@lesstif
Last active July 2, 2020 05:11
Nginx virtual host configuration for a Confluence server on a specific domain (e.g. example.com).
## confluence vhost
## Plain-http catch-all for the bare domain. It is also default_server, so requests
## whose Host header matches no other port-80 vhost land here and are redirected
## to the canonical https://www.example.com host.
server {
listen 80;
server_name example.com default_server;
# root/error_page are effectively unused here: the unconditional return below
# answers every request before any content is served
root /var/www/www.example.com;
error_page 502 = /http_502.html;
return 301 https://www.example.com$request_uri;
}
## Plain-http vhost for the canonical www host: nothing is served over http,
## every request is redirected to the same path on https.
server {
listen 80;
server_name www.example.com ;
# root/error_page are effectively unused here: the return below answers every request
root /var/www/www.example.com;
error_page 502 = /http_502.html;
## force redirect to https://www.example.com
return 301 https://www.example.com$request_uri;
}
## https vhost for the bare domain: terminates TLS only to redirect to the
## canonical www host, so the certificate presented here must be valid for
## example.com as well (see the note on the certificate below).
server {
root /var/www/www.example.com;
server_name example.com;
listen 443 ssl;
error_page 502 = /http_502.html;
return 301 https://www.example.com$request_uri;
# NOTE(review): the certificate files are the jira.example.com Let's Encrypt chain —
# presumably a SAN certificate; confirm it also covers example.com and www.example.com,
# otherwise clients see a name-mismatch error before the redirect is ever sent.
ssl_certificate /etc/letsencrypt/live/jira.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/jira.example.com/privkey.pem; # managed by Certbot
# shared TLS hardening (protocols, ciphers, stapling, security headers)
include ssl-secure.conf;
}
## Main https vhost: terminates TLS for www.example.com and reverse-proxies to
## Confluence (127.0.0.1:8090) and its Synchrony collaborative-editing service
## (127.0.0.1:8091) on localhost. Static exceptions (robots, favicon, logo,
## search-engine verification file) are served from local paths.
server {
root /var/www/www.example.com;
listen 443 ssl http2;
error_page 502 = /http_502.html;
#server_name www.example.com example.com;
server_name www.example.com;
charset utf-8;
access_log /var/log/nginx/example.com-ssl.access.log combined;
error_log /var/log/nginx/example.com-ssl.error.log notice;
# upper bound for request bodies (attachment uploads); Confluence has its own
# attachment size limit — presumably the two are meant to agree, confirm
client_max_body_size 50M;
## prevent search engine indexing
# exact-match location: the global robots.txt is served instead of anything Confluence would return
location = /robots.txt {
alias /etc/nginx/global-robots.txt;
}
# custom favicon/logo served locally instead of from Confluence
location = /favicon.ico {
alias /my-precious/logo/favicon.ico;
access_log off;
}
location = /confluence-logo.png {
alias /my-precious/logo/hatchful-logo.png;
access_log off;
}
# for naver web master
# site-ownership verification file, served from /var/www rather than proxied
location /naver977eb9fc8b7dfecf59da586537291a6a.html {
root /var/www;
}
# avoid an upstream response is buffered to a temporary file
# NOTE(review): 1024 buffers x 1024k allows up to ~1 GiB of buffer memory per
# proxied connection. This is a deliberate memory-for-disk trade-off; size it
# against the expected number of concurrent connections so a burst of large
# responses cannot exhaust RAM.
proxy_buffering on;
proxy_buffer_size 1024k;
proxy_buffers 1024 1024k;
client_body_buffer_size 1024k;
proxy_busy_buffers_size 1024k;
# Synchrony (collaborative editing) uses WebSockets, hence HTTP/1.1 plus the
# Upgrade/Connection headers. Connection "Upgrade" is sent on every request to
# this location, not only on actual upgrades. Host is not overridden here, so the
# upstream sees nginx's default ($proxy_host) — confirm that is intended.
location /synchrony {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8091/synchrony;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
# Everything else goes to Confluence. The forwarded headers let the application
# see the public host, client address and scheme (https) behind the proxy —
# presumably matched by Confluence's own connector/proxy settings, confirm.
location / {
proxy_pass http://127.0.0.1:8090;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
## refer ssl-secure.conf
##add_header X-Frame-Options SAMEORIGIN;
# Clickjacking guard: only the two listed hosts may frame this site. ssl-secure.conf
# also sends X-Frame-Options SAMEORIGIN (www only); browsers that understand
# frame-ancestors use this CSP directive instead. Note that add_header without
# `always` is only attached to successful/redirect responses, not error pages.
add_header Content-Security-Policy "frame-ancestors www.example.com example.com";
# regex location wins over the "/" prefix, so dotfile requests are refused before reaching the proxy
location ~ /\.ht {
deny all;
}
#location = /robots.txt { access_log off; log_not_found off; }
# NOTE(review): certificate is the jira.example.com Let's Encrypt chain — presumably a
# SAN certificate; confirm it covers www.example.com.
ssl_certificate /etc/letsencrypt/live/jira.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/jira.example.com/privkey.pem; # managed by Certbot
# shared TLS hardening (protocols, ciphers, stapling, security headers)
include ssl-secure.conf;
}
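## ssl-secure.conf — shared TLS hardening, included from each 443 server block.
## TLS 1.0/1.1 are deprecated (RFC 8996) and flagged by every current scanner,
## so only TLS 1.2 and 1.3 are offered.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# forward-secret (ECDHE/DHE) AES-GCM / AES-256 suites only; this list governs
# TLS 1.2 suites — TLS 1.3 suites are not selected through ssl_ciphers
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
# NOTE(review): stapling needs a resolver to look up the OCSP responder; with the
# line below left commented out nginx cannot fetch OCSP responses and logs a
# no-resolver warning — fill in real DNS server addresses and enable it.
#resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
# HSTS. max-age=108000 is only 30 hours — fine while the https redirects are
# being validated, but raise it (one year, 31536000, is the usual target) once
# stable. `always` (nginx >= 1.7.5) attaches the header to error responses too,
# as RFC 6797 expects; without it only successful/redirect responses carry it.
add_header Strict-Transport-Security "max-age=108000" always;
#add_header Strict-Transport-Security "max-age=108000; includeSubdomains; preload";
#add_header Strict-Transport-Security "max-age=0";
# legacy clickjacking guard; the vhost's CSP frame-ancestors directive takes
# precedence in browsers that support it
add_header X-Frame-Options SAMEORIGIN;
# stop browsers from MIME-sniffing responses away from the declared Content-Type
add_header X-Content-Type-Options nosniff;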