Created
December 17, 2018 06:50
-
-
Save mungi/7f81988971b9dc00394c7394260de53c to your computer and use it in GitHub Desktop.
/etc/nginx/sites-enabled/redmine
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Redmine | |
upstream redmine { | |
server 127.0.0.1:8080 fail_timeout=0; | |
} | |
## Normal HTTP host | |
server { | |
listen 0.0.0.0:80; | |
listen [::]:80 default_server; | |
server_name _; | |
server_tokens off; | |
## Redirects all traffic to the HTTPS host | |
return 301 https://$host:443$request_uri; | |
} | |
## HTTPS host | |
server { | |
listen 0.0.0.0:443 ssl http2; | |
listen [::]:443 ssl http2 default_server; | |
server_tokens off; | |
root /home/redmine/redmine/public; | |
## Increase this if you want to upload large attachments | |
client_max_body_size 50m; | |
## Strong SSL Security | |
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html | |
ssl on; | |
ssl_certificate /home/redmine/data/certs/redmine.crt; | |
ssl_certificate_key /home/redmine/data/certs/redmine.key; | |
ssl_verify_client off; | |
ssl_ciphers 'AES256+EECDH:AES256+EDH'; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
ssl_session_cache builtin:1000 shared:SSL:10m; | |
ssl_prefer_server_ciphers on; | |
add_header Strict-Transport-Security "max-age=31536000;"; | |
# add_header X-Frame-Options SAMEORIGIN; | |
add_header X-Content-Type-Options nosniff; | |
## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. | |
## Replace with your ssl_trusted_certificate. For more info see: | |
## - https://medium.com/devops-programming/4445f4862461 | |
## - https://www.ruby-forum.com/topic/4419319 | |
## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx | |
# ssl_stapling on; | |
# ssl_stapling_verify on; | |
# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; | |
# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired | |
# resolver_timeout 10s; | |
## [Optional] Generate a stronger DHE parameter: | |
## cd /etc/ssl/certs | |
## sudo openssl dhparam -out dhparam.pem 4096 | |
## | |
## Individual nginx logs for this Redmine vhost | |
access_log /var/log/redmine/nginx/redmine_access.log; | |
error_log /var/log/redmine/nginx/redmine_error.log; | |
location / { | |
## Serve static files from defined root folder. | |
## @redmine is a named location for the upstream fallback, see below. | |
try_files $uri index.html $uri.html @redmine; | |
} | |
## If a file, which is not found in the root folder is requested, | |
## then the proxy passes the request to the upsteam (redmine unicorn). | |
location @redmine { | |
## If you use HTTPS make sure you disable gzip compression | |
## to be safe against BREACH attack. | |
gzip off; | |
## Some requests take more than 30 seconds. | |
proxy_read_timeout 300; | |
proxy_connect_timeout 300; | |
proxy_redirect off; | |
## Long issue filters require increasing proxy buffers | |
proxy_buffers 8 8k; | |
proxy_buffer_size 32k; | |
proxy_busy_buffers_size 32k; | |
proxy_set_header Host $http_host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-Ssl on; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header X-Forwarded-Proto https; | |
proxy_set_header X-Frame-Options SAMEORIGIN; | |
proxy_pass http://redmine; | |
} | |
error_page 500 /500.html; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment