katopz · May 2, 2016 04:59
diff --git a/default.conf b/default.conf
 server {
    listen 80 default_server;
    listen [::]:80 default_server;

    add_header Content-Security-Policy "default-src 'self';";
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Xss-Protection "1";

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
 }

 server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rabbot.io www.rabbot.io;

    # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
    # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
    ssl_stapling on;
    ssl_stapling_verify on;

    # enables server-side protection from BEAST attacks
    # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
    ssl_prefer_server_ciphers on;

    # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
    ssl_certificate /etc/letsencrypt/live/rabbot.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rabbot.io/privkey.pem;

    # enable session resumption to improve https performance
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    # With this shared session (of 10m), nginx will be able to handle 10 x 4000 sessions and the sessions will be valid for 1 hour.
    # https://leandromoreira.com.br/2015/10/12/how-to-optimize-nginx-configuration-for-http2-tls-ssl/
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;

    # Diffie-Hellman for TLS
    # https://weakdh.org/sysadmin.html
    ssl_dhparam "/etc/dhparams.pem";

    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31557600;" always;

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Xss-Protection "1";

    # CSP
    add_header Content-Security-Policy "default-src 'none';
        script-src      'self' https: *.google-analytics.com cdn.ampproject.org 'sha256-SYto7HB+/GJNcLL8K8V2a/TcrYa7vjo31poLSaS1c54=' 'sha256-7eokZXuJHwaMyrDWeK2EfEy32uuqqDE746cI$
        font-src        fonts.googleapis.com fonts.gstatic.com;
        style-src       fonts.googleapis.com 'unsafe-inline';
        img-src         'self' data: amp-error-reporting.appspot.com;
        connect-src     https://www.google-analytics.com;";

    # AMP
    add_header Access-Control-Allow-Origin "*.ampproject.org";
    add_header AMP-Access-Control-Allow-Source-Origin "https://rabbot.io";
    add_header Access-Control-Expose-Headers "AMP-Access-Control-Allow-Source-Origin";

    # Your favorite resolver may be used instead of the Google one below
    #resolver 8.8.8.8;
    #root /var/www/rabbot.io;
    #index index.html;

    # Static File Caching
    #location ~* .(ico|png)$ {
    #    expires 365d;
    #}

    # Nginx logs every request that hits the VPS to a log file.
    access_log off;

    # Add a trailing slash to path
    rewrite ^([^?#]*/)([^?#./]+)([?#].*)?$ $1$2/$3 permanent;

    location / {
        # https://mtik00.com/2015/08/nginx-proxy-for-github-pages/
        proxy_pass https://rabbots.github.io;
        proxy_intercept_errors on;

        # allow GitHub to pass caching headers instead of using our own
        expires off;
    }
 }

 server {
    listen 80;
    listen [::]:80;
    server_name mon.rabbot.io;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:19999/;
        proxy_redirect http://localhost:19999/ https://$server_name/;
    }
 }
diff --git a/nginx.conf b/nginx.conf
 user  nginx;
 worker_processes  1;

 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;


 events {
    worker_connections  1024;
 }


 http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout 40;

    # Compression

    # Enable Gzip compressed.
    gzip on;
    gzip_static on;

    # Enable compression both for HTTP/1.0 and HTTP/1.1.
    gzip_http_version  1.1;

    # Compression level (1-9).
    # 5 is a perfect compromise between size and cpu usage, offering about
    # 75% reduction for most ascii files (almost identical to level 9).
    gzip_comp_level    5;

    # Don't compress anything that's already small and unlikely to shrink much
    # if at all (the default is 20 bytes, which is bad as that usually leads to
    # larger files after gzipping).
    gzip_min_length    1000;

    # Compress data even for clients that are connecting to us via proxies,
    # identified by the "Via" header (required for CloudFront).
    gzip_proxied       any;

    # Tell proxies to cache both the gzipped and regular version of a resource
    # whenever the client's Accept-Encoding capabilities header varies;
    # Avoids the issue where a non-gzip capable client (which is extremely rare
    # today) would display gibberish if their proxy gave them the gzipped version.
    gzip_vary          on;

