rexdivakar/nginx_template

## nginx_template
################################
## our HTTP server at port 80 ##
################################
server {
    listen 80;
    server_name                     <website_url>;

    # HTTP STS
    add_header Strict-Transport-Security "max-age=31533600; includeSubDomians; preload" always;

    return 301 https://$host$request_uri;
}

#########################################################################
## Our HTTPS server at port 443. You need to provide ssl config below ###
#########################################################################

server {
    listen 443 ssl;
    server_name                     <website_url>;


    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)

    add_header X-XSS-Protection             "1; mode=block";
    add_header Strict-Transport-Security    "max-age=15768000" always;
    add_header X-Content-Type-Options       "nosniff" always;
    add_header X-Frame-Options              "SAMEORIGIN" always;

    # Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;

    # certs sent to the client in SERVER are concatenated in ssl_certificate
    #ssl_certificate                 /etc/letsencrypt/live/<website_url>/fullchain.pem;
    #ssl_certificate_key             /etc/letsencrypt/live/<website_url>/privkey.pem;
    #ssl_trusted_certificate         /etc/letsencrypt/live/<website_url>/chain.pem;
    ssl_certificate                 /etc/ssl/certs/cert.pem;
    ssl_certificate_key             /etc/ssl/private/key.pem;

    ssl_prefer_server_ciphers       on;
    ssl_session_cache               shared:SSL:50m;
    ssl_session_timeout             5m;
    ssl_session_tickets             off;
    # ssl_dhparam                     /etc/nginx/ssl/dhparam.pem;

    # TLS Support restriction
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    # Nginx Logging
    access_log                      /var/log/nginx/access.log;
    error_log                       /var/log/nginx/error.log;

    ## PROXY backend
    location / {
        # redirect all HTTP traffic to localhost:8088;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_pass              http://127.0.0.1:<port_no>;
        proxy_redirect          http://127.0.0.1:<port_no> https://<website_url>;
        proxy_read_timeout      90;

        # prevents 502 bad gateway error
        proxy_buffers 8 32k;
        proxy_buffer_size 64k;

        # Enable support for web sockets
        proxy_buffering         off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_hide_header 'Access-Control-Allow-Origin';

        # Protect from Click Jacking
        proxy_hide_header X-Powered-By;
        add_header X-Frame-Options SAMEORIGIN;
    }
}
	################################
	## our HTTP server at port 80 ##
	################################
	server {
	listen 80;
	server_name <website_url>;

	# HTTP STS
	add_header Strict-Transport-Security "max-age=31533600; includeSubDomians; preload" always;

	return 301 https://$host$request_uri;
	}

	#########################################################################
	## Our HTTPS server at port 443. You need to provide ssl config below ###
	#########################################################################

	server {
	listen 443 ssl;
	server_name <website_url>;


	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)

	add_header X-XSS-Protection "1; mode=block";
	add_header Strict-Transport-Security "max-age=15768000" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Frame-Options "SAMEORIGIN" always;

	# Improves TTFB by using a smaller SSL buffer than the nginx default
	ssl_buffer_size 8k;

	# certs sent to the client in SERVER are concatenated in ssl_certificate
	#ssl_certificate /etc/letsencrypt/live/<website_url>/fullchain.pem;
	#ssl_certificate_key /etc/letsencrypt/live/<website_url>/privkey.pem;
	#ssl_trusted_certificate /etc/letsencrypt/live/<website_url>/chain.pem;
	ssl_certificate /etc/ssl/certs/cert.pem;
	ssl_certificate_key /etc/ssl/private/key.pem;

	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 5m;
	ssl_session_tickets off;
	# ssl_dhparam /etc/nginx/ssl/dhparam.pem;

	# TLS Support restriction
	ssl_protocols TLSv1.3 TLSv1.2;
	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

	# Nginx Logging
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	## PROXY backend
	location / {
	# redirect all HTTP traffic to localhost:8088;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_pass http://127.0.0.1:<port_no>;
	proxy_redirect http://127.0.0.1:<port_no> https://<website_url>;
	proxy_read_timeout 90;

	# prevents 502 bad gateway error
	proxy_buffers 8 32k;
	proxy_buffer_size 64k;

	# Enable support for web sockets
	proxy_buffering off;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "Upgrade";
	proxy_hide_header 'Access-Control-Allow-Origin';

	# Protect from Click Jacking
	proxy_hide_header X-Powered-By;
	add_header X-Frame-Options SAMEORIGIN;
	}
	}