Diffstat (limited to 'docker/nginx-ssl.conf')
-rw-r--r-- | docker/nginx-ssl.conf | 136 |
1 files changed, 136 insertions, 0 deletions
diff --git a/docker/nginx-ssl.conf b/docker/nginx-ssl.conf
new file mode 100644
index 0000000..71c288a
--- /dev/null
+++ b/docker/nginx-ssl.conf
@@ -0,0 +1,136 @@
+#daemon off; ##Included in CMD
+error_log /dev/stdout info;
+worker_processes 1;
+
+# user nobody nogroup;
+pid /tmp/nginx.pid;
+
+events {
+ worker_connections 1024;
+ accept_mutex off;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ access_log /dev/stdout combined;
+ sendfile on;
+ client_max_body_size 16m;
+ large_client_header_buffers 4 2k;
+
+ limit_req_zone $binary_remote_addr zone=login_ip:10m rate=30r/m;
+ limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
+ limit_conn conn_per_ip 100;
+
+ upstream app_server {
+ # For a TCP configuration:
+ server gitrefineryapp:5000 fail_timeout=0;
+ }
+
+ server {
+ listen 80 default;
+ server_name _;
+
+ keepalive_timeout 5;
+
+ # path for static files
+ root /usr/share/nginx/html;
+
+ return 301 https://layers.openembedded.org$request_uri;
+ }
+
+ server {
+ listen 80;
+ server_name layers.openembedded.org;
+
+ keepalive_timeout 5;
+
+ # path for static files
+ root /usr/share/nginx/html;
+
+ location /.well-known/acme-challenge/ {
+ limit_except GET POST OPTIONS { deny all; }
+ root /var/www/certbot;
+ }
+
+ location / {
+ limit_except GET POST OPTIONS { deny all; }
+ return 301 https://layers.openembedded.org$request_uri;
+ }
+ }
+
+ server {
+ listen 443 ssl default;
+ server_name _;
+ ssl_certificate /etc/letsencrypt/live/layers.openembedded.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/layers.openembedded.org/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL;
+ ssl_ecdh_curve secp521r1;
+ ssl_session_cache shared:SSL:12m;
+ ssl_session_timeout 12m;
+ gzip off;
+
+ keepalive_timeout 5;
+
+ # path for static files
+ root /usr/share/nginx/html;
+
+ return 301 https://layers.openembedded.org$request_uri;
+ }
+
+ server {
+ listen 443 ssl;
+ server_name layers.openembedded.org;
+ ssl_certificate /etc/letsencrypt/live/layers.openembedded.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/layers.openembedded.org/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL;
+ ssl_ecdh_curve secp521r1;
+ ssl_session_cache shared:SSL:12m;
+ ssl_session_timeout 12m;
+ gzip off;
+
+ add_header X-Content-Type-Options nosniff;
+
+ keepalive_timeout 20;
+
+ # path for static files
+ root /usr/share/nginx/html;
+
+ location /favicon.ico {
+ limit_except GET POST OPTIONS { deny all; }
+ return 301 https://layers.openembedded.org/static/img/favicon.ico;
+ }
+
+ location /protected/imagecompare-patches {
+ internal;
+ add_header X-Status $upstream_http_x_status;
+ limit_except GET POST OPTIONS { deny all; }
+ root /opt/www;
+ }
+
+ location / {
+ limit_except GET POST OPTIONS { deny all; }
+ try_files $uri @proxy_to_app;
+ }
+
+ location /accounts/login {
+ limit_except GET POST OPTIONS { deny all; }
+ limit_req zone=login_ip burst=5;
+ try_files $uri @proxy_to_app;
+ }
+
+ location @proxy_to_app {
+ limit_except GET POST OPTIONS { deny all; }
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+
+ proxy_pass http://app_server;
+ }
+ }
+}
|
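Review bot: The `add_header X-Status $upstream_http_x_status;` inside `location /protected/imagecompare-patches` silently drops the server-level `add_header X-Content-Type-Options nosniff;` for responses served from that location, because nginx inherits `add_header` from the enclosing level only when the location defines none of its own; repeat `add_header X-Content-Type-Options nosniff;` inside that location (or move both headers into a shared include). Every plain-HTTP server and the catch-all 443 server already redirect to `https://layers.openembedded.org`, yet the named 443 server sends no HSTS header; `add_header Strict-Transport-Security "max-age=<seconds>" always;` alongside the nosniff header would pin that policy in browsers, starting with a short max-age. `ssl_ecdh_curve secp521r1;` (present in both 443 servers) limits key exchange to a single curve that, as far as I know, Chromium-based clients do not offer, so their handshakes would fail outright; `ssl_ecdh_curve X25519:secp384r1:prime256v1;` keeps strong curves with broad client support. The `@proxy_to_app` location forwards `X-Forwarded-For` and `Host` but no scheme, so the upstream cannot tell the request arrived over TLS unless that is handled elsewhere; `proxy_set_header X-Forwarded-Proto $scheme;` would supply it.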