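# main server
# HTTPS vhost for the Jekyll-generated site.
# Request filtering (bad-bot lists, Host, Spamhaus DROP, method, empty UA) is
# done once at server level so it covers every location below, not only "/".
# security_headers.conf is re-included in every location that sets its own
# add_header: nginx stops inheriting add_header as soon as a level defines one,
# and the file is otherwise only pulled into "/".
server {
    listen 443 default_server fastopen=256 ssl http2;
    listen [::]:443 fastopen=256 ssl http2 ipv6only=on;
    server_name itchy.nl www.itchy.nl;
    charset utf-8;

    # Modify certain headers for security.
    more_set_headers "Server: itchy.nl";
    more_set_headers "X-Server-Admin: Yee Chie Tu";
    more_set_headers "X-PGP-Fingerprint: 49C3 0DF3 6393 CD95 E93F A457 16CF E267 6760 8DB6";
    more_set_headers "X-Powered-By: Vultr - www.vultr.com/?ref=6878145";

    # Include my SSL/TLS settings.
    include /etc/nginx/includes/tls.conf;

    root /var/www/itchy;
    index index.html;

    # Block Bad Bots (server-level, same placement as in the port-80 server).
    include /etc/nginx/bots.d/blockbots.conf;
    include /etc/nginx/bots.d/ddos.conf;

    # This is the default_server on :443, so any Host header lands here.
    # Allow only requests to our host; dots are escaped so a name such as
    # "wwwXitchyYnl" no longer matches. Drop connection otherwise.
    if ($host !~ "^(www\.)?itchy\.nl$") { return 444; }
    # Drop connection if listed on Spamhaus DROP/EDROP list.
    # ($is_spamhaus_drop is presumably set by a geo/map block elsewhere - verify.)
    if ($is_spamhaus_drop) { return 444; }
    # Allow only GET, HEAD and POST requests.
    if ($request_method !~ "^(GET|HEAD|POST)$") { return 444; }
    # Empty user agent not allowed.
    if ($http_user_agent = "") { return 444; }

    # root
    location / {
        # prettier url when used with jekyll:
        #   /dir/index.html -> /dir/    and    /dir/page.html -> /dir/page
        # The conditions test $uri (normalized, no query string - the same value
        # the rewrites operate on) with the dot escaped, so only a real ".html"
        # suffix triggers a redirect. A "permanent" rewrite ends processing, so
        # the index.html case never falls through to the second rule.
        if ($uri ~* "index\.html$") {
            rewrite (?i)^(.*)index\.html$ $1 permanent;
        }
        if ($uri ~* "\.html$") {
            rewrite (?i)^(.*)/(.*)\.html $1/$2 permanent;
        }

        # Allow logging.
        access_log /var/log/nginx/access.log main buffer=1m flush=10s;

        # Include my security header parameters.
        include /etc/nginx/includes/security_headers.conf;
        add_header Vary "Accept-Encoding";
        brotli on;
        brotli_static on;
        # NOTE(review): the trailing /index.html fallback answers unknown paths
        # with the home page and status 200, so "error_page 404 /404" below never
        # fires for this location. Use "=404" (or "/404") as the last argument if
        # a real 404 is wanted - left unchanged here.
        try_files $uri.html $uri $uri/ /index.html;
        expires -1;
    }

    # static resources.
    # NOTE(review): "^~" stops regex location matching, so the ".bak/.conf/..."
    # deny-all and the ".php/.aspx/..." 410 rules further down do not apply to
    # anything under /assets/.
    location ^~ /assets/ {
        log_not_found off;
        # Re-include: security headers are otherwise only set in "/", and the
        # add_header below would suppress any server-level add_header anyway.
        include /etc/nginx/includes/security_headers.conf;
        add_header Cache-Control "public";
        expires max;
        # Enable serving static compressed resources.
        brotli on;
        brotli_static on;
        gzip_static on;
        gzip_vary on;

        # Web fonts: cached forever, CORS-readable from any origin
        # (fonts are public and the wildcard does not expose credentials).
        location ~* ^/assets/fonts/.+\.(ttf|eot|woff|woff2)$ {
            # Nested add_header hides the parent's headers; re-include them.
            include /etc/nginx/includes/security_headers.conf;
            add_header Cache-Control "public";
            add_header Vary "Accept-Encoding";
            add_header Access-Control-Allow-Origin *;
        }

        # serve Webp images over jpg/png for supported clients.
        # ($webp_suffix is presumably set from Accept by a map elsewhere - verify.)
        location ~* ^/assets/icons/.+\.(png|jpg)$ {
            include /etc/nginx/includes/security_headers.conf;
            add_header Cache-Control "public, no-transform";
            try_files $uri$webp_suffix $uri =404;
        }
    }

    # serve Webp images over jpg/png for supported clients.
    location ~* ^/content/images/.+\.(png|jpg)$ {
        log_not_found off;
        include /etc/nginx/includes/security_headers.conf;
        add_header Cache-Control "public, no-transform";
        add_header Vary "Accept-Encoding";
        try_files $uri$webp_suffix $uri =404;
        expires max;
    }

    # Serve files not located in the Jekyll build directory.
    # Exact-match locations take precedence over every regex location below.
    location = /67608DB6.pub.asc { alias /var/www/public/67608DB6.pub.asc; }
    location = /humans.txt { alias /var/www/public/humans.txt; }
    location = /robots.txt { alias /var/www/public/robots.txt; }

    # Let's Encrypt / Certbot, renewal location.
    # Served from a dedicated directory outside the site root.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        alias /var/www/acme-challenge/;
    }

    # Hide /acme-challenge subdirectory and return 404 on all requests.
    # It is somewhat more secure than letting Nginx return 403.
    # Ending slash is important! (the "=" exact match wins over the "^~" prefix
    # above, so only the bare directory URL is affected.)
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    # 410 gone error for unsupported file extensions.
    # Disallowing these file extensions.
    location ~ \.(aspx|php|jsp|cgi)$ { return 410; }

    # Prevent clients from accessing to backup/config/source files.
    location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
        deny all;
    }

    # 404 error page (internal redirect to /404, resolved via "/" -> 404.html).
    error_page 404 /404;

    # default nginx error pages.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /etc/nginx/html;
        # Error pages should carry the same security headers as normal responses.
        include /etc/nginx/includes/security_headers.conf;
    }
}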
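# 301 permanent redirects.
# required for HSTS preload (the redirect must stay on the same host).
# When HTTP, 301 permanent redirect to HTTPS.
server {
    listen 80 fastopen=256;
    listen [::]:80 ipv6only=on;
    server_name itchy.nl www.itchy.nl;
    charset utf-8;

    more_set_headers "Server: itchy.nl";
    more_set_headers "X-Server-Admin: Yee Chie Tu";
    more_set_headers "X-PGP-Fingerprint: 49C3 0DF3 6393 CD95 E93F A457 16CF E267 6760 8DB6";
    more_set_headers "X-Powered-By: Vultr - www.vultr.com/?ref=6878145";

    # Block Bad Bots
    include /etc/nginx/bots.d/blockbots.conf;
    include /etc/nginx/bots.d/ddos.conf;

    # $host is taken straight from the client's Host header. If this is the
    # only server on :80 it is also the default one, so without this guard a
    # request carrying an arbitrary Host would be redirected to
    # https://<that host>/... Same check as the HTTPS server; drop anything
    # that is not us.
    if ($host !~ "^(www\.)?itchy\.nl$") { return 444; }

    return 301 https://$host$request_uri;
}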