Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- server {
- listen 80 default_server;
- server_name dyris.cc 5.189.162.219;
- root /var/www;
- location ^~ /.well-known/acme-challenge {
- proxy_pass http://127.0.0.1:81;
- proxy_redirect off;
- }
- location / {
- root /var/www;
- index index.html index.htm;
- return 301 https://$server_name$request_uri;
- }
- }
- server {
- listen 443 ssl http2;
- server_name dyris.cc 5.189.162.219;
- #
- # Configure SSL
- #
- ssl on;
- # Certificates used
- ssl_certificate /etc/letsencrypt/live/dyris.cc/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/dyris.cc/privkey.pem;
- # Not using TLSv1 will break:
- # Android <= 4.4.40
- # IE <= 10
- # IE mobile <=10
- # Removing TLSv1.1 breaks nothing else!
- # There are not many clients using TLSv1.3 so far, but this can be activated with nginx v1.13
- ssl_protocols TLSv1.2 TLSv1.3;
- # Using the recommended cipher suite from: https://wiki.mozilla.org/Security/Server_Side_TLS
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDS$
- # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
- ssl_dhparam /etc/nginx/ssl/dhparams.pem;
- # Specifies a curve for ECDHE ciphers.
- # High security, but will not work with Chrome:
- #ssl_ecdh_curve secp521r1;
- # Works with Windows (Mobile), but not with Android (DavDroid):
- #ssl_ecdh_curve secp384r1;
- # Works with Android (DavDroid):
- ssl_ecdh_curve prime256v1;
- # Server should determine the ciphers, not the client
- ssl_prefer_server_ciphers on;
- # OCSP Stapling
- # fetch OCSP records from URL in ssl_certificate and cache them
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_trusted_certificate /etc/letsencrypt/live/dyris.cc/fullchain.pem;
- resolver 5.189.162.1;
- # SSL session handling
- ssl_session_timeout 24h;
- ssl_session_cache shared:SSL:50m;
- ssl_session_tickets off;
- #
- # Add headers to serve security related headers
- #
- # HSTS (ngx_http_headers_module is required)
- # In order to be recoginzed by SSL test, there must be an index.hmtl in the server's root
- add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
- add_header X-Content-Type-Options "nosniff" always;
- # Usually this should be "DENY", but when hosting sites using frames, it has to be "SAMEORIGIN"
- add_header Referrer-Policy "same-origin" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- location = / {
- # Disable access to the web root, the Nextcloud subdir should be used instead.
- deny all;
- # If you want to be able to access the cloud using the webroot only, use the following command instea$
- # rewrite ^ /nextcloud;
- }
- #
- # Nextcloud
- #
- location ^~ /nextcloud {
- # Set max. size of a request (important for uploads to Nextcloud)
- client_max_body_size 10G;
- # Besides the timeout values have to be raised in nginx' Nextcloud config, these values have to be ra$
- proxy_connect_timeout 3600;
- proxy_send_timeout 3600;
- proxy_read_timeout 3600;
- send_timeout 3600;
- proxy_buffering off;
- proxy_request_buffering off;
- proxy_max_temp_file_size 10240m;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_pass http://127.0.0.1:82;
- proxy_redirect off;
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
