aegyed91 · September 18, 2018 20:48
diff --git a/mime.types b/mime.types
 types {

  # Data interchange

    application/atom+xml                  atom;
    application/json                      json map topojson;
    application/ld+json                   jsonld;
    application/rss+xml                   rss;
    application/vnd.geo+json              geojson;
    application/xml                       rdf xml;


  # JavaScript

    # Normalize to standard type.
    # https://tools.ietf.org/html/rfc4329#section-7.2
    application/javascript                js;


  # Manifest files

    application/manifest+json             webmanifest;
    application/x-web-app-manifest+json   webapp;
    text/cache-manifest                   appcache;


  # Media files

    audio/midi                            mid midi kar;
    audio/mp4                             aac f4a f4b m4a;
    audio/mpeg                            mp3;
    audio/ogg                             oga ogg opus;
    audio/x-realaudio                     ra;
    audio/x-wav                           wav;
    image/bmp                             bmp;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    image/png                             png;
    image/svg+xml                         svg svgz;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/webp                            webp;
    image/x-jng                           jng;
    video/3gpp                            3gp 3gpp;
    video/mp4                             f4p f4v m4v mp4;
    video/mpeg                            mpeg mpg;
    video/ogg                             ogv;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-mng                           mng;
    video/x-ms-asf                        asf asx;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;

    # Serving `.ico` image files with a different media type
    # prevents Internet Explorer from displaying then as images:
    # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee

    image/x-icon                          cur ico;


  # Microsoft Office

    application/msword                                                         doc;
    application/vnd.ms-excel                                                   xls;
    application/vnd.ms-powerpoint                                              ppt;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;


  # Web fonts

    application/font-woff                 woff;
    application/font-woff2                woff2;
    application/vnd.ms-fontobject         eot;

    # Browsers usually ignore the font media types and simply sniff
    # the bytes to figure out the font type.
    # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
    #
    # However, Blink and WebKit based browsers will show a warning
    # in the console if the following font types are served with any
    # other media types.

    application/x-font-ttf                ttc ttf;
    font/opentype                         otf;


  # Other

    application/java-archive              ear jar war;
    application/mac-binhex40              hqx;
    application/octet-stream              bin deb dll dmg exe img iso msi msm msp safariextz;
    application/pdf                       pdf;
    application/postscript                ai eps ps;
    application/rtf                       rtf;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/vnd.wap.wmlc              wmlc;
    application/x-7z-compressed           7z;
    application/x-bb-appworld             bbaw;
    application/x-bittorrent              torrent;
    application/x-chrome-extension        crx;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-opera-extension         oex;
    application/x-perl                    pl pm;
    application/x-pilot                   pdb prc;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            crt der pem;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xslt+xml                  xsl;
    application/zip                       zip;
    text/css                              css;
    text/html                             htm html shtml;
    text/mathml                           mml;
    text/plain                            txt;
    text/vcard                            vcard vcf;
    text/vnd.rim.location.xloc            xloc;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/vtt                              vtt;
    text/x-component                      htc;

 }
diff --git a/nginx.conf b/nginx.conf
 user www-data;
 worker_processes 4;
 pid /run/nginx.pid;

 events {
    worker_connections 768;
    # multi_accept on;
 }

 http {

    ##
    # Basic Configs
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=one:8m max_size=3000m inactive=600m;
    proxy_temp_path /var/tmp;

    client_body_buffer_size 10K;
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 2 1k;

    client_body_timeout 12;
    client_header_timeout 12;
    send_timeout 10;

    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Configs
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Configs
    ##

    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
 }
diff --git a/vita.hu_server_block b/vita.hu_server_block
 # redirect block
 server {
    listen 80;
    listen 443 ssl;
    server_name www.vita.hu;

    ssl_certificate /etc/nginx/ssl/vita.hu.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/vita.hu.key;

    return 301 https://vita.hu$request_uri;
 }

 # main block
 upstream nodejs {
    server 127.0.0.1:3080 max_fails=0;
 }
 server {
    listen 443 ssl default deferred;

    ssl_certificate /etc/nginx/ssl/vita.hu.chained.crt;
    ssl_certificate_key /etc/nginx/ssl/vita.hu.key;

