Server blocks for my Jekyll-generated website.
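# main server (HTTPS). Serves the Jekyll build from /var/www/itchy. It is the
# default_server on :443, so it also receives requests carrying unknown Host
# names; the Host check inside `location /` is what rejects those.
server {
    listen 443 default_server fastopen=256 ssl http2;
    # NOTE(review): the IPv6 listener carries no default_server flag, so
    # unknown-Host requests arriving over [::]:443 land on whichever server
    # block nginx treats as default there — add default_server here too if no
    # other file already claims it for [::]:443.
    listen [::]:443 fastopen=256 ssl http2 ipv6only=on;
    server_name itchy.nl www.itchy.nl;
    charset utf-8;

    # Modify certain headers for security (headers-more module). Unlike
    # add_header, more_set_headers is not discarded in locations that define
    # their own add_header, so these apply to every response of this server.
    more_set_headers "Server: itchy.nl";
    more_set_headers "X-Server-Admin: Yee Chie Tu";
    more_set_headers "X-PGP-Fingerprint: 49C3 0DF3 6393 CD95 E93F A457 16CF E267 6760 8DB6";
    more_set_headers "X-Powered-By: Vultr - www.vultr.com/?ref=6878145";

    # Include my SSL/TLS settings.
    include /etc/nginx/includes/tls.conf;

    # Security response headers for every location (HSTS etc.). nginx drops
    # inherited add_header directives in any level that defines its own
    # add_header, so the same file is re-included inside each such location
    # below. Assumes security_headers.conf consists of add_header directives —
    # verify.
    include /etc/nginx/includes/security_headers.conf;

    root /var/www/itchy;
    index index.html;

    # root
    location / {
        # Block Bad Bots
        include /etc/nginx/bots.d/blockbots.conf;
        include /etc/nginx/bots.d/ddos.conf;

        # Allow only requests to our host. Drop connection otherwise.
        # Dots are escaped so a name such as "wwwXitchyXnl" no longer matches.
        if ($host !~ ^(www\.itchy\.nl|itchy\.nl)$ ) { return 444; }
        # Drop connection if listed on Spamhaus DROP/EDROP list.
        # $is_spamhaus_drop must be defined elsewhere (presumably a geo/map in
        # the bots.d includes — verify; nginx refuses to start if it is not).
        if ($is_spamhaus_drop) { return 444; }
        # Allow only GET, HEAD and POST requests.
        if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; }
        # Empty user agent not allowed.
        if ($http_user_agent = "") { return 444; }
        # NOTE(review): the four checks above guard only `location /`; requests
        # for /assets/, /content/images/ and the exact-match locations below are
        # served regardless of Host, method or User-Agent.

        # prettier url when used with jekyll: redirect /x/index.html to /x/ and
        # /x/y.html to /x/y. The `if` matches on $request_uri (which carries
        # the query string, hence no trailing anchor); the rewrite runs on $uri
        # and is end-anchored so "/a.htmlfoo" is no longer rewritten to "/a".
        if ($request_uri ~* "/index\.html") {
            rewrite (?i)^(.*)index\.html$ $1 permanent;
        }
        if ($request_uri ~* "\.html") {
            rewrite (?i)^(.*)/(.*)\.html$ $1/$2 permanent;
        }

        # Allow logging.
        access_log /var/log/nginx/access.log main buffer=1m flush=10s;

        # Include my security header parameters (re-included here because the
        # add_header below would otherwise discard the server-level set).
        include /etc/nginx/includes/security_headers.conf;
        add_header Vary "Accept-Encoding";
        brotli on;
        brotli_static on;
        # NOTE(review): the final /index.html fallback answers every unknown
        # path with index.html and status 200, so the 404 error_page below is
        # never reached from this location — use =404 instead if a real 404
        # page is wanted.
        try_files $uri.html $uri $uri/ /index.html;
        expires -1;
    }

    # static resources. `^~` stops regex-location matching for this prefix,
    # so the backup/config-file deny regex below does not apply under /assets/.
    location ^~ /assets/ {
        log_not_found off;
        include /etc/nginx/includes/security_headers.conf;
        add_header Cache-Control "public";
        expires max;
        # Enable serving static compressed resources.
        brotli on;
        brotli_static on;
        gzip_static on;
        gzip_vary on;
        location ~* ^/assets/fonts/.+\.(ttf|eot|woff|woff2)$ {
            include /etc/nginx/includes/security_headers.conf;
            add_header Cache-Control "public";
            add_header Vary "Accept-Encoding";
            # Public static fonts: wildcard CORS is acceptable here.
            add_header Access-Control-Allow-Origin *;
        }
        # serve Webp images over jpg/png for supported clients.
        # $webp_suffix must be defined elsewhere (presumably a map on the
        # Accept header — verify). Because the body varies on Accept, caches
        # must see "Vary: Accept", otherwise a shared cache could hand the
        # WebP bytes to a client that did not ask for them.
        location ~* ^/assets/icons/.+\.(png|jpg)$ {
            include /etc/nginx/includes/security_headers.conf;
            add_header Cache-Control "public, no-transform";
            add_header Vary "Accept";
            try_files $uri$webp_suffix $uri =404;
        }
    }

    # serve Webp images over jpg/png for supported clients (see note above on
    # $webp_suffix and Vary: Accept).
    location ~* ^/content/images/.+\.(png|jpg)$ {
        log_not_found off;
        include /etc/nginx/includes/security_headers.conf;
        add_header Cache-Control "public, no-transform";
        add_header Vary "Accept, Accept-Encoding";
        try_files $uri$webp_suffix $uri =404;
        expires max;
    }

    # Serve files not located in the Jekyll build directory.
    location = /67608DB6.pub.asc { alias /var/www/public/67608DB6.pub.asc; }
    location = /humans.txt { alias /var/www/public/humans.txt; }
    location = /robots.txt { alias /var/www/public/robots.txt; }

    # Let's Encrypt / Certbot, renewal location.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        alias /var/www/acme-challenge/;
    }
    # Hide /acme-challenge subdirectory and return 404 on all requests.
    # It is somewhat more secure than letting Nginx return 403.
    # Ending slash is important!
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    # 410 gone error for unsupported file extensions.
    # Disallowing these file extensions.
    location ~ \.(aspx|php|jsp|cgi)$ { return 410; }
    # Prevent clients from accessing backup/config/source files (403).
    location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
        deny all;
    }

    # 404 error page (served via `location /` as /404.html through try_files).
    error_page 404 /404;
    # default nginx error pages.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html { root /etc/nginx/html; }
}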
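# 301 permanent redirects.
# required for HSTS preload.
# When HTTP, 301 permanent redirect to HTTPS.
server {
    listen 80 fastopen=256;
    listen [::]:80 ipv6only=on;
    server_name itchy.nl www.itchy.nl;
    charset utf-8;
    # Same header overrides as the HTTPS server (headers-more module).
    more_set_headers "Server: itchy.nl";
    more_set_headers "X-Server-Admin: Yee Chie Tu";
    more_set_headers "X-PGP-Fingerprint: 49C3 0DF3 6393 CD95 E93F A457 16CF E267 6760 8DB6";
    more_set_headers "X-Powered-By: Vultr - www.vultr.com/?ref=6878145";
    # Block Bad Bots
    include /etc/nginx/bots.d/blockbots.conf;
    include /etc/nginx/bots.d/ddos.conf;
    # Only redirect for our own host names (mirrors the check in the HTTPS
    # server). If this block ends up as the default for :80, the redirect
    # below would otherwise echo an arbitrary client-supplied Host header as
    # the redirect target; unknown hosts get the connection dropped instead.
    if ($host !~ ^(www\.itchy\.nl|itchy\.nl)$ ) { return 444; }
    return 301 https://$host$request_uri;
}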