lazd/nginx.conf

## nginx.conf

#user  nobody;
worker_processes  1;

# error_log  /usr/local/var/log/nginx/error.log;
# error_log  /usr/local/var/log/nginx/error.log notice;
error_log  /usr/local/var/log/nginx/error.log info;

#pid        logs/nginx.pid;


events {
	worker_connections  1024;
}

http {
	include       mime.types;
	default_type  application/octet-stream;

	#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
	#                  '$status $body_bytes_sent "$http_referer" '
	#                  '"$http_user_agent" "$http_x_forwarded_for"';

	#access_log  logs/access.log  main;

	sendfile        on;
	#tcp_nopush     on;

	#keepalive_timeout  0;
	keepalive_timeout  65;

	#gzip  on;

	map $upstream_http_location $m_replaceHTTPS {
		""  "";
		"~^https://(.*)$" "http://$1";
		"~.*" "";
	}

	map $upstream_http_set_cookie $m_replaceCookie {
		""  "";
		"~secure;?$" "";
		"~.*" "";
	}

	server {
		listen 8080 default_server;

		location / {
			resolver 8.8.8.8;
			proxy_pass https://$host;

			# Ensure all content goes to http
			sub_filter_once off;
			sub_filter_types application/xhtml+xml application/xml text/xml application/rss+xml application/atom+xml text/plain text/javascript text/css application/json;
			sub_filter 'https://' 'http://';

			# Ensure redirects go to http
			proxy_hide_header location;
			add_header location $m_replaceHTTPS always;

			# Make the first cookie insecure
			proxy_hide_header set-cookie;
			add_header set-cookie $m_replaceCookie always;

			# don't allow gzip so sub_filter works
			proxy_set_header Accept-Encoding "";

			# spoof UA
			proxy_set_header User-Agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A";

			# run down redirects to avoid confusing the browser
			proxy_intercept_errors on;
			error_page 301 302 307 = @handle_redirect;
		}

		location @handle_redirect {
			resolver 8.8.8.8;
			set $saved_redirect_location '$upstream_http_location';
			proxy_pass $saved_redirect_location;

			sub_filter_once off;
			sub_filter_types application/xhtml+xml application/xml text/xml text/plain text/javascript text/css application/json;
			sub_filter 'https://' 'http://';

			# don't allow gzip so sub_filter works
			proxy_set_header Accept-Encoding "";

			proxy_hide_header location;
			add_header location $m_replaceHTTPS always;
		}
	}

	server {
		listen 4343 ssl;

		ssl_certificate nginx-selfsigned.crt;
		ssl_certificate_key nginx-selfsigned.key;
		ssl_dhparam dhparam.pem;

		ssl_prefer_server_ciphers on;
 		ssl_protocols SSLv3 TLSv1;
		ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

		ssl_session_timeout 1d;
		ssl_session_cache shared:SSL:10m;
		ssl_session_tickets off;

		location / {
			proxy_pass http://127.0.0.1:8080;
			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto https;
		}
	}

	# server {
		# listen 4343 ssl;
		#
		# ssl_certificate nginx-selfsigned.crt;
		# ssl_certificate_key nginx-selfsigned.key;
		# ssl_dhparam dhparam.pem;
		#
		# ssl_session_timeout 1d;
		# ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
		# ssl_session_tickets off;
		#
		# ssl_verify_client off;
		# proxy_ssl_session_reuse off;

		# old configuration
		# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
		# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
		# ssl_prefer_server_ciphers off;
		#
		# add_header Strict-Transport-Security "max-age=63072000" always;

		# ssl_prefer_server_ciphers off;
		# ssl_protocols SSLv3 TLSv1;
		# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

		# ssl_ecdh_curve secp384r1;
		# ssl_session_cache shared:SSL:10m;
		# ssl_session_tickets off;
		# ssl_stapling on;
		# ssl_stapling_verify on;

