236 lines
8.9 KiB
Nginx Configuration File
236 lines
8.9 KiB
Nginx Configuration File
## Version 2018/08/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf
|
|
|
|
# handige sites:
|
|
# https://www.humankode.com/ssl/how-to-set-up-free-ssl-certificates-from-lets-encrypt-using-docker-and-nginx
|
|
|
|
# https://securityheaders.com/
|
|
# https://www.ssllabs.com/
|
|
|
|
|
|
## DH-Param maken:
|
|
#sudo openssl dhparam -out /docker/nginx/nginx/conf_split/dhparam-2048.pem 2048
|
|
#sudo openssl dhparam -out /docker/nginx/nginx/conf_split/dhparam-4096.pem 4096
|
|
|
|
|
|
## controleren of dit bestand goed is:
|
|
# docker exec nginx sh -c "nginx -t -c /config/nginx/nginx.conf"
|
|
|
|
## zonder downtime nginx reloaden:
|
|
# docker exec -it nginx s6-svc -h /var/run/s6/services/nginx
|
|
|
|
## Cert aanmaken
|
|
#sudo docker run -it --rm \
|
|
#-v /docker/nginx/letsencrypt:/etc/letsencrypt \
|
|
#-v /docker/nginx/letsencrypt_var:/var/lib/letsencrypt \
|
|
#-v /docker/nginx/letsencrypt/letsencrypt-site:/data/letsencrypt \
|
|
#-v "/docker/nginx/letsencrypt/log:/var/log/letsencrypt" \
|
|
#certbot/certbot \
|
|
#certonly --webroot \
|
|
#--email "example@example.nl" \
|
|
#--agree-tos \
|
|
#--rsa-key-size "4096" \
|
|
#--cert-name "example.example.com" \
|
|
#--webroot-path=/data/letsencrypt \
|
|
#-d example.example.com
|
|
|
|
## Cert vernieuwen:
|
|
# docker run --rm -it --name certbot \
|
|
# -v "/docker/nginx/letsencrypt:/etc/letsencrypt" \
|
|
# -v "/docker/nginx/letsencrypt_var:/var/lib/letsencrypt" \
|
|
# -v "/docker/nginx/letsencrypt/letsencrypt-site:/data/letsencrypt" \
|
|
# -v "/docker/nginx/letsencrypt/log:/var/log/letsencrypt" \
|
|
# certbot/certbot renew \
|
|
# --webroot -w /data/letsencrypt \
|
|
# --quiet && docker exec -it nginx s6-svc -h /var/run/s6/services/nginx
|
|
|
|
# cronjob: (dagelijks auto vernieuwen)
|
|
# sudo docker run --rm --name certbot -v /docker/nginx/letsencrypt:/etc/letsencrypt -v /docker/nginx/letsencrypt_var:/var/lib/letsencrypt -v /docker/nginx/letsencrypt/letsencrypt-site:/data/letsencrypt -v /docker/nginx/letsencrypt/log:/var/log/letsencrypt certbot/certbot renew --webroot -w /data/letsencrypt --quiet && docker restart nginx
|
|
|
|
user abc;
|
|
worker_processes auto;
|
|
pid /run/nginx.pid;
|
|
include /etc/nginx/modules/*.conf;
|
|
|
|
events {
|
|
worker_connections 4096;
|
|
use epoll;
|
|
multi_accept on;
|
|
}
|
|
|
|
#############################################################################################
|
|
# #
|
|
# http config #
|
|
# #
|
|
#############################################################################################
|
|
|
|
http {
|
|
|
|
charset utf-8;
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
server_tokens off;
|
|
log_not_found off;
|
|
types_hash_max_size 2048;
|
|
client_max_body_size 16M;
|
|
|
|
|
|
# MIME
|
|
include /config/nginx/conf_split//mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
# logging
|
|
#access_log /var/log/nginx/access.log;
|
|
#error_log /var/log/nginx/error.log crit;
|
|
# to boost I/O on HDD we can disable access logs
|
|
access_log off;
|
|
|
|
# SSL
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_tickets off;
|
|
|
|
# Diffie-Hellman parameter for DHE ciphersuites
|
|
include "/config/nginx/conf_split/ssl_dhparam_4096.conf";
|
|
|
|
# cache informations about FDs, frequently accessed files
|
|
# can boost performance, but you need to test those values
|
|
open_file_cache max=200000 inactive=20s;
|
|
open_file_cache_valid 30s;
|
|
open_file_cache_min_uses 2;
|
|
open_file_cache_errors on;
|
|
|
|
# copies data between one FD and other from within the kernel
|
|
# faster than read() + write()
|
|
# sendfile on;
|
|
|
|
# send headers in one piece, it is better than sending them one by one
|
|
# tcp_nopush on;
|
|
|
|
