diff options
Diffstat (limited to 'front/odiparpack/app/.nginx.conf')
| -rw-r--r-- | front/odiparpack/app/.nginx.conf | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/front/odiparpack/app/.nginx.conf b/front/odiparpack/app/.nginx.conf new file mode 100644 index 0000000..6a71831 --- /dev/null +++ b/front/odiparpack/app/.nginx.conf @@ -0,0 +1,112 @@ +## +# Put this file in /etc/nginx/conf.d folder and make sure +# you have a line 'include /etc/nginx/conf.d/*.conf;' +# in your main nginx configuration file +## + +## +# Redirect to the same URL with https:// +## + +server { + + listen 80; + +# Type your domain name below + server_name example.com; + + return 301 https://$server_name$request_uri; + +} + +## +# HTTPS configurations +## + +server { + + listen 443 ssl; + +# Type your domain name below + server_name example.com; + +# Configure the Certificate and Key you got from your CA (e.g. Lets Encrypt) + ssl_certificate /path/to/certificate.crt; + ssl_certificate_key /path/to/server.key; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + +# Only use TLS v1.2 as Transport Security Protocol + ssl_protocols TLSv1.2; + +# Only use ciphersuites that are considered modern and secure by Mozilla + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + +# Do not let attackers downgrade the ciphersuites in Client Hello +# Always use server-side offered ciphersuites + ssl_prefer_server_ciphers on; + +# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; + +# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits +# Uncomment if you want to use your own Diffie-Hellman parameter, which can be generated with: openssl ecparam -genkey -out dhparam.pem -name prime256v1 +# See https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam +# ssl_dhparam /path/to/dhparam.pem; + + +## OCSP Configuration START +# If you want to provide OCSP Stapling, you can uncomment the following lines +# See https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx for more infos about OCSP and its use case +# fetch OCSP records from URL in ssl_certificate and cache them + +#ssl_stapling on; +#ssl_stapling_verify on; + +# verify chain of trust of OCSP response using Root CA and Intermediate certs (you will get this file from your CA) +#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; + +## OCSP Configuration END + +# To let nginx use its own DNS Resolver +# resolver <IP DNS resolver>; + + +# Always serve index.html for any request + location / { + # Set path + root /var/www/; + try_files $uri /index.html; + } + +# Do not cache sw.js, required for offline-first updates. + location /sw.js { + add_header Cache-Control "no-cache"; + proxy_cache_bypass $http_pragma; + proxy_cache_revalidate on; + expires off; + access_log off; + } + +## +# If you want to use Node/Rails/etc. API server +# on the same port (443) config Nginx as a reverse proxy. +# For security reasons use a firewall like ufw in Ubuntu +# and deny port 3000/tcp. +## + +# location /api/ { +# +# proxy_pass http://localhost:3000; +# proxy_http_version 1.1; +# proxy_set_header X-Forwarded-Proto https; +# proxy_set_header Upgrade $http_upgrade; +# proxy_set_header Connection 'upgrade'; +# proxy_set_header Host $host; +# proxy_cache_bypass $http_upgrade; +# +# } + +} |