
mydomain.com.conf

a guest Apr 26th, 2018 65 Never
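  # Plain-HTTP listener. It has two jobs only: pass ACME challenge requests to a
  # local service, and redirect every other request to the HTTPS server.
  server {
      listen 80 default_server;
      server_name dyris.cc 5.189.162.219;

      root /var/www;

      # Certificate-validation requests are proxied to a service on loopback
      # port 81 (presumably the ACME client's own responder -- confirm).
      # ^~ stops regex locations from taking over this prefix.
      location ^~ /.well-known/acme-challenge {
          proxy_pass http://127.0.0.1:81;
          proxy_redirect off;
      }

      # Everything else goes to HTTPS.
      # $server_name is the first name on the server_name line, not the
      # client-supplied Host header, so this default_server never reflects an
      # arbitrary host name into the Location header.
      # No root/index here: `return` answers the request in the rewrite phase,
      # before any file under the document root would be looked up.
      location / {
          return 301 https://$server_name$request_uri;
      }
  }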
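  # HTTPS listener: terminates TLS and reverse-proxies /nextcloud to a backend
  # on loopback port 82.
  server {
      # TLS is switched on by the `ssl` parameter of `listen`. The standalone
      # `ssl on;` directive is obsolete since nginx 1.15.0 and is no longer
      # accepted by recent releases, so it is not used here.
      listen 443 ssl http2;
      server_name dyris.cc 5.189.162.219;

      #
      # Configure SSL
      #

      # Certificates used
      ssl_certificate /etc/letsencrypt/live/dyris.cc/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/dyris.cc/privkey.pem;

      # Not using TLSv1 will break:
      #       Android <= 4.4.40
      #       IE <= 10
      #       IE mobile <=10
      # Removing TLSv1.1 breaks nothing else!
      # There are not many clients using TLSv1.3 so far, but this can be activated with nginx v1.13.
      # The TLSv1.3 parameter only takes effect when nginx is built against OpenSSL 1.1.1 or newer.
      ssl_protocols TLSv1.2 TLSv1.3;

      # Using the recommended cipher suite from: https://wiki.mozilla.org/Security/Server_Side_TLS
      # NOTE(review): the next line is cut off in this paste. The trailing `$` is
      # the editor's "line continues" marker, so the rest of the list, the closing
      # quote and the semicolon are missing. Restore the complete list from the
      # original file before loading this config; as pasted it will not parse.
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDS$

      # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
      ssl_dhparam /etc/nginx/ssl/dhparams.pem;

      # Specifies a curve for ECDHE ciphers.
      # High security, but will not work with Chrome:
      #ssl_ecdh_curve secp521r1;
      # Works with Windows (Mobile), but not with Android (DavDroid):
      #ssl_ecdh_curve secp384r1;
      # Works with Android (DavDroid):
      ssl_ecdh_curve prime256v1;

      # Server should determine the ciphers, not the client
      ssl_prefer_server_ciphers on;

      # OCSP Stapling
      # fetch OCSP records from URL in ssl_certificate and cache them
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/dyris.cc/fullchain.pem;
      # The resolver looks up the OCSP responder's host name. These lookups are
      # unauthenticated DNS, so the resolver should sit on a trusted network path.
      resolver 5.189.162.1;

      # SSL session handling
      # Tickets are off, so resumption relies on the server-side cache only.
      ssl_session_timeout 24h;
      ssl_session_cache shared:SSL:50m;
      ssl_session_tickets off;

      #
      # Add headers to serve security related headers
      #
      # add_header directives are inherited by a location only while that
      # location defines none of its own; adding one inside a location below
      # would silently drop this whole set for it.
      #
      # HSTS (ngx_http_headers_module is required)
      # In order to be recognized by SSL test, there must be an index.html in the server's root
      # includeSubdomains commits every subdomain of the site to HTTPS for the
      # full max-age (two years).
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
      add_header X-Content-Type-Options "nosniff" always;
      # Usually this should be "DENY", but when hosting sites using frames, it has to be "SAMEORIGIN"
      # NOTE(review): the comment above describes X-Frame-Options, but no
      # X-Frame-Options header is set anywhere in this server block. Confirm
      # whether the backend sends it; if not, framing protection is missing.
      add_header Referrer-Policy "same-origin" always;
      # NOTE(review): X-XSS-Protection targets a browser XSS filter that current
      # browsers no longer ship; it is not a substitute for a Content-Security-Policy.
      add_header X-XSS-Protection "1; mode=block" always;
      # `always` on the remaining headers so they are also sent on error
      # responses (such as the 403 from `location = /`), matching the ones above.
      add_header X-Robots-Tag none always;
      add_header X-Download-Options noopen always;
      add_header X-Permitted-Cross-Domain-Policies none always;

      location = / {
          # Disable access to the web root, the Nextcloud subdir should be used instead.
          deny all;

          # If you want to be able to access the cloud using the webroot only, use the following command instead
          # (the rest of this comment line is cut off in the paste):
          # rewrite ^ /nextcloud;
      }

      #
      # Nextcloud
      #
      location ^~ /nextcloud {
          # Set max. size of a request (important for uploads to Nextcloud)
          client_max_body_size 10G;
          # Besides the timeout values have to be raised in nginx' Nextcloud config, these values have to be raised
          # (the rest of this comment line is cut off in the paste).
          # One-hour timeouts with unbuffered 10G request bodies let a slow client
          # hold a backend connection for a long time; the limits are scoped to
          # this location so the rest of the server keeps the defaults.
          proxy_connect_timeout 3600;
          proxy_send_timeout 3600;
          proxy_read_timeout 3600;
          send_timeout 3600;
          proxy_buffering off;
          proxy_request_buffering off;
          proxy_max_temp_file_size 10240m;
          # The backend is reached over plain HTTP on loopback and receives only
          # Host and X-Real-IP. NOTE(review): the original scheme is not forwarded;
          # verify the backend is configured to know requests arrived over HTTPS.
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_pass http://127.0.0.1:82;
          proxy_redirect off;
      }
  }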