# don't buffer data sent, good for small data bursts in real time
|
|
# tcp_nodelay on;
|
|
|
|
## Compression
|
|
gzip on;
|
|
gzip_buffers 16 8k;
|
|
gzip_comp_level 9;
|
|
gzip_http_version 1.1;
|
|
gzip_min_length 10;
|
|
gzip_types text/plain text/css application/x-javascript text/xml;
|
|
gzip_vary on;
|
|
gzip_static on; #Needs compilation with gzip_static support
|
|
gzip_proxied any;
|
|
gzip_disable "MSIE [1-6]\.";
|
|
|
|
|
|
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
|
|
|
|
}
|
|
|
|
#############################################################################################
|
|
# #
|
|
# webservers zonder beveileging #
|
|
# #
|
|
#############################################################################################
|
|
|
|
|
|
server {
|
|
listen 80 default_server;
|
|
listen [::]:80 default_server;
|
|
server_name _;
|
|
|
|
#Alle overige doorverwijzen naar https:
|
|
location / {
|
|
rewrite ^ https://$host$request_uri? permanent;
|
|
}
|
|
#voor de ACME challange:
|
|
location ~ /.well-known/acme-challenge {
|
|
allow all;
|
|
root /config/letsencrypt/letsencrypt-site/;
|
|
}
|
|
}
|
|
|
|
#############################################################################################
|
|
# #
|
|
# webservers met beveileging #
|
|
# #
|
|
#############################################################################################
|
|
|
|
server {
|
|
include "/config/nginx/conf_split/listen443.conf";
|
|
server_name example.com www.example.com;
|
|
ssl_certificate /config/letsencrypt/live/example.com/fullchain.pem;
|
|
ssl_certificate_key /config/letsencrypt/live/example.com/privkey.pem;
|
|
ssl_trusted_certificate /config/letsencrypt/live/example.com/chain.pem;
|
|
#include "/config/nginx/conf_split/ssl_dhparam_2048.conf";
|
|
include "/config/nginx/conf_split/ssl_dhparam_4096.conf";
|
|
include "/config/nginx/conf_split/ssl_protocol.conf";
|
|
include "/config/nginx/conf_split/headers.conf";
|
|
|
|
add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';";
|
|
|
|
|
|
location / {
|
|
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Fix the “It appears that your reverse proxy set up is broken" error.
|
|
proxy_pass http://192.168.0.101:8281;
|
|
proxy_read_timeout 90;
|
|
|
|
|
|
}
|
|
}
|
|
|
|
|
|
#############################################################################################
|
|
|
|
server {
|
|
include "/config/nginx/conf_split/listen443.conf";
|
|
server_name test.example.com;
|
|
ssl_certificate /config/letsencrypt/live/test.example.com/fullchain.pem;
|
|
ssl_certificate_key /config/letsencrypt/live/test.example.com/privkey.pem;
|
|
ssl_trusted_certificate /config/letsencrypt/live/test.example.com/chain.pem;
|
|
#include "/config/nginx/conf_split/ssl_dhparam_2048.conf";
|
|
include "/config/nginx/conf_split/ssl_dhparam_4096.conf";
|
|
|
|
include "/config/nginx/conf_split/ssl_protocol_strong.conf";
|
|
include "/config/nginx/conf_split/headers.conf";
|
|
|
|
add_header Content-Security-Policy "default-src 'self'; connect-src *; font-src *; frame-src *; img-src * data:; media-src *; object-src *; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline';";
|
|
|
|
root /config/test/;
|
|
|
|
location / {
|
|
root /config/test/;
|
|
index index.html ;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location ~ ^/(images|javascript|js|css|flash|media|static)/ {
|
|
root /config/test/;
|
|
expires 30d;
|
|
}
|
|
|
|
error_page 404 =200 /404.html;
|
|
error_page 403 /404.html;
|
|
error_page 404 /404.html;
|
|
error_page 405 /404.html;
|
|
error_page 500 501 502 503 504 /404.html;
|
|
|
|
}
|
|
|
|
#############################################################################################
|
|
# #
|
|
# End #
|
|
# #
|
|
#############################################################################################
|
|
|
|
}
|
|
daemon off; |