    # Compress all output labeled with one of the following MIME-types.
    gzip_types
      application/atom+xml
      application/javascript
      application/json
      application/rss+xml
      application/vnd.ms-fontobject
      application/x-font-ttf
      application/x-web-app-manifest+json
      application/xhtml+xml
      application/xml
      font/opentype
      image/svg+xml
      image/x-icon
      text/css
      text/plain
      text/x-component;
    # text/html is always compressed by HttpGzipModule

    # no joy for ie6
    gzip_disable        "MSIE [1-6]\.";
    
    # https://leandromoreira.com.br/2015/10/12/how-to-optimize-nginx-configuration-for-http2-tls-ssl/
    # https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration

    # This handles the client buffer size, meaning any POST actions sent to Nginx. POST actions are typically form submissions.
    client_body_buffer_size 8K;

    # Similar to the previous directive, only instead it handles the client header size. For all intents and purposes, 1K is usually a decent size for this directive.
    client_header_buffer_size 1k;

    # The maximum allowed size for a client request. If the maximum size is exceeded, then Nginx will spit out a 413 error or Request Entity Too Large.
    client_max_body_size 20m;

    # The maximum number and size of buffers for large client headers.
    large_client_header_buffers 2 16k;

    # The client_body_timeout and client_header_timeout directives are responsible for the time a server will wait for a client body or client header to be sent after request.
    # If neither a body or header is sent, the server will issue a 408 error or Request time out.
    client_body_timeout 12s;
    client_header_timeout 12s;

    # end_timeout is established not on the entire transfer of answer, but only between two operations of reading;
    # if after this time client will take nothing, then Nginx is shutting down the connection.
    send_timeout 10;

    # github page
    # proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=gh-pages:10m inactive=360m;
    # proxy_cache_key "$scheme$request_method$host$request_uri";
    # proxy_temp_path /tmp/nginx;

    include /etc/nginx/conf.d/*.conf;
 }
	server {
	listen 80 default_server;
	listen [::]:80 default_server;

	add_header Content-Security-Policy "default-src 'self';";
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Xss-Protection "1";

	# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
	return 301 https://$host$request_uri;
	}

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name rabbot.io www.rabbot.io;

	# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
	# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
	ssl_stapling on;
	ssl_stapling_verify on;

	# enables server-side protection from BEAST attacks
	# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
	ssl_prefer_server_ciphers on;

	# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
	ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
	ssl_certificate /etc/letsencrypt/live/rabbot.io/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/rabbot.io/privkey.pem;

	# enable session resumption to improve https performance
	# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
	# With this shared session (of 10m), nginx will be able to handle 10 x 4000 sessions and the sessions will be valid for 1 hour.
	# https://leandromoreira.com.br/2015/10/12/how-to-optimize-nginx-configuration-for-http2-tls-ssl/
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 1h;

	# Diffie-Hellman for TLS
	# https://weakdh.org/sysadmin.html
	ssl_dhparam "/etc/dhparams.pem";

	# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
	# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
	add_header Strict-Transport-Security "max-age=31557600;" always;

	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Xss-Protection "1";

	# CSP
	add_header Content-Security-Policy "default-src 'none';
	script-src 'self' https: *.google-analytics.com cdn.ampproject.org 'sha256-SYto7HB+/GJNcLL8K8V2a/TcrYa7vjo31poLSaS1c54=' 'sha256-7eokZXuJHwaMyrDWeK2EfEy32uuqqDE746cI$
	font-src fonts.googleapis.com fonts.gstatic.com;
	style-src fonts.googleapis.com 'unsafe-inline';
	img-src 'self' data: amp-error-reporting.appspot.com;
	connect-src https://www.google-analytics.com;";

	# AMP
	add_header Access-Control-Allow-Origin "*.ampproject.org";
	add_header AMP-Access-Control-Allow-Source-Origin "https://rabbot.io";
	add_header Access-Control-Expose-Headers "AMP-Access-Control-Allow-Source-Origin";

	# Your favorite resolver may be used instead of the Google one below
	#resolver 8.8.8.8;
	#root /var/www/rabbot.io;
	#index index.html;

