Skip to content

Instantly share code, notes, and snippets.

@drefined

drefined/appserver.nginx.conf

Created September 9, 2016 05:38
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save drefined/56c0de7343567a078dfa5dc1fa0c70f8 to your computer and use it in GitHub Desktop.
Save drefined/56c0de7343567a078dfa5dc1fa0c70f8 to your computer and use it in GitHub Desktop.
Download ZIP
Basic Nginx Gateway / App setup. DO NOT SIMPLY COPY PASTE WITHOUT UNDERSTANDING THE CONTENTS.
Raw
appserver.nginx.conf
server {
# Listen on internal ports only. Do not expose this server directly.
listen 127.0.0.1:80;
listen 10.0.0.1:80; # Secure internal IP
# Hosts
server_name www.wieni.be;
# Root
root /wherever/this/site/lives;
try_files $uri $uri/ =404;
index index.html index.htm;
error_page 404 /404.html;
# Block hidden files
location ~ (^|/)\. {
return 403;
}
location ~ '\.php' {
try_files $uri =404;
include fastcgi_params;
fastcgi_param HTTPS $forwarded_https if_not_empty;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass unix:/var/run/www-wieni-php5-fpm.sock;
fastcgi_index index.php;
}
location / {
# We skip PHP for static content
try_files $uri /index.php?$query_string;
}
}
Raw
gateway.nginx.conf
server {
listen 80;
server_name www.wieni.be;
return 301 https://www.wieni.be$request_uri; # Redirect all HTTP traffic to HTTPS
}
server {
listen 443 ssl http2; # This is all that's needed on Nginx 1.9.5+ with OpenSSL 1.0.2 to enable HTTP/2.
server_name www.wieni.be;
# Mozilla's TLS settings for intermediate compatibility. See https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
add_header Strict-Transport-Security max-age=23652000 always;
ssl_certificate /etc/ssl/letsencrypt/wieni.be/fullchain.pem;
ssl_certificate_key /etc/ssl/letsencrypt/wieni.be/privkey.pem;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/dhparam-2048.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/letsencrypt/wieni.be/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
# The location below is used for our Let's Encrypt autorenewal.
# location /.well-known {
# add_header Content-Type text/plain;
# proxy_pass http://internal-ip-of-letsencrypt-management-box;
# proxy_hide_header Content-Type;
# }
# We forward all other requests to our internal app server over plain HTTP (on a secure internal network).
location / {
proxy_pass http://internal-ip-of-app-server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
Raw
nginx.conf
http {
...
## Support the X-Forwarded-Proto header with a nice variable.
map $http_x_forwarded_proto $forwarded_https {
default $https;
http '';
https on;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment