Ethan826/nginx.conf

## nginx.conf
worker_processes  1;

#error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

#pid        /var/run/nginx.pid;


events {
		worker_connections  1024;
		use epoll;
}


http {
		include       mime.types;
		default_type  application/octet-stream;

#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
#                  '$status $body_bytes_sent "$http_referer" '
#                  '"$http_user_agent" "$http_x_forwarded_for"';

#access_log  /var/log/nginx/access.log  main;

		sendfile        on;
#tcp_nopush     on;

#keepalive_timeout  0;
		keepalive_timeout  65;

#gzip  on;

		include conf.d/*.conf;
						server {
						listen 80 default_server;
						listen [::]:80 default_server;

# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
		    return 301 https://$host$request_uri;
}

server {
		listen 443 ssl;
		listen [::]:443 ssl;

		location / {
		    	proxy_pass http://localhost:8080;
		}

		location /prisoner/ {
		    	proxy_pass http://localhost:8082/;
		}

		location /public {
			alias /var/www/public;
		}

		location /diet-tracker {
			proxy_pass http://localhost:8081;
                }

		#location /diet-tracker/ {
                        #return 200 "Down for maintenance.";
			#add_header Content-Type text/plain;
			## proxy_pass http://localhost:8081/;
		#}

		# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
		ssl_certificate /var/www/secrets/flashbangsplat/domain-crt.txt;
		ssl_certificate_key /var/www/secrets/flashbangsplat/domain-key.txt;
		ssl_session_timeout 1d;
		ssl_session_cache shared:SSL:50m;
		# ssl_session_tickets off;

		# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
		# ssl_dhparam /path/to/dhparam.pem;

		# modern configuration. tweak to your needs.
		ssl_protocols TLSv1.2;
		ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
		ssl_prefer_server_ciphers on;

		# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
		add_header Strict-Transport-Security max-age=15768000;

		# OCSP Stapling ---
		# fetch OCSP records from URL in ssl_certificate and cache them
		ssl_stapling on;
		ssl_stapling_verify on;

		## verify chain of trust of OCSP response using Root CA and Intermediate certs
		ssl_trusted_certificate /var/www/secrets/flashbangsplat/domain-crt.txt;

		}

		include vhosts.d/*.conf;

}
	worker_processes 1;

	#error_log /var/log/nginx/error.log;
	#error_log /var/log/nginx/error.log notice;
	#error_log /var/log/nginx/error.log info;

	#pid /var/run/nginx.pid;


	events {
	worker_connections 1024;
	use epoll;
	}


	http {
	include mime.types;
	default_type application/octet-stream;

	#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	# '$status $body_bytes_sent "$http_referer" '
	# '"$http_user_agent" "$http_x_forwarded_for"';

	#access_log /var/log/nginx/access.log main;

	sendfile on;
	#tcp_nopush on;

	#keepalive_timeout 0;
	keepalive_timeout 65;

	#gzip on;

	include conf.d/*.conf;
	server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
	return 301 https://$host$request_uri;
	}

	server {
	listen 443 ssl;
	listen [::]:443 ssl;

	location / {
	proxy_pass http://localhost:8080;
	}

	location /prisoner/ {
	proxy_pass http://localhost:8082/;
	}

	location /public {
	alias /var/www/public;
	}

	location /diet-tracker {
	proxy_pass http://localhost:8081;
	}

	#location /diet-tracker/ {
	#return 200 "Down for maintenance.";
	#add_header Content-Type text/plain;
	## proxy_pass http://localhost:8081/;
	#}

	# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	ssl_certificate /var/www/secrets/flashbangsplat/domain-crt.txt;
	ssl_certificate_key /var/www/secrets/flashbangsplat/domain-key.txt;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	# ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	# ssl_dhparam /path/to/dhparam.pem;

	# modern configuration. tweak to your needs.
	ssl_protocols TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
	ssl_prefer_server_ciphers on;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# OCSP Stapling ---
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;

	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	ssl_trusted_certificate /var/www/secrets/flashbangsplat/domain-crt.txt;

	}

	include vhosts.d/*.conf;

	}