VestaCP: Phoenix Nginx SSL Conf
# Getting Started.
# 1. Enter visual mode (V), then use s/myapp/domain/g to replace every occurrence of myapp with your domain.
# 2. Change the upstream port to the PORT environment variable defined in /etc/init.d/myapp.
# hide server information
# NOTE(review): an http{} block is only valid at the top level of the main
# nginx.conf. If this file is included from inside that http{} block (the
# usual place for a per-domain config), nginx rejects the nested http{};
# in that case use a bare `server_tokens off;` here, or put it inside the
# server{} block below.
http {
    server_tokens off;
}
# Plain-HTTP catch-all: every request is answered with a permanent redirect
# to the HTTPS server of the same name.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name myapp.com www.myapp.com;

    # $server_name (the first name on the server_name line) is used rather
    # than $host, so the redirect target is fixed by this config instead of
    # the client-supplied Host header.
    return 301 https://$server_name$request_uri;
}
# Getting Started.
# 1. Enter visual mode (V), then use s/myapp.com/domain.com/g to replace every occurrence of myapp.com with your domain.
# 2. Change the upstream port to the PORT environment variable defined in /etc/init.d/myapp.
# Backend pool for the application; the port must match the PORT value
# configured in /etc/init.d/myapp.
upstream myapp {
    server localhost:34567;
}
# hide server information
# NOTE(review): an http{} block is only valid at the top level of the main
# nginx.conf. If this file is included from inside that http{} block (the
# usual place for a per-domain config), nginx rejects the nested http{};
# in that case use a bare `server_tokens off;` here, or put it inside the
# server{} block below.
http {
    server_tokens off;
}
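# the main server directive for ssl connections
# where we also use http2 (see asset delivery)
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name myapp.com www.myapp.com;

    # Hide the nginx version in the Server header and error pages for this
    # vhost, independent of what the http{} level sets.
    server_tokens off;

    # paths to certificate and key provided by Let's Encrypt
    #ssl_certificate /etc/letsencrypt/live/myapp.com/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/myapp.com/privkey.pem;
    ssl_certificate /home/admin/conf/web/myapp.com.pem;
    # The private key has to be loaded with ssl_certificate_key; a second
    # ssl_certificate line pointing at the .key file does not load a key and
    # leaves the listener without one.
    ssl_certificate_key /home/admin/conf/web/myapp.com.key;

    # SSL settings that currently offer good results in the SSL check
    # and have a reasonable backwards-compatibility, taken from
    # - https://cipherli.st/
    # - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them
    # once no client that still needs them remains, leaving TLSv1.2 (plus
    # TLSv1.3 where the nginx/OpenSSL build supports it).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    # Tickets are off so forward secrecy is not undermined by a long-lived
    # ticket key.
    ssl_session_tickets off;
    # OCSP stapling with verification: the certificate file must contain the
    # issuer chain (a full chain), or the chain has to be supplied via
    # ssl_trusted_certificate.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # security enhancements
    # "always" also sends the headers on error responses (4xx/5xx).
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    # Let's Encrypt keeps its files here
    # NOTE(review): the other configs in this gist use
    # /home/admin/web/myapp.com/public_html as the web root; this path under
    # /home/admin/conf/ looks like a typo -- confirm it before relying on it
    # for ACME challenges.
    location ~ /.well-known {
        root /home/admin/conf/web/myapp.com/public_html;
        allow all;
    }

    # besides referencing the extracted upstream this stays the same
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # Let the application know it is served over TLS (secure cookies,
        # absolute URLs, redirects).
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_pass http://myapp;
        # WebSocket upgrades require HTTP/1.1 towards the upstream; nginx's
        # default proxy_http_version is 1.0, under which the Upgrade handshake
        # cannot complete.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # asset delivery using NGINX
        location ~* ^.+\.(css|cur|gif|gz|ico|jpg|jpeg|js|png|svg|woff|woff2|mp3|mp4)$ {
            root /home/admin/myapp/priv/static;
            etag off;
            expires max;
            add_header Cache-Control public;
            # add_header is not inherited once a level defines its own, so the
            # security headers are repeated here for static assets.
            add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
            add_header X-Frame-Options DENY always;
            add_header X-Content-Type-Options nosniff always;
        }

        # php support for Vesta
        # NOTE(review): this server{} sets no root, so $document_root here is
        # nginx's compiled-in default; set root to the public_html directory
        # if PHP files are expected to resolve.
        location ~ [^/]\.php(/|$) {
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # Only hand requests for existing files to PHP-FPM.
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            fastcgi_pass 127.0.0.1:9002;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
        }
    }

    error_page 403 /error/404.html;
    error_page 404 /error/404.html;
    error_page 500 502 503 504 /error/50x.html;
    location /error/ {
        alias /home/admin/web/myapp.com/document_errors/;
    }

    # Never serve Apache-style auth files.
    location ~* "/\.(htaccess|htpasswd)$" {
        deny all;
        return 404;
    }

    location /vstats/ {
        alias /home/admin/web/myapp.com/stats/;
        include /home/admin/web/myapp.com/stats/auth.conf*;
    }

    include /etc/nginx/conf.d/phpmyadmin.inc*;
    include /etc/nginx/conf.d/phppgadmin.inc*;
    include /etc/nginx/conf.d/webmail.inc*;
}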
# Configuration file for a Phoenix app running in a subdirectory.
# Backend pool for the application; the port is where the app process
# listens on this host.
upstream myapp {
    server localhost:34567;
}
# hide server information
# NOTE(review): an http{} block is only valid at the top level of the main
# nginx.conf. If this file is included from inside that http{} block (the
# usual place for a per-domain config), nginx rejects the nested http{};
# in that case use a bare `server_tokens off;` here, or put it inside the
# server{} block below.
http {
    server_tokens off;
}
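server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name myapp.com www.myapp.com;
    # NOTE(review): this file declares no ssl_certificate / ssl_certificate_key
    # but listens with "ssl"; the TLS handshake fails unless those directives
    # come from an enclosing or included config -- confirm.
    root /home/admin/web/myapp.com/public_html;
    index index.html;

    # Static site at the top level.
    location / {
        try_files $uri $uri/ =404;
    }

    location /subdirectory {
        # pass the requests on to our proxy
        try_files $uri @proxy;
    }

    location @proxy {
        # proxy_params is a distribution-supplied snippet (on Debian/Ubuntu
        # it is /etc/nginx/proxy_params); it must exist on this host.
        include proxy_params;
        proxy_redirect off;
        # Must name the upstream{} declared above; no upstream called
        # "myapp_phoenix" exists in this file, so that name would be resolved
        # as a hostname instead.
        proxy_pass http://myapp;
    }
}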
# Configuration file for a Phoenix app running in a subdirectory.
# Backend pool for the application; the port is where the app process
# listens on this host.
upstream myapp {
    server localhost:37340;
}
# hide server information
# NOTE(review): an http{} block is only valid at the top level of the main
# nginx.conf. If this file is included from inside that http{} block (the
# usual place for a per-domain config), nginx rejects the nested http{};
# in that case use a bare `server_tokens off;` here, or put it inside the
# server{} block below.
http {
    server_tokens off;
}
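server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name myapp.com www.myapp.com;
    root /home/admin/web/myapp.com/public_html;
    index index.html;

    # Hide the nginx version in the Server header and error pages for this
    # vhost, independent of what the http{} level sets.
    server_tokens off;

    # paths to certificate and key provided by Let's Encrypt
    #ssl_certificate /etc/letsencrypt/live/myapp.com/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/myapp.com/privkey.pem;
    ssl_certificate /home/admin/conf/web/myapp.com.pem;
    # The private key has to be loaded with ssl_certificate_key; a second
    # ssl_certificate line pointing at the .key file does not load a key and
    # leaves the listener without one.
    ssl_certificate_key /home/admin/conf/web/myapp.com.key;

    # SSL settings that currently offer good results in the SSL check
    # and have a reasonable backwards-compatibility, taken from
    # - https://cipherli.st/
    # - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them
    # once no client that still needs them remains, leaving TLSv1.2 (plus
    # TLSv1.3 where the nginx/OpenSSL build supports it).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    # Tickets are off so forward secrecy is not undermined by a long-lived
    # ticket key.
    ssl_session_tickets off;
    # OCSP stapling with verification: the certificate file must contain the
    # issuer chain (a full chain), or the chain has to be supplied via
    # ssl_trusted_certificate.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # security enhancements
    # "always" also sends the headers on error responses (4xx/5xx).
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        # pass the requests on to our proxy
        try_files $uri @proxy;

        # asset delivery using NGINX
        location ~* ^.+\.(css|cur|gif|gz|ico|jpg|jpeg|js|png|svg|woff|woff2|mp3|mp4)$ {
            root /home/admin/myapp/priv/static;
            etag off;
            expires max;
            add_header Cache-Control public;
            # add_header is not inherited once a level defines its own, so the
            # security headers are repeated here for static assets.
            add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
            add_header X-Frame-Options DENY always;
            add_header X-Content-Type-Options nosniff always;
        }

        # php delivery support
        location ~ [^/]\.php(/|$) {
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # Only hand requests for existing files to PHP-FPM.
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            fastcgi_pass 127.0.0.1:9002;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
        }
    }

    location @proxy {
        # proxy_params is a distribution-supplied snippet (on Debian/Ubuntu
        # it is /etc/nginx/proxy_params). If it does not set
        # X-Forwarded-Proto, add `proxy_set_header X-Forwarded-Proto $scheme;`
        # here so the application knows it is served over TLS.
        include proxy_params;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://myapp;
        # WebSocket upgrades require HTTP/1.1 towards the upstream; nginx's
        # default proxy_http_version is 1.0, under which the Upgrade handshake
        # cannot complete.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Let's Encrypt keeps its files here
    location ~ /.well-known {
        root /home/admin/web/myapp.com/public_html;
        allow all;
    }

    include /etc/nginx/conf.d/phpmyadmin.inc*;
    include /etc/nginx/conf.d/phppgadmin.inc*;
    include /etc/nginx/conf.d/webmail.inc*;
}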