# Plain-HTTP catch-all for rublev.io: never serves content, only redirects to HTTPS.
server {
    server_name rublev.io www.rublev.io;
    listen 80 default_server;
    listen [::]:80 default_server;

    # $server_name expands to the first name in server_name (rublev.io), so the
    # redirect target is fixed by this config rather than taken from the client's
    # Host header; www.* and any unmatched Host therefore land on https://rublev.io.
    return 301 https://$server_name$request_uri;
}
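# HTTPS vhost for rublev.io (static site). Also the default_server for 443,
# so it answers any TLS connection whose SNI matches no other server block.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name rublev.io www.rublev.io;

    # Certificate paths and the shared TLS policy (protocols, ciphers, HSTS,
    # X-Frame-Options, X-Content-Type-Options) are kept in the snippets.
    include snippets/ssl-rublev.io.conf;
    include snippets/ssl-params.conf;

    root /home/rublev/sites/rublev.io;
    index index.html;

    # ACME HTTP-01 challenge files. The previous `location ~ /.well-known` was an
    # unanchored regex with an unescaped dot, so it matched the string anywhere
    # in the URI (e.g. /foo/.well-known). `^~` is a plain prefix match that also
    # stops regex evaluation, so only the challenge path is special-cased.
    # `allow all` has no effect unless a `deny` rule exists; kept to state intent.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}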
# Jenkins backend: the Jenkins HTTP listener on the loopback interface.
upstream jenkins {
    # fail_timeout=0: the single backend is never marked unavailable after
    # failed attempts, so requests keep being sent to it (e.g. while Jenkins
    # restarts) instead of failing fast for the default 10s window.
    server 127.0.0.1:8081 fail_timeout=0;
}
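# Plain-HTTP entry for jenkins.rublev.io: redirect to HTTPS.
server {
    listen 80;
    # Without an IPv6 listener, http://jenkins.rublev.io reached over IPv6 was
    # caught by the [::]:80 default_server above and redirected to
    # https://rublev.io (wrong host). The default_server blocks already bind
    # [::]:80, so binding here is known to work on this host.
    listen [::]:80;
    server_name jenkins.rublev.io;

    # $host is the client-supplied Host header. This block is only selected by an
    # exact server_name match, so at this point $host is jenkins.rublev.io and
    # the redirect cannot be steered elsewhere.
    return 301 https://$host$request_uri;
}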
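# HTTPS vhost for jenkins.rublev.io: TLS termination, reverse proxy to Jenkins.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name jenkins.rublev.io;

    ssl_certificate /etc/letsencrypt/live/jenkins.rublev.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jenkins.rublev.io/privkey.pem;
    # ssl_stapling_verify (from the snippet below) needs the issuer chain in the
    # trusted store; certbot writes it beside fullchain.pem as chain.pem.
    # Confirm with `nginx -t` and the error log — a "ssl_stapling ignored"
    # warning there means this path is wrong.
    ssl_trusted_certificate /etc/letsencrypt/live/jenkins.rublev.io/chain.pem;

    # Previously this vhost set only the certificate: it inherited nginx's
    # built-in defaults for protocols and ciphers and sent no HSTS, unlike the
    # rublev.io vhost. Reuse the shared snippet so both get the same TLS policy.
    # NOTE(review): the snippet also adds X-Frame-Options DENY. Jenkins sends its
    # own X-Frame-Options and some plugins frame Jenkins pages; if that breaks,
    # override with a location-level add_header (add_header in a location
    # replaces the inherited set rather than extending it).
    include snippets/ssl-params.conf;

    # ACME HTTP-01 challenges, served from the filesystem instead of proxied.
    # Prefix match (^~) replaces the unanchored regex `~ /.well-known`, which
    # matched the string anywhere in the URI. No `root` is set in this server,
    # so files come from nginx's compiled-in default root — confirm the certbot
    # webroot points there, or use a standalone/DNS challenge for this name.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    location / {
        proxy_pass http://jenkins;
        # Host and X-Forwarded-* let Jenkins build correct absolute URLs for
        # the external https://jenkins.rublev.io origin.
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Rewrite Location headers that the backend emits with the http:// scheme.
        proxy_redirect http:// https://;

        # Required for new HTTP-based CLI
        proxy_http_version 1.1;
        proxy_request_buffering off;
    }
}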
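# ORIGINAL PARAMS FROM CYPHERLI.ST
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_prefer_server_ciphers on;
# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
# ssl_session_cache shared:SSL:10m;
# ssl_session_tickets off; # Requires nginx >= 1.5.9
# ssl_stapling on; # Requires nginx >= 1.3.7
# ssl_stapling_verify on; # Requires nginx => 1.3.7
# resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
# resolver_timeout 5s;
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# add_header X-Frame-Options DENY;
# add_header X-Content-Type-Options nosniff;
# MODIFIED DIGITALOCEAN PARAMS
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04#step-1-install-let's-encrypt-client
#
# Shared TLS policy, included by every `listen 443 ssl` server block.
# Certificate paths are per-site and belong in the site's own snippet.

# TLS 1.0 and 1.1 are deprecated (RFC 8996) and flagged by scanners and
# compliance checks, so only TLS 1.2 is offered. Add TLSv1.3 once nginx
# >= 1.13.0 built against OpenSSL >= 1.1.1 is in use — older nginx rejects
# the token at config test time.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# AEAD (GCM) suites first, then AES-256 CBC fallbacks; all are forward-secret.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# A single fixed curve. This excludes X25519 and P-256, which most clients
# prefer; a curve list (colon-separated) needs nginx >= 1.11.0.
ssl_ecdh_curve secp384r1;
# Resumption via the server-side cache only. Tickets are off because a
# long-lived ticket key undermines forward secrecy for the key's lifetime.
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP stapling. ssl_stapling_verify can only verify the responder's signature
# when the issuer chain is in the trusted store (ssl_trusted_certificate); that
# path is per-site, so set it next to ssl_certificate, not here.
ssl_stapling on;
ssl_stapling_verify on;
# Resolver used for the OCSP responder lookup. This is plain DNS to a public
# resolver; a resolver on the host itself would keep the lookup off the wire.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Two-year max-age with includeSubdomains: every host under the serving domain
# must already answer valid HTTPS before this header is first sent, or
# returning browsers refuse to reach it for the remaining max-age.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# NOTE: add_header is not inherited into a location {} that defines its own
# add_header; such a location must repeat all three lines above.
# DH group for the EDH suites; must be at least 2048 bits (openssl dhparam).
ssl_dhparam /etc/ssl/certs/dhparam.pem;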
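# Certificate material for rublev.io / www.rublev.io (certbot directory layout).
ssl_certificate /etc/letsencrypt/live/rublev.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rublev.io/privkey.pem;
# Issuer chain for OCSP stapling verification (ssl_stapling_verify is on in
# ssl-params.conf); certbot writes it as chain.pem beside fullchain.pem.
# Confirm via the error log: a "ssl_stapling ignored" warning means stapling
# is silently off.
ssl_trusted_certificate /etc/letsencrypt/live/rublev.io/chain.pem;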