		# location / {
		# 	resolver 8.8.8.8;
		# 	proxy_pass https://$host;
		# }
	# }

	include servers/*;
}

	#user nobody;
	worker_processes 1;

	# error_log /usr/local/var/log/nginx/error.log;
	# error_log /usr/local/var/log/nginx/error.log notice;
	error_log /usr/local/var/log/nginx/error.log info;

	#pid logs/nginx.pid;


	events {
	worker_connections 1024;
	}

	http {
	include mime.types;
	default_type application/octet-stream;

	#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	# '$status $body_bytes_sent "$http_referer" '
	# '"$http_user_agent" "$http_x_forwarded_for"';

	#access_log logs/access.log main;

	sendfile on;
	#tcp_nopush on;

	#keepalive_timeout 0;
	keepalive_timeout 65;

	#gzip on;

	map $upstream_http_location $m_replaceHTTPS {
	"" "";
	"~^https://(.*)$" "http://$1";
	"~.*" "";
	}

	map $upstream_http_set_cookie $m_replaceCookie {
	"" "";
	"~secure;?$" "";
	"~.*" "";
	}

	server {
	listen 8080 default_server;

	location / {
	resolver 8.8.8.8;
	proxy_pass https://$host;

	# Ensure all content goes to http
	sub_filter_once off;
	sub_filter_types application/xhtml+xml application/xml text/xml application/rss+xml application/atom+xml text/plain text/javascript text/css application/json;
	sub_filter 'https://' 'http://';

	# Ensure redirects go to http
	proxy_hide_header location;
	add_header location $m_replaceHTTPS always;

	# Make the first cookie insecure
	proxy_hide_header set-cookie;
	add_header set-cookie $m_replaceCookie always;

	# don't allow gzip so sub_filter works
	proxy_set_header Accept-Encoding "";

	# spoof UA
	proxy_set_header User-Agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A";

	# run down redirects to avoid confusing the browser
	proxy_intercept_errors on;
	error_page 301 302 307 = @handle_redirect;
	}

	location @handle_redirect {
	resolver 8.8.8.8;
	set $saved_redirect_location '$upstream_http_location';
	proxy_pass $saved_redirect_location;

	sub_filter_once off;
	sub_filter_types application/xhtml+xml application/xml text/xml text/plain text/javascript text/css application/json;
	sub_filter 'https://' 'http://';

	# don't allow gzip so sub_filter works
	proxy_set_header Accept-Encoding "";

	proxy_hide_header location;
	add_header location $m_replaceHTTPS always;
	}
	}

	server {
	listen 4343 ssl;

	ssl_certificate nginx-selfsigned.crt;
	ssl_certificate_key nginx-selfsigned.key;
	ssl_dhparam dhparam.pem;

	ssl_prefer_server_ciphers on;
	ssl_protocols SSLv3 TLSv1;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	location / {
	proxy_pass http://127.0.0.1:8080;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;
	}
	}

	# server {
	# listen 4343 ssl;
	#
	# ssl_certificate nginx-selfsigned.crt;
	# ssl_certificate_key nginx-selfsigned.key;
	# ssl_dhparam dhparam.pem;
	#
	# ssl_session_timeout 1d;
	# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
	# ssl_session_tickets off;
	#
	# ssl_verify_client off;
	# proxy_ssl_session_reuse off;

	# old configuration
	# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
	# ssl_prefer_server_ciphers off;
	#
	# add_header Strict-Transport-Security "max-age=63072000" always;

	# ssl_prefer_server_ciphers off;
	# ssl_protocols SSLv3 TLSv1;
	# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

	# ssl_ecdh_curve secp384r1;
	# ssl_session_cache shared:SSL:10m;
	# ssl_session_tickets off;
	# ssl_stapling on;
	# ssl_stapling_verify on;

	# location / {
	# resolver 8.8.8.8;
	# proxy_pass https://$host;
	# }
	# }

	include servers/*;
	}