lkiesow/conf.d-host.conf

## conf.d-host.conf
server {
    # Enforce HTTPS by redirecting requests
    listen 80;
    listen [::]:80;
    server_name {{ inventory_hostname }};
    location / {
        return 301 https://$host$request_uri;
    }

    # Directly handle ACME challenges
    # This is for Let's Encrypt
    location /.well-known/acme-challenge {
        alias /srv/www/acme-challenges/;
    }
}

## conf.d-host.ssl.conf
server {
    listen      443 ssl http2;
    listen [::]:443 ssl http2;
    server_name opencast.example.com;

    ssl_certificate_key /etc/nginx/ssl/opencast.example.com.key;
    ssl_certificate     /etc/nginx/ssl/opencast.example.com.crt;

    # Secure SSL configuration
    include /etc/nginx/ssl.conf;

    # Accept large ingests
    client_max_body_size 0;

    # Proxy configuration for Opencast
    location / {

        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        proxy_pass              http://localhost:8080;

        # Make sure to redirect location headers to HTTPS
        proxy_redirect          http://$host https://$host;

        # Do not buffer responses
        proxy_buffering         off;

        # Do not buffer requests
        proxy_request_buffering off;
    }
}

## nginx.conf
# Defines user and group credentials used by worker processes. If group is
# omitted, a group whose name equals that of user is used.
user    nginx;

# Defines the number of worker processes.    Setting it to the number of
# available CPU cores should be a good start. The value `auto` will try to
# autodetect that.
worker_processes auto;

# Configures logging to `/var/log/...`. Log level `error` is used by default.
error_log    /var/log/nginx/error.log;

# Defines a file that will store the process ID of the main process. This needs
# to match the Systemd unit file.
pid /run/nginx.pid;


events {
# Sets the maximum number of simultaneous connections that can be opened by
# a worker process.
    worker_connections 1024;
}


http {
    # Include mime types for different file extensions.
    include /etc/nginx/mime.types;

    # Defines the default MIME type of a response.
    default_type application/octet-stream;

    # Sendfile copies data between one file descriptor and other from within the
    # kernel. This is more efficient than read() and write() since they require
    # transferring data to and from the user space.
    sendfile on;

    # Todo: Write explanation
    # https://t37.net/nginx-optimization-understanding-sendfile-tcp_nodelay-and-tcp_nopush.html
    tcp_nopush on;
    tcp_nodelay on;

    # Disable access log.
    access_log off;

    # Enable on-the-fly gzip compression for larger plain text files and for
    # proxies applications.
    gzip            on;
    gzip_comp_level 2;
    gzip_min_length 1000;
    gzip_proxied    expired no-cache no-store private auth;
    gzip_types      text/plain
                    application/x-javascript
                    text/xml
                    text/css
                    application/xml;

    # Do not send the nginx version number in error pages and Server header
    server_tokens off;

    # Config to not allow the browser to render the page inside an frame or
    # iframe and avoid clickjacking [1].    If you need to allow [i]frames, you
    # can use SAMEORIGIN or even set an uri with ALLOW-FROM uri [2].
    # [1] http://en.wikipedia.org/wiki/Clickjacking
    # [2] https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options SAMEORIGIN;

    # When serving user-supplied content, include a X-Content-Type-Options:
    # nosniff header along with the Content-Type: header, to disable
    # content-type sniffing on some browsers.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-Content-Type-Options nosniff;

    # This header enables the cross-site scripting (XSS) filter built into most
    # recent web browsers.    It's usually enabled by default anyway, so the role
    # of this header is to re-enable the filter for this particular website if
    # it was disabled by the user.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-XSS-Protection "1; mode=block";

    # With Content Security Policy (CSP) enabled and a browser that supports it
    # [1] you can tell the browser that it can only download content from the
    # domains you explicitly allow [2, 3]
    # [1] http://caniuse.com/#feat=contentsecuritypolicy
    # [2] http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    # [3] https://www.owasp.org/index.php/Content_Security_Policy
    add_header Content-Security-Policy "default-src 'self'";


    # Turn off old and possibly unsafe SSL protocols. TLSv1 is still necessary
    # for some older devices but I do not care.
    ssl_protocols TLSv1.1 TLSv1.2;

    # The Online Certificate Status Protocol (OCSP) is an Internet protocol used
    # for obtaining the revocation status of an X.509 digital certificate.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Defines files that will be used as an index. By default we will try for
    # html files.
    index index.html index.htm;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    include /etc/nginx/conf.d/*.conf;

}

## ssl.conf
# Enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# Enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;

# Ciphers chosen for forward secrecy and compatibility
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

# Enable ocsp stapling (mechanism by which a site can convey certificate
# revocation information to visitors in a privacy-preserving, scalable
# manner)
# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
#resolver 8.8.8.8;
#ssl_stapling on;
#ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;

# Config to enable HSTS (HTTP Strict Transport Security) [1] to avoid ssl
# stripping [2].
# [1] https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# [2] https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
	server {
	# Enforce HTTPS by redirecting requests
	listen 80;
	listen [::]:80;
	server_name {{ inventory_hostname }};
	location / {
	return 301 https://$host$request_uri;
	}

