Created
March 28, 2017 09:29
-
-
Save lkiesow/baef7abc4f031ddb6931a965fdb46a3d to your computer and use it in GitHub Desktop.
Nginx for Opencast
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
server { | |
# Enforce HTTPS by redirecting requests | |
listen 80; | |
listen [::]:80; | |
server_name {{ inventory_hostname }}; | |
location / { | |
return 301 https://$host$request_uri; | |
} | |
# Directly handle ACME challenges | |
# This is for Let's Encrypt | |
location /.well-known/acme-challenge { | |
alias /srv/www/acme-challenges/; | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
server { | |
listen 443 ssl http2; | |
listen [::]:443 ssl http2; | |
server_name opencast.example.com; | |
ssl_certificate_key /etc/nginx/ssl/opencast.example.com.key; | |
ssl_certificate /etc/nginx/ssl/opencast.example.com.crt; | |
# Secure SSL configuration | |
include /etc/nginx/ssl.conf; | |
# Accept large ingests | |
client_max_body_size 0; | |
# Proxy configuration for Opencast | |
location / { | |
proxy_set_header Host $host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
proxy_pass http://localhost:8080; | |
# Make sure to redirect location headers to HTTPS | |
proxy_redirect http://$host https://$host; | |
# Do not buffer responses | |
proxy_buffering off; | |
# Do not buffer requests | |
proxy_request_buffering off; | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Defines user and group credentials used by worker processes. If group is | |
# omitted, a group whose name equals that of user is used. | |
user nginx; | |
# Defines the number of worker processes. Setting it to the number of | |
# available CPU cores should be a good start. The value `auto` will try to | |
# autodetect that. | |
worker_processes auto; | |
# Configures logging to `/var/log/...`. Log level `error` is used by default. | |
error_log /var/log/nginx/error.log; | |
# Defines a file that will store the process ID of the main process. This needs | |
# to match the Systemd unit file. | |
pid /run/nginx.pid; | |
events { | |
# Sets the maximum number of simultaneous connections that can be opened by | |
# a worker process. | |
worker_connections 1024; | |
} | |
http { | |
# Include mime types for different file extensions. | |
include /etc/nginx/mime.types; | |
# Defines the default MIME type of a response. | |
default_type application/octet-stream; | |
# Sendfile copies data between one file descriptor and other from within the | |
# kernel. This is more efficient than read() and write() since they require | |
# transferring data to and from the user space. | |
sendfile on; | |
# Todo: Write explanation | |
# https://t37.net/nginx-optimization-understanding-sendfile-tcp_nodelay-and-tcp_nopush.html | |
tcp_nopush on; | |
tcp_nodelay on; | |
# Disable access log. | |
access_log off; | |
# Enable on-the-fly gzip compression for larger plain text files and for | |
# proxies applications. | |
gzip on; | |
gzip_comp_level 2; | |
gzip_min_length 1000; | |
gzip_proxied expired no-cache no-store private auth; | |
gzip_types text/plain | |
application/x-javascript | |
text/xml | |
text/css | |
application/xml; | |
# Do not send the nginx version number in error pages and Server header | |
server_tokens off; | |
# Config to not allow the browser to render the page inside an frame or | |
# iframe and avoid clickjacking [1]. If you need to allow [i]frames, you | |
# can use SAMEORIGIN or even set an uri with ALLOW-FROM uri [2]. | |
# [1] http://en.wikipedia.org/wiki/Clickjacking | |
# [2] https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options | |
add_header X-Frame-Options SAMEORIGIN; | |
# When serving user-supplied content, include a X-Content-Type-Options: | |
# nosniff header along with the Content-Type: header, to disable | |
# content-type sniffing on some browsers. | |
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers | |
add_header X-Content-Type-Options nosniff; | |
# This header enables the cross-site scripting (XSS) filter built into most | |
# recent web browsers. It's usually enabled by default anyway, so the role | |
# of this header is to re-enable the filter for this particular website if | |
# it was disabled by the user. | |
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers | |
add_header X-XSS-Protection "1; mode=block"; | |
# With Content Security Policy (CSP) enabled and a browser that supports it | |
# [1] you can tell the browser that it can only download content from the | |
# domains you explicitly allow [2, 3] | |
# [1] http://caniuse.com/#feat=contentsecuritypolicy | |
# [2] http://www.html5rocks.com/en/tutorials/security/content-security-policy/ | |
# [3] https://www.owasp.org/index.php/Content_Security_Policy | |
add_header Content-Security-Policy "default-src 'self'"; | |
# Turn off old and possibly unsafe SSL protocols. TLSv1 is still necessary | |
# for some older devices but I do not care. | |
ssl_protocols TLSv1.1 TLSv1.2; | |
# The Online Certificate Status Protocol (OCSP) is an Internet protocol used | |
# for obtaining the revocation status of an X.509 digital certificate. | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
# Defines files that will be used as an index. By default we will try for | |
# html files. | |
index index.html index.htm; | |
# Load modular configuration files from the /etc/nginx/conf.d directory. | |
include /etc/nginx/conf.d/*.conf; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Enable session resumption to improve https performance | |
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html | |
ssl_session_cache shared:SSL:50m; | |
ssl_session_timeout 5m; | |
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
ssl_dhparam /etc/nginx/ssl/dhparam.pem; | |
# Enables server-side protection from BEAST attacks | |
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html | |
ssl_prefer_server_ciphers on; | |
# Ciphers chosen for forward secrecy and compatibility | |
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html | |
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; | |
# Enable ocsp stapling (mechanism by which a site can convey certificate | |
# revocation information to visitors in a privacy-preserving, scalable | |
# manner) | |
# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ | |
#resolver 8.8.8.8; | |
#ssl_stapling on; | |
#ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt; | |
# Config to enable HSTS (HTTP Strict Transport Security) [1] to avoid ssl | |
# stripping [2]. | |
# [1] https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security | |
# [2] https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping | |
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment