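################################
## HTTP server on port 80      ##
################################
# Sole job of this block: send every plain-HTTP request to HTTPS.
server {
    listen 80;
    server_name <website_url>;

    # NOTE(review): browsers discard Strict-Transport-Security received over
    # plain HTTP (RFC 6797), so the effective HSTS policy is whatever the
    # port-443 server sends. The directive is kept for parity with the
    # original file; "includeSubDomains" was misspelled, which makes the
    # header value invalid for preload-list checkers. 31533600 seconds is
    # slightly under one year (31536000).
    add_header Strict-Transport-Security "max-age=31533600; includeSubDomains; preload" always;

    # $host echoes the client's Host header (falls back to server_name when
    # the header is absent). If this block is also nginx's default server for
    # port 80, a fixed hostname here avoids redirecting to arbitrary hosts.
    return 301 https://$host$request_uri;
}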
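#########################################################################
## HTTPS server on port 443. Fill in the certificate paths below.      ##
#########################################################################

# Maps the client's Upgrade header to the Connection value forwarded to the
# backend: "upgrade" only during a WebSocket handshake, "close" for ordinary
# requests. The original file sent "Connection: Upgrade" on every request,
# which some backends mishandle. A map must live at http level (this file's
# server blocks are at that level); define it once — drop this copy if
# nginx.conf already declares $connection_upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name <website_url>;

    ## Security response headers
    # "always" also attaches them to 4xx/5xx responses.
    # HSTS: 15768000 seconds = 6 months (ngx_http_headers_module is required).
    # Preload-list submission needs max-age >= 31536000 plus includeSubDomains.
    add_header Strict-Transport-Security "max-age=15768000" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Clickjacking protection. Inherited by "location /" below — see the
    # note there on why that block must not declare its own add_header.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The legacy XSS auditor has been removed from current browsers and, where
    # it still exists, "1; mode=block" introduces its own side channels.
    # "0" explicitly disables it (OWASP recommendation).
    add_header X-XSS-Protection "0" always;

    ## TLS
    # A smaller record buffer than the nginx default (16k) improves TTFB.
    ssl_buffer_size 8k;
    # The chain presented to clients is the concatenation in ssl_certificate.
    #ssl_certificate /etc/letsencrypt/live/<website_url>/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/<website_url>/privkey.pem;
    #ssl_trusted_certificate /etc/letsencrypt/live/<website_url>/chain.pem;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    # Tickets off: unless ticket keys are rotated, long-lived tickets weaken
    # forward secrecy, so resumption relies on the shared cache above.
    ssl_session_tickets off;
    # The DHE-* suites below are only negotiated once ssl_dhparam is set
    # (nginx >= 1.11 ships no default parameters); generate >= 2048-bit
    # parameters before enabling this line.
    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # TLS version restriction
    ssl_protocols TLSv1.3 TLSv1.2;
    # Forward-secret AEAD suites only (Mozilla "intermediate" TLS 1.2 set).
    # The original list also permitted 3DES (DES-CBC3-SHA variants), SHA-1
    # CBC suites and static-RSA key exchange; note that OpenSSL's "!DES"
    # excludes single DES only, not triple DES. TLS 1.3 suites are not
    # governed by this directive.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";

    ## Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ## Reverse proxy to the application
    location / {
        # Every request is forwarded to the application on 127.0.0.1:<port_no>.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:<port_no>;
        proxy_redirect http://127.0.0.1:<port_no> https://<website_url>;
        proxy_read_timeout 90;
        # A larger header buffer avoids "upstream sent too big header" 502s.
        proxy_buffers 8 32k;
        proxy_buffer_size 64k;
        # Stream responses to the client instead of spooling them in nginx.
        proxy_buffering off;
        # WebSocket support: HTTP/1.1 plus pass-through of the Upgrade
        # handshake; Connection is derived from the map declared above.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Strip backend headers that should not reach clients (CORS policy is
        # decided here, and X-Powered-By is version disclosure).
        proxy_hide_header 'Access-Control-Allow-Origin';
        proxy_hide_header X-Powered-By;
        # No add_header in this block on purpose: nginx inherits add_header
        # from the server level only when the location declares none, so the
        # original "add_header X-Frame-Options SAMEORIGIN;" here silently
        # dropped HSTS, X-Content-Type-Options and X-XSS-Protection from every
        # proxied response. X-Frame-Options is now inherited from the server.
    }
}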