@jakefb
Last active April 8, 2016 22:17
Fastcast nginx config
## /etc/nginx/sites-available/fastcast
# Plain-HTTP catch-all (default_server on port 80, IPv4 and IPv6): nothing is
# served here, every request is permanently redirected to HTTPS.
server {
    listen      80 default_server;
    listen      [::]:80 default_server;

    # $host is taken from the request (request line or Host header), so as the
    # default server this redirects to whatever host name the client asked for.
    # NOTE(review): confirm that is intended rather than a fixed host name.
    return      301 https://$host$request_uri;
}
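# Main site: static files from /var/www/fastcast served over TLS, with
# permissive (any-origin) CORS headers on GET and preflight responses.
server {
    # NOTE(review): the spdy listen parameter was superseded by http2 in later
    # nginx releases; confirm against the installed version.
    listen 443 ssl spdy;
    listen [::]:443 ssl spdy;
    server_name fastcast.nz;

    # Shared TLS settings (protocols, ciphers, HSTS header, OCSP stapling).
    include /etc/nginx/ssl.conf;
    ssl_certificate /etc/letsencrypt/live/fastcast.nz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fastcast.nz/privkey.pem;
    # CA chain used to verify the stapled OCSP response.
    ssl_trusted_certificate /etc/letsencrypt/live/fastcast.nz/chain.pem;

    root /var/www/fastcast;
    error_page 403 404 /404.html;

    location / {
        index index.html;
        try_files $uri $uri/ =404;

        # NOTE(review): nginx's own guidance warns that an `if` matching inside
        # a location can keep try_files from being applied; verify that missing
        # files still produce the 404 page for GET requests.

        # add_header directives are inherited from the enclosing level only
        # when the current level defines none. Both `if` blocks below define
        # their own, which would drop the Strict-Transport-Security header set
        # in /etc/nginx/ssl.conf, so it is repeated in each block.

        # CORS preflight: answer with the allowed methods/headers and no body.
        if ($request_method = 'OPTIONS') {
            add_header 'Strict-Transport-Security' 'max-age=15768000; includeSubDomains; preload';
            add_header 'Access-Control-Allow-Origin' '*';
            # Access-Control-Allow-Credentials is deliberately not sent:
            # browsers refuse credentialed requests when the allowed origin is
            # the wildcard, so the header had no effect and only suggested that
            # cookies/auth were being shared cross-origin.
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,range';
            # Let browsers cache the preflight result (value in seconds).
            add_header 'Access-Control-Max-Age' 1728000;
            # Media type and charset parameter must be separated by ';'.
            add_header 'Content-Type' 'text/plain; charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }

        # Actual cross-origin reads: any origin may fetch the static content.
        if ($request_method = 'GET') {
            add_header 'Strict-Transport-Security' 'max-age=15768000; includeSubDomains; preload';
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        }
    }

    # Never expose repository metadata if the web root is a git checkout.
    location ~ /\.git {
        deny all;
    }
}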
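# Tracker endpoint: terminates TLS and reverse-proxies everything, including
# WebSocket upgrades, to a backend on port 9003.
server {
    # NOTE(review): the spdy listen parameter was superseded by http2 in later
    # nginx releases; confirm against the installed version.
    listen 443 ssl spdy;
    listen [::]:443 ssl spdy;
    server_name tracker.fastcast.nz;

    # Shared TLS settings (protocols, ciphers, HSTS header, OCSP stapling).
    include /etc/nginx/ssl.conf;
    # NOTE(review): this reuses the fastcast.nz certificate; confirm that it
    # lists tracker.fastcast.nz as a subject alternative name.
    ssl_certificate /etc/letsencrypt/live/fastcast.nz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fastcast.nz/privkey.pem;
    # CA chain used to verify the stapled OCSP response.
    ssl_trusted_certificate /etc/letsencrypt/live/fastcast.nz/chain.pem;

    location / {
        # The original read 129.0.0.1, which is a publicly routable address:
        # decrypted client traffic and the forwarded client-IP headers would
        # have left the machine in clear text. Loopback is assumed to be what
        # was meant -- confirm the backend listens on 127.0.0.1:9003.
        proxy_pass http://127.0.0.1:9003;

        # HTTP/1.1 plus the Upgrade/Connection headers are what allow a
        # WebSocket handshake to pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Tell the backend who the real client is and which scheme was used.
        # X-Forwarded-For keeps any value the client sent and appends the peer
        # address, so the backend should only trust the last entry.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;

        # Keep idle long-lived connections open for up to 15 minutes.
        proxy_read_timeout 15m;
    }
}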
## /etc/nginx/ssl.conf
# --- Session reuse ---
# TLS sessions are kept for one day in a 50 MB cache shared between workers;
# session tickets are switched off.
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# --- Protocols and cipher suites ---
# TLS 1.2 only, ECDHE key exchange only, and the server's preference order
# wins. Clients without TLS 1.2 support cannot connect. Tweak to your needs.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

# Diffie-Hellman parameters for DHE cipher suites (2048 bits recommended).
# None of the suites listed above is DHE, so this only matters if one is added.
ssl_dhparam /etc/ssl/dhparam.pem;

# --- HSTS (needs ngx_http_headers_module; 15768000 seconds = 6 months) ---
# includeSubDomains plus preload commits every host under the domain to HTTPS,
# so all of them must serve valid TLS before this is relied on.
# An add_header defined at a lower level (server, location, or an `if` inside a
# location) replaces this one there; repeat the header wherever that happens.
add_header "Strict-Transport-Security" "max-age=15768000; includeSubDomains; preload";

# --- OCSP stapling ---
# Fetch OCSP records from the URL in ssl_certificate, cache them, and verify
# the responses before stapling.
ssl_stapling on;
ssl_stapling_verify on;
# DNS server used to resolve the OCSP responder's host name.
# NOTE(review): the nginx documentation recommends a resolver on a trusted
# local network to limit DNS spoofing; 8.8.8.8 is a public resolver.
resolver 8.8.8.8;