2019-11-14, updated 2019-11-14

This page may be useful to others.

My /etc/nginx/nginx.conf:

# Worker processes run as this unprivileged user; only the master process
# (which binds the privileged ports 80/443) stays root.
user www-data;
worker_processes  2;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;

events {
    # Upper bound on simultaneous connections per worker (clients and proxied
    # upstreams both count against it).
    worker_connections  1024;
}



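http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    access_log  /var/log/nginx/access.log;
    server_names_hash_bucket_size 64;
    # Do not advertise the nginx version in the Server header and on error pages.
    server_tokens off;
    sendfile        on;
    tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    tcp_nodelay        on;
    gzip  on;
    gzip_comp_level   5;
    gzip_http_version 1.0;
    gzip_min_length   0;
    # text/html is left out of gzip_types on purpose: nginx always compresses it.
    # gzip_types        text/plain text/html text/css image/x-icon  application/x-javascript;
    gzip_types        text/plain text/css image/x-icon  application/x-javascript;
    gzip_vary         on;
    # include /etc/nginx/conf.d/*.conf;
    # include /etc/nginx/sites-enabled/*;

    # TLS policy shared by every ssl server below. It lives at http level so the
    # remark42 vhost inherits the same protocol/cipher set instead of falling
    # back to nginx's built-in defaults, which are broader than TLSv1.2-only.
    # CBC-less, ECDHE-only suites: TLS 1.0 (BEAST) and static RSA key exchange
    # are excluded, so no ssl_dhparam is needed.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

    # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
    # ssl_dhparam /etc/ssl/ffdhe4096.pem;
    # ssl_ecdh_curve secp521r1:secp384r1;

    # Session resumption (shared across workers).
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling. Both vhosts use the same Let's Encrypt chain, so the
    # trusted chain and resolver are shared here as well. The resolver is only
    # used to reach the OCSP responder; ssl_stapling_verify checks the response
    # signature against the chain, so a tampered DNS answer cannot forge a staple.
    # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/vidal-rosset.net-0001/fullchain.pem;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
    resolver_timeout 5s;

    # Cache policy for the proxied remark42 responses (see `expires $expires`):
    # HTML is never cached (epoch = Expires in the past + Cache-Control: no-cache),
    # every other content type keeps whatever the backend sent.
    map $sent_http_content_type $expires {
        "text/html"                 epoch;
        "text/html; charset=utf-8"  epoch;
        default                     off;
    }

    # From https://gist.github.com/nrollr/9a39bb636a820fb97eec2ed85e473d38
    # UPDATED 17 February 2019
    # Redirect all HTTP traffic to HTTPS. This is the only :80 server, so it is
    # also the default for any other Host (e.g. remark42.*), which is fine
    # because the redirect target is built from $host.
    server {
        listen 80;
        listen [::]:80;
        server_name vidal-rosset.net;
        return 301 https://$host$request_uri;
    }

    # Main site over TLS
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name vidal-rosset.net;
        ssl_certificate      /etc/letsencrypt/live/vidal-rosset.net-0001/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/vidal-rosset.net-0001/privkey.pem;

        # Security headers. `always` makes nginx emit them on error responses
        # too (without it add_header only applies to 2xx/3xx). Do not add an
        # add_header inside a location of this server: that would replace all
        # of the headers set here for that location.
        # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        add_header X-Frame-Options DENY always;
        # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
        add_header X-Content-Type-Options nosniff always;
        # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
        add_header X-Xss-Protection "1; mode=block" always;

        # Required for LE certificate enrollment using certbot. The :80 server
        # redirects the challenge here, so it is answered over HTTPS.
        location '/.well-known/acme-challenge' {
            default_type "text/plain";
            root /var/www/vidal-rosset/html;
        }
        location / {
            root /var/www/vidal-rosset/html;
        }
    }

    # remark42 (comment engine) behind a reverse proxy.
    server {
        # `ssl` is explicit here; the original relied on the socket being shared
        # with the server above, which already enables ssl on *:443.
        # There is no [::]:443 listen, so over IPv6 this hostname falls through
        # to the default server on that socket (vidal-rosset.net); add
        # `listen [::]:443 ssl;` if the host has an AAAA record.
        listen          443 ssl;             # the port nginx listens on
        server_name     remark42.vidal-rosset.net;    # put your domain here

        ssl_certificate      /etc/letsencrypt/live/vidal-rosset.net-0001/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/vidal-rosset.net-0001/privkey.pem;

        # `preload` only matters once the registrable domain (vidal-rosset.net)
        # sends it too and is submitted to the preload list; the parent vhost
        # above does not, so the flag is currently inert. Frame headers are
        # deliberately not copied from the main vhost: remark42 is loaded in an
        # iframe by the blog pages, so X-Frame-Options DENY would break it.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;

        # limit_conn perip 10;

        gzip            on;
        gzip_types      text/plain application/xml text/css application/javascript;
        gzip_min_length 1000;

        location / {
            expires $expires;
            proxy_redirect                      off;
            # proxy_set_header Host               $host;
            proxy_set_header Host               $http_host;
            proxy_set_header X-Real-IP          $remote_addr;
            # $proxy_add_x_forwarded_for appends $remote_addr to any client-supplied
            # X-Forwarded-For; the backend must only trust the last (right-most) hop.
            proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto  $scheme;
            proxy_read_timeout          1m;
            proxy_connect_timeout       1m;
            proxy_pass                          http://127.0.0.1:8080; # put the URL of the Node.js instance here
        }
    }
}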

That’s it. Note that /etc/nginx/sites-enabled is empty.

Were helpful:


Author: Joseph Vidal-Rosset

Date: 2019-11-14 jeu. 08:08

Blog: https://wwww.vidal-rosset.net

Made with Emacs 26.1 (Org mode 9.2.6) and Org export head (Many thanks to Ivan Tadeu Ferreira Antunes Filho!;)