From b97d19c68795012387ab954d68a2657b91e46628 Mon Sep 17 00:00:00 2001
From: Mathijs Lermer
Date: Fri, 14 Aug 2020 16:00:42 +0200
Subject: [PATCH] 'nginx/nginx/nginx.conf' toevoegen

---
 nginx/nginx/nginx.conf | 221 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 221 insertions(+)
 create mode 100644 nginx/nginx/nginx.conf

diff --git a/nginx/nginx/nginx.conf b/nginx/nginx/nginx.conf
new file mode 100644
index 0000000..843c1e8
--- /dev/null
+++ b/nginx/nginx/nginx.conf
@@ -0,0 +1,221 @@
+## Version 2018/08/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf
+
+# handige sites:
+# https://www.humankode.com/ssl/how-to-set-up-free-ssl-certificates-from-lets-encrypt-using-docker-and-nginx
+
+# https://securityheaders.com/
+# https://www.ssllabs.com/
+
+
+#DH-Param maken:
+#sudo openssl dhparam -out /docker/nginx/nginx/conf_split/dhparam-2048.pem 2048
+#sudo openssl dhparam -out /docker/nginx/nginx/conf_split/dhparam-4096.pem 4096
+
+
+# controleren of dit bestand goed is:
+# docker exec nginx sh -c "nginx -t -c /config/nginx/nginx.conf"
+
+#zonder downtime nginx reloaden:
+# docker exec -it nginx s6-svc -h /var/run/s6/services/nginx
+
+#Cert vernieuwen:
+# docker run --rm -it --name certbot \
+# -v "/docker/nginx/letsencrypt:/etc/letsencrypt" \
+# -v "/docker/nginx/letsencrypt_var:/var/lib/letsencrypt" \
+# -v "/docker/nginx/letsencrypt/letsencrypt-site:/data/letsencrypt" \
+# -v "/docker/nginx/letsencrypt/log:/var/log/letsencrypt" \
+# certbot/certbot renew \
+# --webroot -w /data/letsencrypt \
+# --quiet && docker exec -it nginx s6-svc -h /var/run/s6/services/nginx
+
+# cronjob: (dagelijks auto vernieuwen)
+# sudo docker run --rm --name certbot -v /docker/nginx/letsencrypt:/etc/letsencrypt -v /docker/nginx/letsencrypt_var:/var/lib/letsencrypt -v /docker/nginx/letsencrypt/letsencrypt-site:/data/letsencrypt -v /docker/nginx/letsencrypt/log:/var/log/letsencrypt certbot/certbot renew --webroot -w /data/letsencrypt --quiet && docker restart nginx
+
+user abc;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules/*.conf;
+
+events {
+ worker_connections 4096;
+ use epoll;
+ multi_accept on;
+}
+
+#############################################################################################
+# #
+# http config #
+# #
+#############################################################################################
+
+http {
+
+ charset utf-8;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ server_tokens off;
+ log_not_found off;
+ types_hash_max_size 2048;
+ client_max_body_size 16M;
+
+
+ # MIME
+ include /config/nginx/conf_split//mime.types;
+ default_type application/octet-stream;
+
+ # logging
+ #access_log /var/log/nginx/access.log;
+ #error_log /var/log/nginx/error.log crit;
+ # to boost I/O on HDD we can disable access logs
+ access_log off;
+
+ # SSL
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+
+ # Diffie-Hellman parameter for DHE ciphersuites
+ include "/config/nginx/conf_split/ssl_dhparam_4096.conf";
+
+ # cache informations about FDs, frequently accessed files
+ # can boost performance, but you need to test those values
+ open_file_cache max=200000 inactive=20s;
+ open_file_cache_valid 30s;
+ open_file_cache_min_uses 2;
+ open_file_cache_errors on;
+
+ # copies data between one FD and other from within the kernel
+ # faster than read() + write()
+ # sendfile on;
+
+ # send headers in one piece, it is better than sending them one by one
+ # tcp_nopush on;
+
+ # don't buffer data sent, good for small data bursts in real time
+ # tcp_nodelay on;
+
+ ## Compression
+ gzip on;
+ gzip_buffers 16 8k;
+ gzip_comp_level 9;
+ gzip_http_version 1.1;
+ gzip_min_length 10;
+ gzip_types text/plain text/css application/x-javascript text/xml;
+ gzip_vary on;
+ gzip_static on; #Needs compilation with gzip_static support
+ gzip_proxied any;
+ gzip_disable "MSIE [1-6]\.";
+
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
+
+}
+
+#############################################################################################
+# #
+# webservers zonder beveileging #
+# #
+#############################################################################################
+
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+#Alle overige doorverwijzen naar https:
+ location / {
+ rewrite ^ https://$host$request_uri? permanent;
+ }
+#voor de ACME challange:
+ location ~ /.well-known/acme-challenge {
+ allow all;
+ root /config/letsencrypt/letsencrypt-site/;
+ }
+}
+
+#############################################################################################
+# #
+# webservers met beveileging #
+# #
+#############################################################################################
+
+ server {
+ include "/config/nginx/conf_split/listen443.conf";
+ server_name lermer.nl www.lermer.nl;
+ ssl_certificate /config/letsencrypt/live/lermer.nl/fullchain.pem;
+ ssl_certificate_key /config/letsencrypt/live/lermer.nl/privkey.pem;
+ ssl_trusted_certificate /config/letsencrypt/live/lermer.nl/chain.pem;
+ #include "/config/nginx/conf_split/ssl_dhparam_2048.conf";
+ include "/config/nginx/conf_split/ssl_dhparam_4096.conf";
+ include "/config/nginx/conf_split/ssl_protocol.conf";
+ include "/config/nginx/conf_split/headers.conf";
+
+ add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';";
+
+
+ location / {
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Fix the “It appears that your reverse proxy set up is broken" error.
+ proxy_pass http://192.168.0.101:8281;
+ proxy_read_timeout 90;
+
+
+ }
+ }
+
+
+#############################################################################################
+
+ server {
+ include "/config/nginx/conf_split/listen443.conf";
+ server_name test.lermer.nl;
+ ssl_certificate /config/letsencrypt/live/test.lermer.nl/fullchain.pem;
+ ssl_certificate_key /config/letsencrypt/live/test.lermer.nl/privkey.pem;
+ ssl_trusted_certificate /config/letsencrypt/live/test.lermer.nl/chain.pem;
+ #include "/config/nginx/conf_split/ssl_dhparam_2048.conf";
+ include "/config/nginx/conf_split/ssl_dhparam_4096.conf";
+
+ include "/config/nginx/conf_split/ssl_protocol.conf";
+ include "/config/nginx/conf_split/headers.conf";
+
+ add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';";
+
+ root /config/test/;
+
+ location / {
+ root /config/test/;
+ index index.html ;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location ~ ^/(images|javascript|js|css|flash|media|static)/ {
+ root /config/test/;
+ expires 30d;
+ }
+
+ error_page 404 =200 /404.html;
+ error_page 403 /404.html;
+ error_page 404 /404.html;
+ error_page 405 /404.html;
+ error_page 500 501 502 503 504 /404.html;
+
+}
+
+#############################################################################################
+# #
+# End #
+# #
+#############################################################################################
+
+}
+daemon off;
\ No newline at end of file
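Review bot: The braces in this new file do not balance: the `}` directly after the `proxy_cache_path` line closes the `http` block, which leaves all three `server` blocks at main level and makes the final `}` before `daemon off;` unmatched, so the `nginx -t` check recommended in the header comment should reject the file. Given the "End" banner right before that last `}`, the intent appears to be that `http` wraps the server blocks, and removing the stray `}` after `proxy_cache_path` would restore that. A second point on both 443 `server` blocks: the `Content-Security-Policy` value grants `script-src * 'unsafe-inline' 'unsafe-eval'` and `object-src *`, which leaves almost nothing of the protection that `default-src 'self'` suggests; if the proxied application genuinely needs this, a comment stating why would help the next reader, and `object-src 'none'` is normally safe to tighten regardless. Minor: in the test.lermer.nl block the `proxy_set_header` lines in `location /` have no effect without a `proxy_pass`, and `error_page 404` is declared twice with different handling.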