vps/roles/reverse-proxy/templates/nginx.conf

user www-data;
worker_processes auto;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	multi_accept off;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;

	gzip off;
	types_hash_max_size 2048;
	server_tokens off;
	keepalive_timeout 65;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_certificate {{ reverse_proxy['ssl_certificate_file'] }};
	ssl_certificate_key {{ reverse_proxy['ssl_certificate_key_file'] }};
	ssl_trusted_certificate {{ reverse_proxy['ssl_trusted_certificate_file'] }};

	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
	# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
	ssl_dhparam /etc/nginx/dhparam.txt;

	ssl_prefer_server_ciphers on;

	ssl_session_timeout 1d;
	ssl_session_cache shared:MozSSL:10m;
	ssl_session_tickets off;

	ssl_stapling on;
	ssl_stapling_verify on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Headers
	##

	resolver {{ reverse_proxy['resolver'] }};

	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
	# add_header X-Robots-Tag "noindex, nofollow" always;
	add_header Set-Cookie "Path=/; HttpOnly; Secure";

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Port $server_port;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-Scheme $scheme;

	# Needed to support websocket connections
	# See: https://nginx.org/en/docs/http/websocket.html
	# Instead of "close" as stated in the above link we send an empty value.
	# Else all keepalive connections will not work.
	map $http_upgrade $connection_upgrade {
		default upgrade;
		''      "";
	}

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}
-												removed rootless nginx-rp

											
										
										
											2023-12-06 16:15:33 +01:00
+								user www-data;
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
+								worker_processes auto;
-												Moved reverse proxy outside of docker

											
										
										
											2023-12-01 11:27:02 +01:00
+								include /etc/nginx/modules-enabled/*.conf;
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
 								events {
-												Moved reverse proxy outside of docker

											
										
										
											2023-12-01 11:27:02 +01:00
+									worker_connections 768;
-												NGINX: Set ssl_prefer_server_ciphers to on & remove robot tags.

											
										
										
											2024-02-13 13:58:10 +01:00
+									multi_accept off;
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
+								}
 								http {
-												Moved reverse proxy outside of docker

											
										
										
											2023-12-01 11:27:02 +01:00
 									##
 									# Basic Settings
 									##
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
+									sendfile on;
 									tcp_nopush on;
 									tcp_nodelay on;
 									gzip off;
-												Moved reverse proxy outside of docker

											
										
										
											2023-12-01 11:27:02 +01:00
+									types_hash_max_size 2048;
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
+									server_tokens off;
-												Moved reverse proxy outside of docker

											
										
										
											2023-12-01 11:27:02 +01:00
+									keepalive_timeout 65;
 									# server_names_hash_bucket_size 64;
 									# server_name_in_redirect off;
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
+									include /etc/nginx/mime.types;
 									default_type application/octet-stream;
-												Moved reverse proxy outside of docker

											
										
										
											2023-12-01 11:27:02 +01:00
+									##
 									# SSL Settings
 									##
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
-												The Great Ansible Update.

											
										
										
											2024-02-17 19:01:04 +01:00
+									ssl_certificate {{ reverse_proxy['ssl_certificate_file'] }};
 									ssl_certificate_key {{ reverse_proxy['ssl_certificate_key_file'] }};
 									ssl_trusted_certificate {{ reverse_proxy['ssl_trusted_certificate_file'] }};
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
-												NGINX RP : Downgrade params SSL pr Firefox android

Pour jsp quelle raison firefox android balance une erreur si on essaie
d'ajouter SearXNG aux moteurs de recherche en ayant que SSL 1.3
d'activé. Du coup j'ai baissé les exigeances pr autoriser SSL 1.2.

											
										
										
											2023-11-23 14:04:15 +01:00
+									ssl_protocols TLSv1.2 TLSv1.3;
 									ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
+									# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
-												Moved reverse proxy outside of docker

											
										
										
											2023-12-01 11:27:02 +01:00
+									ssl_dhparam /etc/nginx/dhparam.txt;
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
-												NGINX: Set ssl_prefer_server_ciphers to on & remove robot tags.

											
										
										
											2024-02-13 13:58:10 +01:00
+									ssl_prefer_server_ciphers on;
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
 									ssl_session_timeout 1d;
 									ssl_session_cache shared:MozSSL:10m;
 									ssl_session_tickets off;
-												Moved reverse proxy outside of docker

											
										
										
											2023-12-01 11:27:02 +01:00
+									ssl_stapling on;
 									ssl_stapling_verify on;
 									##
 									# Logging Settings
 									##
 									access_log /var/log/nginx/access.log;
 									error_log /var/log/nginx/error.log;
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
-												Moved reverse proxy outside of docker

											
										
										
											2023-12-01 11:27:02 +01:00
+									##
 									# Headers
 									##
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
-												The Great Ansible Update.

											
										
										
											2024-02-17 19:01:04 +01:00
+									resolver {{ reverse_proxy['resolver'] }};
-												Utiliser IPv6 parce que c'est cool.

											
										
										
											2023-11-25 17:40:25 +01:00
-												nginx-rp fix padding + add collabora

											
										
										
											2023-12-06 13:59:07 +01:00
+									add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-												NGINX: Set ssl_prefer_server_ciphers to on & remove robot tags.

											
										
										
											2024-02-13 13:58:10 +01:00
+									# add_header X-Robots-Tag "noindex, nofollow" always;
-												Moved reverse proxy outside of docker

											
										
										
											2023-12-01 11:27:02 +01:00
+									add_header Set-Cookie "Path=/; HttpOnly; Secure";
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
+									proxy_set_header Host $host;
 									proxy_set_header X-Real-IP $remote_addr;
 									proxy_set_header X-Forwarded-Port $server_port;
 									proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-												add rootless + matrix server discovery

											
										
										
											2023-12-05 17:45:59 +01:00
+									proxy_set_header X-Forwarded-Proto $scheme;
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
+									proxy_set_header X-Forwarded-Scheme $scheme;
 									# Needed to support websocket connections
 									# See: https://nginx.org/en/docs/http/websocket.html
 									# Instead of "close" as stated in the above link we send an empty value.
 									# Else all keepalive connections will not work.
 									map $http_upgrade $connection_upgrade {
 										default upgrade;
 										''      "";
 									}
-												Moved reverse proxy outside of docker

											
										
										
											2023-12-01 11:27:02 +01:00
+									##
 									# Virtual Host Configs
 									##
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
-												Moved reverse proxy outside of docker

											
										
										
											2023-12-01 11:27:02 +01:00
+									include /etc/nginx/conf.d/*.conf;
 									include /etc/nginx/sites-enabled/*;
-												fjeaj

											
										
										
											2023-11-22 08:26:10 +01:00
+								}