-
Notifications
You must be signed in to change notification settings - Fork 5
/
nginx.conf
208 lines (172 loc) · 5.44 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
# general settings
client_max_body_size 3M;
# compression
gzip_disable msie6;
gzip_proxied any;
gzip_comp_level 7;
gzip_vary on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/octet-stream application/xhtml+xml;
gzip on;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/privatebin.info/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/privatebin.info/privkey.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 30m;
ssl_session_tickets off;
# Mozilla intermediate configuration, generated 2023-12-07
# https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=modern&openssl=1.1.1k&guideline=5.7
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
resolver [2001:1620:2057:1::1];
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/privatebin.info/chain.pem;
# cache static files in nginx
proxy_cache_path /var/cache/nginx/proxy_cache levels=1:2 keys_zone=privatebin:10m
max_size=5g inactive=60m use_temp_path=off;
# HTTP server
# serve Letsencrypt challenge, otherwise redirect
server {
server_name .privatebin.info .privatebin.org;
listen 80;
listen [::]:80;
location /.well-known/acme-challenge/ {
alias /srv/acme-challenge/;
try_files $uri =404;
}
location / {
return 301 https://privatebin.info$request_uri;
}
}
server {
server_name .privatebin.net;
listen 80;
listen [::]:80;
location /.well-known/acme-challenge/ {
alias /srv/acme-challenge/;
try_files $uri =404;
}
location / {
return 301 https://privatebin.net$request_uri;
}
}
# HTTPS server
# redirect to main address
server {
server_name *.privatebin.info .privatebin.org;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
location / {
return 301 https://privatebin.info$request_uri;
}
}
server {
server_name *.privatebin.net;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
location / {
return 301 https://privatebin.net$request_uri;
}
}
# directory site
upstream directory {
server privatebin-directory:8000 max_conns=8;
keepalive 16;
}
# static project site
server {
server_name privatebin.info;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
# HSTS (15768000 seconds = 6 months)
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
# Other security headers
add_header Content-Security-Policy "default-src 'none'; font-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'";
add_header Permissions-Policy "browsing-topics=()";
add_header Referrer-Policy no-referrer;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
location / {
root /usr/share/nginx/html;
index index.html;
}
# proxy to demo site container
location /directory {
proxy_pass http://directory/;
proxy_cache privatebin;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection "keep-alive";
sub_filter '"/' '"/directory/';
sub_filter_once off;
}
location /directory/update {
deny all;
}
location /favicon.ico {
return 301 https://$host/theme/img/favicon.ico;
}
location /robots.txt {
default_type text/plain;
return 204; # No Content
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
# demo site
upstream demo {
server privatebin-demo:8080;
keepalive 16;
}
server {
server_name privatebin.net;
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
# HSTS (15768000 seconds = 6 months)
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
# proxy to demo site container
location / {
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE";
add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type";
return 204;
}
proxy_pass http://demo;
proxy_cache privatebin;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection "keep-alive";
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# deny access to sensitive folders
location ~ /(cfg|doc|data|lib|tpl|tst|vendor) {
deny all;
}
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
}