# Plain-HTTP entry point for both host names: nothing is served here, every
# request is sent to the canonical HTTPS origin with a permanent redirect.
server {
    listen 80;
    listen [::]:80;
    server_name wsd.events www.wsd.events;

    # $request_uri carries the original path and query string unchanged.
    return 301 https://wsd.events$request_uri;
}
# www.wsd.events over TLS: complete the handshake with the wsd.events
# certificate (presumably it lists the www name as well — confirm) and then
# redirect to the apex host.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.wsd.events;

    ssl_certificate /etc/letsencrypt/live/wsd.events/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wsd.events/privkey.pem;
    # chain.pem holds only the intermediates, which is what
    # ssl_trusted_certificate is meant to carry for stapling verification;
    # the stapling/protocol policy itself presumably lives in the snippet
    # below, which is not shown here.
    ssl_trusted_certificate /etc/letsencrypt/live/wsd.events/chain.pem;
    include snippets/ssl-params.conf;

    return 301 https://wsd.events$request_uri;
}
# The site itself, TLS only (plain HTTP is handled by the redirect server at
# the top of this file).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name wsd.events;

    ssl_certificate /etc/letsencrypt/live/wsd.events/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wsd.events/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/wsd.events/chain.pem;
    # Shared TLS policy (protocols, ciphers, HSTS, …) is expected to come from
    # this snippet, which is not shown here — review it together with this file.
    include snippets/ssl-params.conf;

    root /var/www/wsd.events/html;
    index index.html;

    # /<n>/<n>/<n>/pres/<name> (presumably year/month/day) becomes
    # /<n>-<n>-<n>/<name>. With no flag on the rewrite, nginx re-runs location
    # matching on the new URI, so the second block below serves the file from
    # the pres root.
    location ~ ^/([0-9]+)/([0-9]+)/([0-9]+)/pres/(.+)$ {
        rewrite ^/([0-9]+)/([0-9]+)/([0-9]+)/pres/(.+)$ /$1-$2-$3/$4;
    }
    location ~ ^/[0-9]+\-[0-9]+\-[0-9]+/.*$ {
        root /var/www/wsd.events/www/pres;
    }
}
# www → apex canonicalisation on both ports. The trailing "?" on the
# replacement stops nginx from appending the original query string a second
# time ($request_uri already contains it).
server {
    listen 80;
    listen 443;
    server_name www.wsd.events;

    # NOTE(review): there are no ssl_* directives here and no "ssl" flag on
    # listen 443, so TLS for www.wsd.events on this port apparently rides on
    # the default_server settings of the wsd.events block below. Confirm that
    # certificate also names www.wsd.events; otherwise the HTTPS variant of
    # this redirect fails at the handshake, before the rewrite ever runs.
    rewrite ^ https://wsd.events$request_uri? permanent;
}
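# Canonical origin for wsd.events on plain HTTP and TLS. Plain-HTTP hits are
# bounced to HTTPS below; as default_server on :443 this block also receives
# TLS connections for any name no other server claims.
server {
    listen 80;
    listen 443 default_server ssl;
    server_name wsd.events;

    error_log /var/www/wsd.events/www/logs/error.log;
    access_log /var/www/wsd.events/www/logs/access.log;

    index index.html index.htm;
    charset utf-8;
    error_page 404 /404.html;
    root /var/www/wsd.events/www/htdocs;

    # fix issue when http-only domains were accessed by https and served by this server section
    # to fix we redirect other domains outta here
    # see: http://nginx.org/ru/docs/http/configuring_https_servers.html#name_based_https_servers
    # note: might be removed in case when there is only one domain on IP
    # NOTE(review): the pattern is an unanchored regex with an unescaped dot,
    # so any Host containing "wsd<any char>events" is accepted, and every other
    # Host value is copied verbatim into the Location header — effectively a
    # Host-header open redirect. If the other domains on this IP are known,
    # match them explicitly, or at least anchor the check, e.g.
    # if ($http_host !~ ^(www\.)?wsd\.events(:[0-9]+)?$), and redirect to a
    # fixed host rather than $http_host.
    if ($http_host !~ wsd.events ) {
        return 302 http://$http_host$request_uri;
    }

    # redirect to ssl version
    # $ssl_protocol is empty on the :80 listener and set once TLS is negotiated.
    if ($ssl_protocol = "") {
        return 301 https://$server_name$request_uri;
    }

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # Generate with:
    #   openssl dhparam -out /etc/nginx/dhparam.pem 2048
    ssl_dhparam /etc/nginx/dhparam.pem;

    ssl_certificate /etc/letsencrypt/live/wsd.events/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wsd.events/privkey.pem;
    # NOTE(review): the sibling config in this gist points
    # ssl_trusted_certificate at chain.pem (intermediates only), which is the
    # file ssl_stapling_verify validates the OCSP response against; fullchain.pem
    # also contains the leaf. Confirm which one was intended.
    ssl_trusted_certificate /etc/letsencrypt/live/wsd.events/fullchain.pem;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # What Mozilla calls "Intermediate configuration"
    # Copied from https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE(review): this is the 2016 profile. TLSv1/TLSv1.1 and the 3DES
    # (DES-CBC3-SHA) suites it still permits have since been deprecated;
    # trimming to TLSv1.2+ with the ECDHE/AEAD suites drops only legacy
    # clients — check the access log before tightening.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE (CVE-2014-3566)
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    # If you want to specify a DNS resolver for stapling, you can uncomment the below
    # line. If you leave it commented, nginx will use your system resolver, which will probably
    # work just fine!
    # resolver <IP DNS resolver>;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # NOTE(review): without "always" this header is only attached to success
    # and redirect responses, unlike the three headers that follow — presumably
    # deliberate, but worth confirming.
    add_header Strict-Transport-Security max-age=15768000;
    # tells the browser whether you want to allow your site to be framed or not
    # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
    add_header X-Frame-Options "SAMEORIGIN" always;
    # the configuration for the cross-site scripting filter built into most browsers
    # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
    add_header X-Xss-Protection "1; mode=block" always;
    # stop a browser from trying to MIME-sniff the content type and force it to stick with the declared content-type
    # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
    add_header X-Content-Type-Options "nosniff" always;

    # NOTE(review): $new is not defined in this file — presumably a "map" in the
    # http{} context that resolves legacy URLs to their new location. It must
    # exist, otherwise nginx rejects the config with an unknown-variable error.
    if ($new) {
        return 301 $new;
    }

    location / {
        root /var/www/wsd.events/www/htdocs;
    }

    # /<n>/<n>/<n>/pres/<name> (presumably year/month/day) becomes
    # /<n>-<n>-<n>/<name>. With no flag on the rewrite, nginx re-runs location
    # matching on the new URI, so the next block serves it from the pres root.
    location ~ ^/([0-9]+)/([0-9]+)/([0-9]+)/pres/(.+)$ {
        rewrite ^/([0-9]+)/([0-9]+)/([0-9]+)/pres/(.+)$ /$1-$2-$3/$4;
    }
    location ~ ^/[0-9]+\-[0-9]+\-[0-9]+/.*$ {
        root /var/www/wsd.events/www/pres;
    }

    # Static assets. add_header is inherited from the server level only when a
    # location declares no add_header of its own, so the Cache-Control line
    # alone used to strip HSTS, X-Frame-Options, X-Xss-Protection and
    # X-Content-Type-Options from every asset response. The security headers
    # are therefore repeated in both asset locations.
    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
        expires 1M;
        add_header Cache-Control "public";
        add_header Strict-Transport-Security max-age=15768000;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
    }
    location ~* \.(?:css|js)$ {
        expires max;
        add_header Cache-Control "public";
        add_header Strict-Transport-Security max-age=15768000;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
    }
}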