VirtuBox · August 21, 2017 04:36
diff --git a/mastodon.conf b/mastodon.conf
 map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
 }
 # redirection http vers https
 server {
 listen 80;
 listen [::]:80;
 server_name www.votredomaine.com votredomaine.com;
 return 301 https://votredomaine.com$request_uri;

 access_log /dev/null;
 error_log /dev/null;
 }

 # block https
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
 server_name www.votredomaine.com votredomaine.com;

 if ($host = www.votredomaine.com) {
  return 301 https://votredomaine.com$request_uri;
 }


 access_log /var/log/nginx/votredomaine.com-access.log;
 error_log /var/log/nginx/votredomaine.com-error.log;

 # configuration ssl avec letsencrypt
 ssl_certificate /etc/letsencrypt/live/votredomaine.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/votredomaine.com/privkey.pem;;
 ssl_protocols TLSv1.2;
 ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES;
 ssl_prefer_server_ciphers on;

 # ajout des headers pour le HSTS, CSP et Referrer-Policy
 add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload";
 add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' wss://votredomaine.com;";
 add_header Referrer-Policy "strict-origin-when-cross-origin";

 keepalive_timeout 70;
 sendfile on;
 client_max_body_size 0;
 gzip off;

 root /home/mastodon/live/public;

 location / {
  try_files $uri @proxy;
 }

 location @proxy {
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto https;
  proxy_pass_header Server;
  proxy_pass http://127.0.0.1:3000;
  proxy_buffering off;
  proxy_redirect off;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
  tcp_nodelay on;
 }

 location /api/v1/streaming {
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto https;
  proxy_pass http://127.0.0.1:4000;
  proxy_buffering off;
  proxy_redirect off;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;
  tcp_nodelay on;
 }

 error_page 500 501 502 503 504 /500.html;

 }
	map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
	}
	# redirection http vers https
	server {
	listen 80;
	listen [::]:80;
	server_name www.votredomaine.com votredomaine.com;
	return 301 https://votredomaine.com$request_uri;

	access_log /dev/null;
	error_log /dev/null;
	}

	# block https
	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name www.votredomaine.com votredomaine.com;

	if ($host = www.votredomaine.com) {
	return 301 https://votredomaine.com$request_uri;
	}


	access_log /var/log/nginx/votredomaine.com-access.log;
	error_log /var/log/nginx/votredomaine.com-error.log;

	# configuration ssl avec letsencrypt
	ssl_certificate /etc/letsencrypt/live/votredomaine.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/votredomaine.com/privkey.pem;;
	ssl_protocols TLSv1.2;
	ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES;
	ssl_prefer_server_ciphers on;

	# ajout des headers pour le HSTS, CSP et Referrer-Policy
	add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload";
	add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' wss://votredomaine.com;";
	add_header Referrer-Policy "strict-origin-when-cross-origin";

	keepalive_timeout 70;
	sendfile on;
	client_max_body_size 0;
	gzip off;

	root /home/mastodon/live/public;

	location / {
	try_files $uri @proxy;
	}

	location @proxy {
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;
	proxy_pass_header Server;
	proxy_pass http://127.0.0.1:3000;
	proxy_buffering off;
	proxy_redirect off;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	tcp_nodelay on;
	}

	location /api/v1/streaming {
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;
	proxy_pass http://127.0.0.1:4000;
	proxy_buffering off;
	proxy_redirect off;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	tcp_nodelay on;
	}

	error_page 500 501 502 503 504 /500.html;

	}