listen ipv4:443;
|
||||
listen [ipv6]:443 ssl http2;
|
||||
|
||||
# TLS
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
#ssl_dhparam /etc/nginx/dhparam.pem; # generate with openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_session_tickets off;
|
||||
ssl_session_timeout 10m;
|
||||
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
|
||||
ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM";
|
||||
|
||||
|
||||
# HTST
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
|
||||
|
||||
# Cert
|
||||
ssl_trusted_certificate /etc/nginx/certs/example.com/cert_ecc.pem;
|
||||
ssl_certificate /etc/nginx/certs/example.com/cert_ecc.pem;
|
||||
ssl_certificate_key /etc/nginx/certs/exaample.com/key_ecc.pem;
|
||||
|
||||
# Allow unlimited upload
|
||||
client_max_body_size 0;
|
||||
|
||||
# Headers
|
||||
# Add Alt-Svc header to negotiate HTTP/3.
|
||||
#add_header alt-svc 'h3-27=":port"; ma=86400';
|
||||
|
||||
location / {
|
||||
proxy_pass http://movienight;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Port $server_port;
|
||||
add_header referrer-policy same-origin;
|
||||
add_header x-content-type-options nosniff;
|
||||
add_header x-download-options noopen;
|
||||
add_header x-frame-options self;
|
||||
add_header x-permitted-cross-domain-policies none;
|
||||
add_header x-xss-protection "1; mode=block;";
|
||||
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue