vps/roles/reverse-proxy/templates/nginx.conf

94 lines
2.3 KiB
Nginx Configuration File
Raw Normal View History

2023-12-06 16:15:33 +01:00
user www-data;
2023-11-22 08:26:10 +01:00
worker_processes auto;
worker_rlimit_nofile 1024;
2023-12-01 11:27:02 +01:00
include /etc/nginx/modules-enabled/*.conf;
2023-11-22 08:26:10 +01:00
events {
worker_connections 512;
multi_accept off;
2023-11-22 08:26:10 +01:00
}
http {
2023-12-01 11:27:02 +01:00
##
# Basic Settings
##
2023-11-22 08:26:10 +01:00
sendfile on;
tcp_nopush on;
tcp_nodelay on;
gzip off;
2023-12-01 11:27:02 +01:00
types_hash_max_size 2048;
2023-11-22 08:26:10 +01:00
server_tokens off;
keepalive_timeout 30;
2023-12-01 11:27:02 +01:00
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
2023-11-22 08:26:10 +01:00
include /etc/nginx/mime.types;
default_type application/octet-stream;
2023-12-01 11:27:02 +01:00
##
# SSL Settings
##
2023-11-22 08:26:10 +01:00
2024-02-17 19:01:04 +01:00
ssl_certificate {{ reverse_proxy['ssl_certificate_file'] }};
ssl_certificate_key {{ reverse_proxy['ssl_certificate_key_file'] }};
ssl_trusted_certificate {{ reverse_proxy['ssl_trusted_certificate_file'] }};
2023-11-22 08:26:10 +01:00
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
2023-11-22 08:26:10 +01:00
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
2023-12-01 11:27:02 +01:00
ssl_dhparam /etc/nginx/dhparam.txt;
2023-11-22 08:26:10 +01:00
ssl_prefer_server_ciphers on;
2023-11-22 08:26:10 +01:00
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
2023-12-01 11:27:02 +01:00
ssl_stapling on;
ssl_stapling_verify on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
2023-11-22 08:26:10 +01:00
2023-12-01 11:27:02 +01:00
##
# Headers
##
2023-11-22 08:26:10 +01:00
2024-02-17 19:08:41 +01:00
resolver {{ reverse_proxy['resolver'] }};
2023-11-25 17:40:25 +01:00
2023-12-06 13:59:07 +01:00
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# add_header X-Robots-Tag "noindex, nofollow" always;
2023-12-01 11:27:02 +01:00
add_header Set-Cookie "Path=/; HttpOnly; Secure";
2023-11-22 08:26:10 +01:00
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
2023-12-05 17:45:59 +01:00
proxy_set_header X-Forwarded-Proto $scheme;
2023-11-22 08:26:10 +01:00
proxy_set_header X-Forwarded-Scheme $scheme;
# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
2023-12-01 11:27:02 +01:00
##
# Virtual Host Configs
##
2023-11-22 08:26:10 +01:00
2023-12-01 11:27:02 +01:00
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
2023-11-22 08:26:10 +01:00
}