Ghost Cloudflare Nginx Config
server { | |
listen 443 ssl http2; | |
listen [::]:443 ssl http2; | |
server_name www.verifiedbyme.xyz; | |
# SSL | |
ssl_certificate /etc/nginx/ssl/nginx.crt; | |
ssl_certificate_key /etc/nginx/ssl/nginx.key; | |
# reverse proxy | |
location / { | |
proxy_pass http://127.0.0.1:2368; | |
proxy_http_version 1.1; | |
proxy_cache_bypass $http_upgrade; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection "upgrade"; | |
proxy_set_header Host $host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
proxy_set_header X-Forwarded-Host $host; | |
proxy_set_header X-Forwarded-Port $server_port; | |
} | |
# security headers | |
add_header X-Frame-Options "SAMEORIGIN" always; | |
add_header X-XSS-Protection "1; mode=block" always; | |
add_header X-Content-Type-Options "nosniff" always; | |
add_header Referrer-Policy "no-referrer-when-downgrade" always; | |
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; | |
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | |
# . files | |
location ~ /\.(?!well-known) { | |
deny all; | |
} | |
# favicon.ico | |
location = /favicon.ico { | |
log_not_found off; | |
access_log off; | |
} | |
# robots.txt | |
location = /robots.txt { | |
log_not_found off; | |
access_log off; | |
} | |
# gzip | |
gzip on; | |
gzip_vary on; | |
gzip_proxied any; | |
gzip_comp_level 6; | |
gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml; | |
} | |
# non-www, subdomains redirect | |
server { | |
listen 443 ssl http2; | |
listen [::]:443 ssl http2; | |
server_name .verifiedbyme.xyz; | |
# SSL | |
ssl_certificate /etc/nginx/ssl/verifiedbyme.xyz.crt; | |
ssl_certificate_key /etc/nginx/ssl/verifiedbyme.xyz.key; | |
return 301 https://www.verifiedbyme.xyz$request_uri; | |
} | |
# HTTP redirect | |
server { | |
listen 80; | |
listen [::]:80; | |
server_name .verifiedbyme.xyz; | |
return 301 https://www.verifiedbyme.xyz$request_uri; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment