# Plain-HTTP entry point for both hostnames (IPv4 and IPv6): every request is
# sent to the canonical TLS origin with a permanent redirect, keeping the
# original request URI (path and query string) intact.
server {
  listen 80;
  listen [::]:80;

  server_name wsd.events www.wsd.events;

  return 301 https://wsd.events$request_uri;
}
# TLS vhost for the www alias. TLS is negotiated before the Host name can be
# routed, so this block needs the same certificate material as the canonical
# host even though its only action is a redirect to the bare domain.
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name www.wsd.events;

  ssl_certificate /etc/letsencrypt/live/wsd.events/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/wsd.events/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/wsd.events/chain.pem;
  # Protocol and cipher policy is shared via this snippet (not shown here).
  include snippets/ssl-params.conf;

  return 301 https://wsd.events$request_uri;
}
# Canonical TLS origin for wsd.events.
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name wsd.events;

  ssl_certificate /etc/letsencrypt/live/wsd.events/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/wsd.events/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/wsd.events/chain.pem;
  # Protocol and cipher policy is shared via this snippet (not shown here).
  include snippets/ssl-params.conf;

  root /var/www/wsd.events/html;
  index index.html;

  # Regex locations are tried in the order written; keep these two in place.
  # /<n>/<n>/<n>/pres/<name> is rewritten to /<n>-<n>-<n>/<name>; with no
  # rewrite flag nginx finishes this block's rewrite directives and then
  # re-routes the changed URI, which lands it in the location below.
  location ~ ^/([0-9]+)/([0-9]+)/([0-9]+)/pres/(.+)$ {
    rewrite ^/([0-9]+)/([0-9]+)/([0-9]+)/pres/(.+)$ /$1-$2-$3/$4;
  }

  # Paths with a <n>-<n>-<n> prefix (presumably a date) are served from a
  # separate document root.
  location ~ ^/[0-9]+\-[0-9]+\-[0-9]+/.*$ {
    root /var/www/wsd.events/www/pres;
  }
}
# Older www -> bare-domain redirect. NOTE(review): it registers the same
# server_name on ports 80 and 443 as the blocks above; nginx keeps the first
# definition for a given name/port and reports the later one as a conflicting
# server name, so confirm which of the two www blocks is meant to survive.
server {
  listen 80;
  listen 443;

  server_name www.wsd.events;

  # The trailing "?" stops nginx from appending the query string a second
  # time; $request_uri already carries it.
  rewrite ^ https://wsd.events$request_uri? permanent;
}
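# Legacy / catch-all vhost for wsd.events.
# NOTE(review): it registers the same server_name on ports 80 and 443 as the
# blocks above; nginx keeps the first definition for a given name/port and
# reports later ones as conflicting. `default_server` on 443 still makes this
# block answer TLS requests whose Host matches no other server, which is what
# the $http_host check below relies on — confirm that is the intended role.
server {
  listen 80;
  listen 443 default_server ssl;

  server_name wsd.events;

  error_log /var/www/wsd.events/www/logs/error.log;
  access_log /var/www/wsd.events/www/logs/access.log;

  root /var/www/wsd.events/www/htdocs;
  index index.html index.htm;
  charset utf-8;
  error_page 404 /404.html;

  # The three `if` blocks are rewrite-phase directives and run in this order.

  # Requests for http-only domains on the same IP that were opened over https
  # end up in this default server; send them back to plain http on their own
  # host. The dot is escaped so only the literal hostname matches (the
  # unescaped form also matched e.g. "wsdXevents").
  # see: http://nginx.org/ru/docs/http/configuring_https_servers.html#name_based_https_servers
  # note: can be removed once there is only one domain on this IP
  if ($http_host !~ wsd\.events) {
    return 302 http://$http_host$request_uri;
  }

  # Plain-http requests: redirect to the TLS version.
  if ($ssl_protocol = "") {
    return 301 https://$server_name$request_uri;
  }

  # NOTE(review): $new is not defined anywhere in this file; it presumably
  # comes from a `map` in the http context. nginx refuses to start on an
  # unknown variable, so confirm that map exists before deploying this block.
  if ($new) {
    return 301 $new;
  }

  # Diffie-Hellman parameters for DHE ciphersuites (2048 bits), generated with:
  #   openssl dhparam -out /etc/nginx/dhparam.pem 2048
  ssl_dhparam /etc/nginx/dhparam.pem;
  ssl_certificate /etc/letsencrypt/live/wsd.events/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/wsd.events/privkey.pem;
  # chain.pem (issuer chain only), consistent with the other server blocks;
  # this is the trust anchor set ssl_stapling_verify checks OCSP responses
  # against.
  ssl_trusted_certificate /etc/letsencrypt/live/wsd.events/chain.pem;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 1d;

  # Mozilla "Intermediate" profile as generated in 2016 from
  # https://mozilla.github.io/server-side-tls/ssl-config-generator/
  # SSLv3 is omitted because of POODLE (CVE-2014-3566). TLSv1 and TLSv1.1 are
  # kept only because that profile listed them; both are deprecated and should
  # be dropped once the required client population allows.
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

  # OCSP stapling: fetch OCSP responses for the URL in ssl_certificate, cache
  # them, and verify them against ssl_trusted_certificate.
  ssl_stapling on;
  ssl_stapling_verify on;
  # To pin a DNS resolver for stapling, uncomment the line below; otherwise
  # nginx uses the system resolver.
  # resolver <IP DNS resolver>;

  # Security response headers. `always` emits them on error responses as well.
  # nginx does not inherit add_header into a location that sets its own
  # add_header, so the static-asset locations below repeat this set.
  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  add_header Strict-Transport-Security max-age=15768000 always;
  # whether the site may be framed
  # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
  add_header X-Frame-Options "SAMEORIGIN" always;
  # legacy browser XSS filter setting (ignored by current browsers)
  # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
  add_header X-Xss-Protection "1; mode=block" always;
  # stop browsers from MIME-sniffing away from the declared content-type
  # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
  add_header X-Content-Type-Options "nosniff" always;

  location / {
    root /var/www/wsd.events/www/htdocs;
  }

  # Regex locations are tried in the order written; keep their order.
  # /<n>/<n>/<n>/pres/<name> is rewritten to /<n>-<n>-<n>/<name>; with no
  # rewrite flag nginx finishes this block's rewrite directives and then
  # re-routes the changed URI, which lands it in the location below.
  location ~ ^/([0-9]+)/([0-9]+)/([0-9]+)/pres/(.+)$ {
    rewrite ^/([0-9]+)/([0-9]+)/([0-9]+)/pres/(.+)$ /$1-$2-$3/$4;
  }

  # Paths with a <n>-<n>-<n> prefix (presumably a date) are served from a
  # separate document root.
  location ~ ^/[0-9]+\-[0-9]+\-[0-9]+/.*$ {
    root /var/www/wsd.events/www/pres;
  }

  # Long-lived cache for media/static files. The add_header here replaces the
  # inherited set, so the security headers are repeated.
  location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
    expires 1M;
    add_header Cache-Control "public";
    add_header Strict-Transport-Security max-age=15768000 always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
  }

  # Same for stylesheets and scripts.
  location ~* \.(?:css|js)$ {
    expires max;
    add_header Cache-Control "public";
    add_header Strict-Transport-Security max-age=15768000 always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
  }
}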