PaulSec · January 26, 2020 07:27
diff --git a/nginx.conf b/nginx.conf
 user www-data;
 worker_processes 4;
 pid /run/nginx.pid;

 http {

    server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443;
        server_name cfptime.org;

        location / {
            proxy_pass         http://unix:/path/to/cfptime.sock:/;
            proxy_redirect     off;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
        }

        ssl on;
        # Use certificate and key provided by Let's Encrypt:
        ssl_certificate /path/to/certs/fullchain.pem;
        ssl_certificate_key /path/to/certs/privkey.pem;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_session_timeout 1d;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        add_header strict-transport-security "max-age=31536000; includeSubdomains; preload";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";

        error_page 404 = @myownredirect;
        error_page 403 = @myownredirect;

        # error page location redirect 302
        location @myownredirect {
            rewrite .* / permanent;
        }

    }
    server {
        listen 443;
        server_name domain.com www.domain.com;
        root /path/to/domain-website/app/;
        add_header Strict-Transport-Security max-age=31536000;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
    }
 }
	user www-data;
	worker_processes 4;
	pid /run/nginx.pid;

	http {

	server {
	listen 80 default_server;
	listen [::]:80 default_server ipv6only=on;
	return 301 https://$host$request_uri;
	}

	server {
	listen 443;
	server_name cfptime.org;

	location / {
	proxy_pass http://unix:/path/to/cfptime.sock:/;
	proxy_redirect off;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Host $server_name;
	}

	ssl on;
	# Use certificate and key provided by Let's Encrypt:
	ssl_certificate /path/to/certs/fullchain.pem;
	ssl_certificate_key /path/to/certs/privkey.pem;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_session_timeout 1d;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
	add_header strict-transport-security "max-age=31536000; includeSubdomains; preload";
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";

	error_page 404 = @myownredirect;
	error_page 403 = @myownredirect;

	# error page location redirect 302
	location @myownredirect {
	rewrite .* / permanent;
	}

	}
	server {
	listen 443;
	server_name domain.com www.domain.com;
	root /path/to/domain-website/app/;
	add_header Strict-Transport-Security max-age=31536000;
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	}
	}