Created
January 31, 2021 08:21
-
-
Save albertyw/00c0ae43e7fba8b1f855075b1df60063 to your computer and use it in GitHub Desktop.
netdata nginx config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### Redirects ### | |
# Change IP address to domain name | |
server { | |
listen 80; | |
server_name netdata.albertyw.com; | |
return 301 https://netdata.albertyw.com$request_uri; | |
} | |
### Servers ### | |
server { | |
listen 443 ssl http2; | |
server_name netdata.albertyw.com; | |
access_log /var/log/nginx/netdata.access.log; | |
error_log /var/log/nginx/netdata.error.log; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | |
ssl_prefer_server_ciphers on; | |
ssl_session_cache shared:SSL:10m; | |
ssl_session_timeout 10m; | |
ssl_certificate /etc/nginx/ssl/server.pem; | |
ssl_certificate_key /etc/nginx/ssl/server.key; | |
ssl_dhparam /etc/nginx/ssl/dhparams.pem; | |
# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security | |
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping | |
add_header Strict-Transport-Security "max-age=1209600; includeSubdomains;"; | |
gzip on; | |
gzip_disable "msie6"; | |
gzip_vary on; | |
gzip_proxied any; | |
gzip_comp_level 6; | |
gzip_buffers 16 8k; | |
gzip_http_version 1.1; | |
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript; | |
auth_basic "Authentication Required"; | |
auth_basic_user_file /home/albertyw/server-config/netdata/nginx-access; | |
location / { | |
include sites-enabled/netdata-headers; | |
proxy_pass http://127.0.0.1:5008; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header Host $http_host; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
proxy_buffering off; | |
expires 7d; | |
add_header Cache-Control "public"; | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### Config ### | |
# read more here https://gist.github.com/plentz/6737338 | |
# config to don't allow the browser to render the page inside an frame or iframe | |
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking | |
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri | |
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options | |
add_header X-Frame-Options SAMEORIGIN; | |
# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, | |
# to disable content-type sniffing on some browsers. | |
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers | |
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx | |
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx | |
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 | |
add_header X-Content-Type-Options nosniff; | |
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. | |
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for | |
# this particular website if it was disabled by the user. | |
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers | |
add_header X-XSS-Protection "1; mode=block"; | |
# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security | |
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping | |
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; | |
add_header Cache-Control "public"; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment