Last active
March 21, 2024 03:55
-
-
Save ktwrd/7c36ffc51aa1edce2f8ddd46c43b81be to your computer and use it in GitHub Desktop.
Xenia Dashboard NGINX Config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; | |
| ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # from https://cipherli.st/ | |
| # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_prefer_server_ciphers on; | |
| ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; | |
| ssl_ecdh_curve secp384r1; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_tickets off; | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| resolver 8.8.8.8 8.8.4.4 valid=300s; | |
| resolver_timeout 5s; | |
| # Disable preloading HSTS for now. You can use the commented out header line that includes | |
| # the "preload" directive if you understand the implications. | |
| #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; | |
| add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; | |
| add_header X-Content-Type-Options nosniff; | |
| proxy_hide_header X-Frame-Options; | |
| add_header X-Frame-Options "sameorigin"; | |
| ssl_dhparam /etc/ssl/certs/dhparam.pem; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Used for updating the local environment | |
| mkdir ./config-backups/ | |
| dateFormatted=$(date +"%Y%m%d-%H%M") | |
| backupConfigBot="./config-backups/config-$dateFormatted-bot.json" | |
| backupConfigDash="./config-backups/config-$dateFormatted-dash.json" | |
| cp ./data/config.json $backupConfigBot | |
| cp ./data-dash/config.json $backupConfigDash | |
| docker compose down | |
| docker compose pull | |
| chmod a+rwx ./data/config.json | |
| chmod a+rwx ./data-dash/config.json | |
| docker compose up -d |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| upstream xenia_dashboard_prod { | |
| server localhost:8080 fail_timeout=0; | |
| } | |
| # Redirect all HTTP traffic to HTTPS | |
| server { | |
| # HTTP server config | |
| listen 80; | |
| server_name xb.kate.pet; | |
| # 301 redirect to HTTPS | |
| location / { | |
| return 301 https://$host$request_uri; | |
| } | |
| } | |
| server { | |
| # HTTPS server config | |
| listen 443 ssl http2; | |
| server_name xb.kate.pet; | |
| # create certs with the following command; | |
| # openssl req -x509 -nodes -newkey rsa:4096 -keyout /etc/ssl/private/nginx-selfsigned-xeniadash.key -out /etc/ssl/certs/nginx-selfsigned-xeniadash.crt | |
| ssl_certificate /etc/ssl/certs/nginx-selfsigned-xeniadash.crt; | |
| ssl_certificate_key /etc/ssl/private/nginx-selfsigned-xeniadash.key; | |
| # SSL Parameters | |
| # from https://cipherli.st/ | |
| # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_prefer_server_ciphers on; | |
| ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; | |
| ssl_ecdh_curve secp384r1; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_tickets off; | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| resolver 8.8.8.8 8.8.4.4 valid=300s; | |
| resolver_timeout 5s; | |
| add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; | |
| add_header X-Content-Type-Options nosniff; | |
| proxy_hide_header X-Frame-Options; | |
| add_header X-Frame-Options "sameorigin"; | |
| ssl_dhparam /etc/ssl/certs/dhparam.pem; | |
| # SSL Parameters end | |
| # Proxy site | |
| location / { | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection keep-alive; | |
| proxy_set_header Host $host; | |
| proxy_cache_bypass $http_upgrade; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_pass http://xenia_dashboard_prod; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment