Last active
September 2, 2022 03:37
-
-
Save anx-ag/64ed6712f3a545bcf0aa9fd03cc41e2c to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# mattermost | |
# config can be tested on https://www.ssllabs.com/ssltest/ and a good nginx config generator | |
# can be found at https://ssl-config.mozilla.org/ | |
# proxy cache | |
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=__APPNAME___cache:10m max_size=3g inactive=120m use_temp_path=off; | |
# upstream used in proxy_pass below | |
upstream __APPNAME___backend { | |
# ip where Mattermost is running; this relies on a working DNS inside the Docker network | |
# and uses the hostname of the mattermost container (see service name in docker-compose.yml) | |
server __APPNAME__:8065; | |
keepalive 64; | |
} | |
server { | |
server_name __DOMAIN__; | |
listen 443 ssl http2; | |
listen [::]:443 ssl; | |
# logging | |
access_log /var/log/nginx/__APPNAME__.access.log; | |
error_log /var/log/nginx/__APPNAME__.error.log warn; | |
# gzip for performance | |
gzip on; | |
gzip_vary on; | |
gzip_proxied any; | |
gzip_comp_level 6; | |
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; | |
## ssl | |
ssl_dhparam /dhparams4096.pem; | |
ssl_session_timeout 1d; | |
ssl_session_cache shared:MozSSL:10m; | |
ssl_session_tickets off; | |
# intermediate configuration | |
ssl_protocols TLSv1.2 TLSv1.3; | |
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; | |
ssl_prefer_server_ciphers off; | |
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate | |
ssl_certificate /certs/live/__DOMAIN__/fullchain.pem; | |
ssl_certificate_key /certs/live/__DOMAIN__/privkey.pem; | |
# enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to prevent replay attacks. | |
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data | |
ssl_early_data on; | |
# OCSP stapling | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
#resolver 1.1.1.1; | |
# verify chain of trust of OCSP response using Root CA and Intermediate certs | |
#ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; | |
## security headers | |
# https://securityheaders.com/ | |
# https://scotthelme.co.uk/tag/security-headers/ | |
add_header X-Frame-Options "SAMEORIGIN" always; | |
add_header X-XSS-Protection "1; mode=block" always; | |
add_header X-Content-Type-Options "nosniff" always; | |
add_header Referrer-Policy no-referrer; | |
add_header Strict-Transport-Security "max-age=63072000" always; | |
add_header Permissions-Policy "interest-cohort=()"; | |
## locations | |
# ACME-challenge | |
location ^~ /.well-known { | |
default_type "text/plain"; | |
root /usr/share/nginx/html; | |
allow all; | |
} | |
# disable Google bots from indexing this site | |
location = /robots.txt { | |
add_header Content-Type text/plain; | |
return 200 "User-agent: *\nDisallow: /\n"; | |
} | |
location ~ /api/v[0-9]+/(users/)?websocket$ { | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection "upgrade"; | |
client_max_body_size 50M; | |
proxy_set_header Host $http_host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
proxy_set_header X-Frame-Options SAMEORIGIN; | |
proxy_set_header Early-Data $ssl_early_data; | |
proxy_buffers 256 16k; | |
proxy_buffer_size 16k; | |
client_body_timeout 60; | |
send_timeout 300; | |
lingering_timeout 5; | |
proxy_connect_timeout 90; | |
proxy_send_timeout 300; | |
proxy_read_timeout 90s; | |
proxy_http_version 1.1; | |
proxy_pass http://__APPNAME___backend; | |
} | |
location / { | |
client_max_body_size 50M; | |
proxy_set_header Connection ""; | |
proxy_set_header Host $http_host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
proxy_set_header X-Frame-Options SAMEORIGIN; | |
proxy_set_header Early-Data $ssl_early_data; | |
proxy_buffers 256 16k; | |
proxy_buffer_size 16k; | |
proxy_read_timeout 600s; | |
proxy_cache __APPNAME___cache; | |
proxy_cache_revalidate on; | |
proxy_cache_min_uses 2; | |
proxy_cache_use_stale timeout; | |
proxy_cache_lock on; | |
proxy_http_version 1.1; | |
proxy_pass http://__APPNAME___backend; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment