nginx_reverseproxy_template/example.com.conf at master · MeerBiene/nginx_reverseproxy_template · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# Usage:
# - For Basic Authentification uncomment everything with (1) in fron of it.
# - For Client Certificate Authentification uncomment everything with (2) in front of it.
# - For Caching uncomment everything with a (C) in front of it.
# - For Encrypted traffic between NGINX and your application, uncomment everything with (E) infront of it.


map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

# http server
server {
  listen 80;
  server_name example.com;
  return 301 https://$host$request_uri;
}

# ssl configuration

server {
  listen 443 ssl http2;

  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

  # (ADVANCED AUTHENTIFICATION) Uncomment only for advanced authentification
  #(2) ssl_client_certificate          /etc/nginx/Client-CA.pem; # trusted CA used to issuing client certs
  #(2) ssl_verify_client                on;

  # Improve HTTPS performance with session resumption
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  # Server tokens
  server_tokens off;

  # Enable server-side protection against BEAST attacks
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM';

  # Disable TLSv1 and 1.1 (date of writing: 04.07.2020)
  ssl_protocols TLSv1.3 TLSv1.2;

  # Diffie-Hellman parameter for DHE ciphersuites
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # EDH CURVE
  ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;

  # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

  # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;

# ----------------------------------------------------------------------
# | Compression                                                        |
# ----------------------------------------------------------------------
  include snippets/compression.conf;

  # Caching

  #(C) include snippets/caching.conf;

  # More Security stuff
  location ~* /\.(?!well-known\/) {
    deny all;
  }

  location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
    deny all;
  }


  # Actual proxy stuff
  location / {
     proxy_pass https://TARGETIP:PORT; # replace this with desired port
     # proxy_pass http://127.0.0.1:8080; # use this if you redirect to a http application
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP  $remote_addr;
     proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto  $scheme;
     satisfy                                 any;

     # Encrypt the traffic between the reverse proxy and your application

     #(E) proxy_ssl_protocols TLSv1.3 TLSv1.2;
     #(E) proxy_ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem
     #(E) proxy_ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem
     #(E) proxy_ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM';

     proxy_redirect http:// https://;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection $connection_upgrade;

     # Authentification stuff

     # BASIC
     # For Basic Authentification uncomment the two lines below
     # auth_basic "Username and Password Required"; # prompt that users will see
     # To generate a password and a user, use apache-utils and specify the path /etc/nginx/.htpasswd
     #(1) auth_basic_user_file /etc/nginx/.htpasswd;

     # ADVANCED
     # For advanced Authentification you will need client certificates and a certificate
     # authority. Tutorial: https://www.debiantutorials.com/create-your-private-certificate-authority-ca/
     # If you have your certificate authority, uncomment the 3 lines below, marked with (2) and
     # the section on top thats marked with (2) (client certificate) NOTE: replace the path with
     # the path to your Client-CA.pem !!

     # (ADVANCED AUTH)
     #(2) allow                                   192.168.0.1/24;
     #(2) allow                                   127.0.0.1;
     #(2) deny                                    all;
  }
}