Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- user www-data;
- worker_processes auto;
- pid /run/nginx.pid;
- include /etc/nginx/modules-enabled/*.conf;
- events {
- worker_connections 768;
- # multi_accept on;
- }
- http {
- ##
- # Basic Settings
- ##
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 2048;
- # server_tokens off;
- # server_names_hash_bucket_size 64;
- # server_name_in_redirect off;
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
- ##
- # SSL Settings
- ##
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
- ssl_prefer_server_ciphers on;
- ##
- # Logging Settings
- ##
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log;
- ##
- # Gzip Settings
- ##
- gzip on;
- # gzip_vary on;
- # gzip_proxied any;
- # gzip_comp_level 6;
- # gzip_buffers 16 8k;
- # gzip_http_version 1.1;
- # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
- ##
- # Virtual Host Configs
- ##
- include /etc/nginx/conf.d/*.conf;
- include /etc/nginx/sites-enabled/*;
- server {
- # If your host is not IPv6 ready use listen 80; here.
- # Add ipv6only=off to your listen directive that has default_server.
- # Or this one if this is your only vhost. Do not add it to both!
- listen [::]:80;
- server_name diaspora.domain.tld www.diaspora.domain.tld;
- location / {
- return 301 https://$server_name$request_uri;
- }
- }
- # Redirect https://www.diaspora.example.org to https://diaspora.example.org
- server {
- # the below line will ONLY do ipv6
- #listen [::]:443 ssl; # Same rules as for listen [::]:80 apply.
- # the below line will ONLY do ipv4
- listen *:443 ssl; # Same rules as for listen [::]:80 apply.
- server_name www.diaspora.domain.tld;
- location / {
- return 301 https://diaspora.domain.tld$request_uri;
- }
- # SSL setup
- # This file should also include any necessary intermediate certificates.
- # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
- # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
- # and /etc/letsencrypt/diaspora.example.org/privkey.pem
- ssl_certificate /home/diaspora/certs/diaspora.domain.tld.certchain.crt;
- ssl_certificate_key /home/diaspora/certs/diaspora.domain.tld.key;
- # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
- # You might want to make these global
- # generate with openssl dhparam 2048 > /path/to/dhparam.pem
- #ssl_dhparam /path/to/dhparam.pem;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
- ssl_session_timeout 5m;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:50m;
- }
- # Actual proxy
- server {
- # the below line will ONLY do ipv6
- #listen [::]:443 ssl; # Same rules as for listen [::]:80 apply.
- # the below line will ONLY do ipv4
- listen *:443 ssl; # Same rules as for listen [::]:80 apply.
- server_name diaspora.domain.tld;
- root /home/diaspora/diaspora/public;
- # Configure maximum picture size
- # Note that Diaspora has a client side check set at 4M
- client_max_body_size 5M;
- client_body_buffer_size 256K;
- # SSL setup
- # This file should also include any necessary intermediate certificates.
- # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
- # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
- # and /etc/letsencrypt/diaspora.example.org/privkey.pem
- ssl_certificate /home/diaspora/certs/diaspora.domain.tld.certchain.crt;
- ssl_certificate_key /home/diaspora/certs/diaspora.domain.tld.key;
- # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
- # You might want to make these global
- # generate with openssl dhparam 2048 > /path/to/dhparam.pem
- #ssl_dhparam /path/to/dhparam.pem;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
- ssl_session_timeout 5m;
- ssl_prefer_server_ciphers on;
- ssl_session_cache shared:SSL:50m;
- # Proxy if requested file not found
- try_files $uri @diaspora;
- location /assets/ {
- expires max;
- add_header Cache-Control public;
- }
- # Camo support
- #location /camo/ {
- # proxy_redirect off;
- # proxy_pass http://camo/;
- # break;
- #}
- location @diaspora {
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header Host $http_host;
- proxy_redirect off;
- proxy_pass http://diaspora_server;
- }
- }
- # Proxy destination
- # Add as many server directives as you want
- # Also takes a socket, like unix:/path/to/some/socket.sock
- upstream diaspora_server {
- server unix:/home/diaspora/diaspora/tmp/diaspora.sock;
- }
- # Camo support
- #upstream camo {
- # server 127.0.0.1:8081;
- #}
- }
- #mail {
- # # See sample authentication script at:
- # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
- #
- # # auth_http localhost/auth.php;
- # # pop3_capabilities "TOP" "USER";
- # # imap_capabilities "IMAP4rev1" "UIDPLUS";
- #
- # server {
- # listen localhost:110;
- # protocol pop3;
- # proxy on;
- # }
- #
- # server {
- # listen localhost:143;
- # protocol imap;
- # proxy on;
- # }
- #}
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement