daniyel/nginx.conf.tmpl

## nginx.conf.tmpl
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log debug;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $proxy_host => $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';

    error_log  /var/log/nginx/http-error.log info;
    access_log /var/log/nginx/access.log upstreamlog;

    server {
        listen       80;
        server_name  PROXY_DOMAIN;

        # Pass this particular URL off to certbot, to authenticate HTTPS certificates
        location '/.well-known/acme-challenge' {
            default_type "text/plain";
            proxy_pass http://localhost:1337;
        }

        location / {
            return 301 https://$server_name$request_uri;
        }
    }
    server {
        listen                    443 ssl;
        server_name               PROXY_DOMAIN;

        ssl_certificate           /etc/letsencrypt/live/PROXY_DOMAIN/fullchain.pem;
        ssl_certificate_key       /etc/letsencrypt/live/PROXY_DOMAIN/privkey.pem;
        ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers               'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers on;

        location / {
            proxy_ssl_name        $proxy_host;
            proxy_ssl_server_name on;
            proxy_set_header      Host ORIGINAL_DOMAIN;
            proxy_pass            https://ORIGINAL_DOMAIN;
            proxy_connect_timeout 600;
            proxy_send_timeout    600;
            proxy_read_timeout    600;
            send_timeout          600;
        }
    }

    include /etc/nginx/conf.d/*.conf;
}
	user nginx;
	worker_processes 1;

	error_log /var/log/nginx/error.log debug;
	pid /var/run/nginx.pid;

	events {
	worker_connections 1024;
	}

	http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $proxy_host => $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';

	error_log /var/log/nginx/http-error.log info;
	access_log /var/log/nginx/access.log upstreamlog;

	server {
	listen 80;
	server_name PROXY_DOMAIN;

	# Pass this particular URL off to certbot, to authenticate HTTPS certificates
	location '/.well-known/acme-challenge' {
	default_type "text/plain";
	proxy_pass http://localhost:1337;
	}

	location / {
	return 301 https://$server_name$request_uri;
	}
	}
	server {
	listen 443 ssl;
	server_name PROXY_DOMAIN;

	ssl_certificate /etc/letsencrypt/live/PROXY_DOMAIN/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/PROXY_DOMAIN/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
	ssl_prefer_server_ciphers on;

	location / {
	proxy_ssl_name $proxy_host;
	proxy_ssl_server_name on;
	proxy_set_header Host ORIGINAL_DOMAIN;
	proxy_pass https://ORIGINAL_DOMAIN;
	proxy_connect_timeout 600;
	proxy_send_timeout 600;
	proxy_read_timeout 600;
	send_timeout 600;
	}
	}

	include /etc/nginx/conf.d/*.conf;
	}