    # enable session resumption to improve https performance
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # enables server-side protection from BEAST attacks
    # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
    ssl_prefer_server_ciphers on;
    # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ciphers chosen for forward secrecy and compatibility
    # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
    # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
    resolver 8.8.8.8;
    ssl_stapling on;
    ssl_trusted_certificate /etc/nginx/ssl/vita.hu.chained.crt;

    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    # included in https://github.com/helmetjs/helmet
    # add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    root /var/www/vita.hu;
    server_name vita.hu;

    # Handle static files so they are not proxied to NodeJS
    location ~ ^/(css/|js/|fonts/|robots.txt|favicon.ico|crossdomain.xml) {
      root /var/www/vita.hu/dist;
      access_log off;
      expires max;
    }

    # pass the request to the node.js server
    location / {
        # auth_basic "Restricted Content";
        # auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host;

        proxy_pass  http://nodejs;
        proxy_redirect off;

        # Handle Web Socket connections
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_cache_bypass $http_upgrade;

        # performance
        # proxy_cache one;
        # proxy_cache_key $scheme$proxy_host$uri$is_args$args;
        etag on;
    }
 }
	types {

	# Data interchange

	application/atom+xml atom;
	application/json json map topojson;
	application/ld+json jsonld;
	application/rss+xml rss;
	application/vnd.geo+json geojson;
	application/xml rdf xml;


	# JavaScript

	# Normalize to standard type.
	# https://tools.ietf.org/html/rfc4329#section-7.2
	application/javascript js;


	# Manifest files

	application/manifest+json webmanifest;
	application/x-web-app-manifest+json webapp;
	text/cache-manifest appcache;


	# Media files

	audio/midi mid midi kar;
	audio/mp4 aac f4a f4b m4a;
	audio/mpeg mp3;
	audio/ogg oga ogg opus;
	audio/x-realaudio ra;
	audio/x-wav wav;
	image/bmp bmp;
	image/gif gif;
	image/jpeg jpeg jpg;
	image/png png;
	image/svg+xml svg svgz;
	image/tiff tif tiff;
	image/vnd.wap.wbmp wbmp;
	image/webp webp;
	image/x-jng jng;
	video/3gpp 3gp 3gpp;
	video/mp4 f4p f4v m4v mp4;
	video/mpeg mpeg mpg;
	video/ogg ogv;
	video/quicktime mov;
	video/webm webm;
	video/x-flv flv;
	video/x-mng mng;
	video/x-ms-asf asf asx;
	video/x-ms-wmv wmv;
	video/x-msvideo avi;

	# Serving `.ico` image files with a different media type
	# prevents Internet Explorer from displaying then as images:
	# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee

	image/x-icon cur ico;


	# Microsoft Office

	application/msword doc;
	application/vnd.ms-excel xls;
	application/vnd.ms-powerpoint ppt;
	application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
	application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;


	# Web fonts

	application/font-woff woff;
	application/font-woff2 woff2;
	application/vnd.ms-fontobject eot;

	# Browsers usually ignore the font media types and simply sniff
	# the bytes to figure out the font type.
	# https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
	#
	# However, Blink and WebKit based browsers will show a warning
	# in the console if the following font types are served with any
	# other media types.

	application/x-font-ttf ttc ttf;
	font/opentype otf;