	# Static File Caching
	#location ~* .(ico\|png)$ {
	# expires 365d;
	#}

	# Nginx logs every request that hits the VPS to a log file.
	access_log off;

	# Add a trailing slash to path
	rewrite ^([^?#]/)([^?#./]+)([?#].)?$ $1$2/$3 permanent;

	location / {
	# https://mtik00.com/2015/08/nginx-proxy-for-github-pages/
	proxy_pass https://rabbots.github.io;
	proxy_intercept_errors on;

	# allow GitHub to pass caching headers instead of using our own
	expires off;
	}
	}

	server {
	listen 80;
	listen [::]:80;
	server_name mon.rabbot.io;

	location / {
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $host;
	proxy_set_header X-NginX-Proxy true;
	proxy_pass http://localhost:19999/;
	proxy_redirect http://localhost:19999/ https://$server_name/;
	}
	}
	user nginx;
	worker_processes 1;

	error_log /var/log/nginx/error.log warn;
	pid /var/run/nginx.pid;


	events {
	worker_connections 1024;
	}


	http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';

	access_log /var/log/nginx/access.log main;

	sendfile on;
	#tcp_nopush on;

	keepalive_timeout 40;

	# Compression

	# Enable Gzip compressed.
	gzip on;
	gzip_static on;

	# Enable compression both for HTTP/1.0 and HTTP/1.1.
	gzip_http_version 1.1;

	# Compression level (1-9).
	# 5 is a perfect compromise between size and cpu usage, offering about
	# 75% reduction for most ascii files (almost identical to level 9).
	gzip_comp_level 5;

	# Don't compress anything that's already small and unlikely to shrink much
	# if at all (the default is 20 bytes, which is bad as that usually leads to
	# larger files after gzipping).
	gzip_min_length 1000;

	# Compress data even for clients that are connecting to us via proxies,
	# identified by the "Via" header (required for CloudFront).
	gzip_proxied any;

	# Tell proxies to cache both the gzipped and regular version of a resource
	# whenever the client's Accept-Encoding capabilities header varies;
	# Avoids the issue where a non-gzip capable client (which is extremely rare
	# today) would display gibberish if their proxy gave them the gzipped version.
	gzip_vary on;

	# Compress all output labeled with one of the following MIME-types.
	gzip_types
	application/atom+xml
	application/javascript
	application/json
	application/rss+xml
	application/vnd.ms-fontobject
	application/x-font-ttf
	application/x-web-app-manifest+json
	application/xhtml+xml
	application/xml
	font/opentype
	image/svg+xml
	image/x-icon
	text/css
	text/plain
	text/x-component;
	# text/html is always compressed by HttpGzipModule

	# no joy for ie6
	gzip_disable "MSIE [1-6]\.";

	# https://leandromoreira.com.br/2015/10/12/how-to-optimize-nginx-configuration-for-http2-tls-ssl/
	# https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration

	# This handles the client buffer size, meaning any POST actions sent to Nginx. POST actions are typically form submissions.
	client_body_buffer_size 8K;

	# Similar to the previous directive, only instead it handles the client header size. For all intents and purposes, 1K is usually a decent size for this directive.
	client_header_buffer_size 1k;

	# The maximum allowed size for a client request. If the maximum size is exceeded, then Nginx will spit out a 413 error or Request Entity Too Large.
	client_max_body_size 20m;

	# The maximum number and size of buffers for large client headers.
	large_client_header_buffers 2 16k;

	# The client_body_timeout and client_header_timeout directives are responsible for the time a server will wait for a client body or client header to be sent after request.
	# If neither a body or header is sent, the server will issue a 408 error or Request time out.
	client_body_timeout 12s;
	client_header_timeout 12s;

	# end_timeout is established not on the entire transfer of answer, but only between two operations of reading;
	# if after this time client will take nothing, then Nginx is shutting down the connection.
	send_timeout 10;

	# github page
	# proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=gh-pages:10m inactive=360m;
	# proxy_cache_key "$scheme$request_method$host$request_uri";
	# proxy_temp_path /tmp/nginx;

	include /etc/nginx/conf.d/*.conf;
	}