	# Directly handle ACME challenges
	# This is for Let's Encrypt
	location /.well-known/acme-challenge {
	alias /srv/www/acme-challenges/;
	}
	}
	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name opencast.example.com;

	ssl_certificate_key /etc/nginx/ssl/opencast.example.com.key;
	ssl_certificate /etc/nginx/ssl/opencast.example.com.crt;

	# Secure SSL configuration
	include /etc/nginx/ssl.conf;

	# Accept large ingests
	client_max_body_size 0;

	# Proxy configuration for Opencast
	location / {

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;

	proxy_pass http://localhost:8080;

	# Make sure to redirect location headers to HTTPS
	proxy_redirect http://$host https://$host;

	# Do not buffer responses
	proxy_buffering off;

	# Do not buffer requests
	proxy_request_buffering off;
	}
	}
	# Defines user and group credentials used by worker processes. If group is
	# omitted, a group whose name equals that of user is used.
	user nginx;

	# Defines the number of worker processes. Setting it to the number of
	# available CPU cores should be a good start. The value `auto` will try to
	# autodetect that.
	worker_processes auto;

	# Configures logging to `/var/log/...`. Log level `error` is used by default.
	error_log /var/log/nginx/error.log;

	# Defines a file that will store the process ID of the main process. This needs
	# to match the Systemd unit file.
	pid /run/nginx.pid;


	events {
	# Sets the maximum number of simultaneous connections that can be opened by
	# a worker process.
	worker_connections 1024;
	}


	http {
	# Include mime types for different file extensions.
	include /etc/nginx/mime.types;

	# Defines the default MIME type of a response.
	default_type application/octet-stream;

	# Sendfile copies data between one file descriptor and other from within the
	# kernel. This is more efficient than read() and write() since they require
	# transferring data to and from the user space.
	sendfile on;

	# Todo: Write explanation
	# https://t37.net/nginx-optimization-understanding-sendfile-tcp_nodelay-and-tcp_nopush.html
	tcp_nopush on;
	tcp_nodelay on;

	# Disable access log.
	access_log off;

	# Enable on-the-fly gzip compression for larger plain text files and for
	# proxies applications.
	gzip on;
	gzip_comp_level 2;
	gzip_min_length 1000;
	gzip_proxied expired no-cache no-store private auth;
	gzip_types text/plain
	application/x-javascript
	text/xml
	text/css
	application/xml;

	# Do not send the nginx version number in error pages and Server header
	server_tokens off;

	# Config to not allow the browser to render the page inside an frame or
	# iframe and avoid clickjacking [1]. If you need to allow [i]frames, you
	# can use SAMEORIGIN or even set an uri with ALLOW-FROM uri [2].
	# [1] http://en.wikipedia.org/wiki/Clickjacking
	# [2] https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
	add_header X-Frame-Options SAMEORIGIN;

	# When serving user-supplied content, include a X-Content-Type-Options:
	# nosniff header along with the Content-Type: header, to disable
	# content-type sniffing on some browsers.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-Content-Type-Options nosniff;

	# This header enables the cross-site scripting (XSS) filter built into most
	# recent web browsers. It's usually enabled by default anyway, so the role
	# of this header is to re-enable the filter for this particular website if
	# it was disabled by the user.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-XSS-Protection "1; mode=block";

	# With Content Security Policy (CSP) enabled and a browser that supports it
	# [1] you can tell the browser that it can only download content from the
	# domains you explicitly allow [2, 3]
	# [1] http://caniuse.com/#feat=contentsecuritypolicy
	# [2] http://www.html5rocks.com/en/tutorials/security/content-security-policy/
	# [3] https://www.owasp.org/index.php/Content_Security_Policy
	add_header Content-Security-Policy "default-src 'self'";


	# Turn off old and possibly unsafe SSL protocols. TLSv1 is still necessary
	# for some older devices but I do not care.
	ssl_protocols TLSv1.1 TLSv1.2;

	# The Online Certificate Status Protocol (OCSP) is an Internet protocol used
	# for obtaining the revocation status of an X.509 digital certificate.
	ssl_stapling on;
	ssl_stapling_verify on;

	# Defines files that will be used as an index. By default we will try for
	# html files.
	index index.html index.htm;

	# Load modular configuration files from the /etc/nginx/conf.d directory.
	include /etc/nginx/conf.d/*.conf;

	}
	# Enable session resumption to improve https performance
	# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 5m;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;

	# Enables server-side protection from BEAST attacks
	# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
	ssl_prefer_server_ciphers on;

	# Ciphers chosen for forward secrecy and compatibility
	# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

	# Enable ocsp stapling (mechanism by which a site can convey certificate
	# revocation information to visitors in a privacy-preserving, scalable
	# manner)
	# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
	#resolver 8.8.8.8;
	#ssl_stapling on;
	#ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;

	# Config to enable HSTS (HTTP Strict Transport Security) [1] to avoid ssl
	# stripping [2].
	# [1] https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
	# [2] https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";