	# Other

	application/java-archive ear jar war;
	application/mac-binhex40 hqx;
	application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz;
	application/pdf pdf;
	application/postscript ai eps ps;
	application/rtf rtf;
	application/vnd.google-earth.kml+xml kml;
	application/vnd.google-earth.kmz kmz;
	application/vnd.wap.wmlc wmlc;
	application/x-7z-compressed 7z;
	application/x-bb-appworld bbaw;
	application/x-bittorrent torrent;
	application/x-chrome-extension crx;
	application/x-cocoa cco;
	application/x-java-archive-diff jardiff;
	application/x-java-jnlp-file jnlp;
	application/x-makeself run;
	application/x-opera-extension oex;
	application/x-perl pl pm;
	application/x-pilot pdb prc;
	application/x-rar-compressed rar;
	application/x-redhat-package-manager rpm;
	application/x-sea sea;
	application/x-shockwave-flash swf;
	application/x-stuffit sit;
	application/x-tcl tcl tk;
	application/x-x509-ca-cert crt der pem;
	application/x-xpinstall xpi;
	application/xhtml+xml xhtml;
	application/xslt+xml xsl;
	application/zip zip;
	text/css css;
	text/html htm html shtml;
	text/mathml mml;
	text/plain txt;
	text/vcard vcard vcf;
	text/vnd.rim.location.xloc xloc;
	text/vnd.sun.j2me.app-descriptor jad;
	text/vnd.wap.wml wml;
	text/vtt vtt;
	text/x-component htc;

	}
	user www-data;
	worker_processes 4;
	pid /run/nginx.pid;

	events {
	worker_connections 768;
	# multi_accept on;
	}

	http {

	##
	# Basic Configs
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	server_tokens off;

	proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=one:8m max_size=3000m inactive=600m;
	proxy_temp_path /var/tmp;

	client_body_buffer_size 10K;
	client_header_buffer_size 1k;
	client_max_body_size 8m;
	large_client_header_buffers 2 1k;

	client_body_timeout 12;
	client_header_timeout 12;
	send_timeout 10;

	server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Configs
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Configs
	##

	gzip on;
	gzip_disable "msie6";

	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# nginx-naxsi config
	##
	# Uncomment it if you installed nginx-naxsi
	##

	#include /etc/nginx/naxsi_core.rules;

	##
	# nginx-passenger config
	##
	# Uncomment it if you installed nginx-passenger
	##

	#passenger_root /usr;
	#passenger_ruby /usr/bin/ruby;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}
	# redirect block
	server {
	listen 80;
	listen 443 ssl;
	server_name www.vita.hu;

	ssl_certificate /etc/nginx/ssl/vita.hu.chained.crt;
	ssl_certificate_key /etc/nginx/ssl/vita.hu.key;

	return 301 https://vita.hu$request_uri;
	}

	# main block
	upstream nodejs {
	server 127.0.0.1:3080 max_fails=0;
	}
	server {
	listen 443 ssl default deferred;

	ssl_certificate /etc/nginx/ssl/vita.hu.chained.crt;
	ssl_certificate_key /etc/nginx/ssl/vita.hu.key;

	# enable session resumption to improve https performance
	# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 5m;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;

	# enables server-side protection from BEAST attacks
	# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
	ssl_prefer_server_ciphers on;
	# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ciphers chosen for forward secrecy and compatibility
	# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

	# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
	# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
	resolver 8.8.8.8;
	ssl_stapling on;
	ssl_trusted_certificate /etc/nginx/ssl/vita.hu.chained.crt;

	# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
	# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
	# included in https://github.com/helmetjs/helmet
	# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

	root /var/www/vita.hu;
	server_name vita.hu;

	# Handle static files so they are not proxied to NodeJS
	location ~ ^/(css/\|js/\|fonts/\|robots.txt\|favicon.ico\|crossdomain.xml) {
	root /var/www/vita.hu/dist;
	access_log off;
	expires max;
	}

	# pass the request to the node.js server
	location / {
	# auth_basic "Restricted Content";
	# auth_basic_user_file /etc/nginx/.htpasswd;

	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;
	proxy_set_header Host $host;

	proxy_pass http://nodejs;
	proxy_redirect off;

	# Handle Web Socket connections
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_cache_bypass $http_upgrade;

	# performance
	# proxy_cache one;
	# proxy_cache_key $scheme$proxy_host$uri$is_args$args;
	etag on;
	}
	}