'nginx/nginx/nginx.conf' toevoegen

This commit is contained in:
Mathijs Lermer 2020-08-14 16:00:42 +02:00
parent e43ea2bb7b
commit b97d19c687

221
nginx/nginx/nginx.conf Normal file
View file

@ -0,0 +1,221 @@
## Version 2018/08/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf
# handige sites:
# https://www.humankode.com/ssl/how-to-set-up-free-ssl-certificates-from-lets-encrypt-using-docker-and-nginx
# https://securityheaders.com/
# https://www.ssllabs.com/
#DH-Param maken:
#sudo openssl dhparam -out /docker/nginx/nginx/conf_split/dhparam-2048.pem 2048
#sudo openssl dhparam -out /docker/nginx/nginx/conf_split/dhparam-4096.pem 4096
# controleren of dit bestand goed is:
# docker exec nginx sh -c "nginx -t -c /config/nginx/nginx.conf"
#zonder downtime nginx reloaden:
# docker exec -it nginx s6-svc -h /var/run/s6/services/nginx
#Cert vernieuwen:
# docker run --rm -it --name certbot \
# -v "/docker/nginx/letsencrypt:/etc/letsencrypt" \
# -v "/docker/nginx/letsencrypt_var:/var/lib/letsencrypt" \
# -v "/docker/nginx/letsencrypt/letsencrypt-site:/data/letsencrypt" \
# -v "/docker/nginx/letsencrypt/log:/var/log/letsencrypt" \
# certbot/certbot renew \
# --webroot -w /data/letsencrypt \
# --quiet && docker exec -it nginx s6-svc -h /var/run/s6/services/nginx
# cronjob: (dagelijks auto vernieuwen)
# sudo docker run --rm --name certbot -v /docker/nginx/letsencrypt:/etc/letsencrypt -v /docker/nginx/letsencrypt_var:/var/lib/letsencrypt -v /docker/nginx/letsencrypt/letsencrypt-site:/data/letsencrypt -v /docker/nginx/letsencrypt/log:/var/log/letsencrypt certbot/certbot renew --webroot -w /data/letsencrypt --quiet && docker restart nginx
user abc;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;
events {
worker_connections 4096;
use epoll;
multi_accept on;
}
#############################################################################################
# #
# http config #
# #
#############################################################################################
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 2048;
client_max_body_size 16M;
# MIME
include /config/nginx/conf_split//mime.types;
default_type application/octet-stream;
# logging
#access_log /var/log/nginx/access.log;
#error_log /var/log/nginx/error.log crit;
# to boost I/O on HDD we can disable access logs
access_log off;
# SSL
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites
include "/config/nginx/conf_split/ssl_dhparam_4096.conf";
# cache informations about FDs, frequently accessed files
# can boost performance, but you need to test those values
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# copies data between one FD and other from within the kernel
# faster than read() + write()
# sendfile on;
# send headers in one piece, it is better than sending them one by one
# tcp_nopush on;
# don't buffer data sent, good for small data bursts in real time
# tcp_nodelay on;
## Compression
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 9;
gzip_http_version 1.1;
gzip_min_length 10;
gzip_types text/plain text/css application/x-javascript text/xml;
gzip_vary on;
gzip_static on; #Needs compilation with gzip_static support
gzip_proxied any;
gzip_disable "MSIE [1-6]\.";
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
}
#############################################################################################
# #
# webservers zonder beveileging #
# #
#############################################################################################
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
#Alle overige doorverwijzen naar https:
location / {
rewrite ^ https://$host$request_uri? permanent;
}
#voor de ACME challange:
location ~ /.well-known/acme-challenge {
allow all;
root /config/letsencrypt/letsencrypt-site/;
}
}
#############################################################################################
# #
# webservers met beveileging #
# #
#############################################################################################
server {
include "/config/nginx/conf_split/listen443.conf";
server_name lermer.nl www.lermer.nl;
ssl_certificate /config/letsencrypt/live/lermer.nl/fullchain.pem;
ssl_certificate_key /config/letsencrypt/live/lermer.nl/privkey.pem;
ssl_trusted_certificate /config/letsencrypt/live/lermer.nl/chain.pem;
#include "/config/nginx/conf_split/ssl_dhparam_2048.conf";
include "/config/nginx/conf_split/ssl_dhparam_4096.conf";
include "/config/nginx/conf_split/ssl_protocol.conf";
include "/config/nginx/conf_split/headers.conf";
add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';";
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://192.168.0.101:8281;
proxy_read_timeout 90;
}
}
#############################################################################################
server {
include "/config/nginx/conf_split/listen443.conf";
server_name test.lermer.nl;
ssl_certificate /config/letsencrypt/live/test.lermer.nl/fullchain.pem;
ssl_certificate_key /config/letsencrypt/live/test.lermer.nl/privkey.pem;
ssl_trusted_certificate /config/letsencrypt/live/test.lermer.nl/chain.pem;
#include "/config/nginx/conf_split/ssl_dhparam_2048.conf";
include "/config/nginx/conf_split/ssl_dhparam_4096.conf";
include "/config/nginx/conf_split/ssl_protocol.conf";
include "/config/nginx/conf_split/headers.conf";
add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';";
root /config/test/;
location / {
root /config/test/;
index index.html ;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ ^/(images|javascript|js|css|flash|media|static)/ {
root /config/test/;
expires 30d;
}
error_page 404 =200 /404.html;
error_page 403 /404.html;
error_page 404 /404.html;
error_page 405 /404.html;
error_page 500 501 502 503 504 /404.html;
}
#############################################################################################
# #
# End #
# #
#############################################################################################
}
daemon off;