tvdhout

Nginx template

Jan 28th, 2022 (edited)
  1. server_tokens off;
  2. add_header X-Frame-Options SAMEORIGIN;
  3. add_header X-Content-Type-Options nosniff;
  4. add_header X-XSS-Protection "1; mode=block";
  5. add_header Strict-Transport-Security "max-age=31536000" always;
  6. add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
  7. add_header Referrer-Policy "strict-origin" always;
  8.  
  9. ssl_stapling on;
  10. ssl_stapling_verify on;
  11. ssl_trusted_certificate /etc/letsencrypt/live/example.nl/fullchain.pem;
  12.  
  13. # Rate limiting 20 requests/s
  14. limit_req_zone $binary_remote_addr zone=mylimit:10m rate=20r/s;
  15.  
  16. # http://example.nl -> https://example.nl
  17. server {
  18.     listen 80;
  19.     listen [::]:80;
  20.     server_name example.nl;
  21.  
  22.     location /.well-known/acme-challenge/ {
  23.         root /var/www/certbot;
  24.     }
  25.  
  26.     location / {
  27.         return 301 https://example.nl$request_uri;
  28.     }
  29. }
  30.  
  31. # http://(www|api).example.nl -> https://(www|api).example.nl
  32. server {
  33.     listen 80;
  34.     listen [::]:80;
  35.     server_name www.example.nl api.example.nl;
  36.  
  37.     return 301 https://$host$request_uri;
  38. }
  39.  
  40. # https://example.nl -> https://www.example.nl
  41. server {
  42.     listen 443 ssl http2;
  43.     listen [::]:443 ssl http2;
  44.     server_name example.nl;
  45.  
  46.     ssl_certificate /etc/letsencrypt/live/example.nl/fullchain.pem;
  47.     ssl_certificate_key /etc/letsencrypt/live/example.nl/privkey.pem;
  48.  
  49.     ssl_session_cache shared:SSL:50m;
  50.     ssl_session_timeout 1d;
  51.     ssl_session_tickets on;
  52.  
  53.     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
  54.  
  55.     ssl_protocols TLSv1.2 TLSv1.3;
  56.     ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
  57.     ssl_prefer_server_ciphers on;
  58.  
  59.     return 301 https://www.$host$request_uri;
  60. }
  61.  
  62. # serve https://(www|api).example.nl
  63. server {
  64.     listen 443 ssl http2;
  65.     listen [::]:443 ssl http2;
  66.     server_name www.example.nl api.example.nl;
  67.  
  68.     ssl_certificate /etc/letsencrypt/live/example.nl/fullchain.pem;
  69.     ssl_certificate_key /etc/letsencrypt/live/example.nl/privkey.pem;
  70.  
  71.     ssl_session_cache shared:SSL:50m;
  72.     ssl_session_timeout 1d;
  73.     ssl_session_tickets on;
  74.  
  75.     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
  76.  
  77.     ssl_protocols TLSv1.2 TLSv1.3;
  78.     ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
  79.     ssl_prefer_server_ciphers on;
  80.  
  81.     # Example location for a Flask application running on port 8080
  82.     location / {
  83.         limit_req zone=mylimit burst=100 nodelay;
  84.  
  85.         include uwsgi_params;
  86.         uwsgi_pass flask:8080;
  87.         uwsgi_ignore_client_abort on;
  88.     }
  89. }