|
1 | 1 |
|
2 | | - server { |
3 | | - listen 80; |
4 | | - server_name merginmaps.company.com; # FIXME |
| 2 | +server { |
| 3 | + listen 80; |
| 4 | + server_name merginmaps.company.com; # FIXME |
5 | 5 |
|
6 | | - if ($scheme != "https") { |
7 | | - return 301 https://$host$request_uri; |
8 | | - } |
| 6 | + if ($scheme != "https") { |
| 7 | + return 301 https://$host$request_uri; |
9 | 8 | } |
10 | | - |
11 | | - upstream app_server { |
12 | | - # route to the application proxy |
13 | | - server 127.0.0.1:8080 fail_timeout=0; |
14 | | - } |
15 | | - |
16 | | - server { |
17 | | - listen 443 ssl; |
18 | | - server_name merginmaps.company.com; # FIXME |
19 | | - client_max_body_size 4G; |
20 | | - |
21 | | - ssl_certificate_key /etc/letsencrypt/live/merginmaps.company.com/privkey.pem; # FIXME |
22 | | - ssl_certificate /etc/letsencrypt/live/merginmaps.company.com/fullchain.pem; # FIXME |
23 | | - |
24 | | - # Don't show version information |
25 | | - server_tokens off; |
26 | | - |
27 | | - # Enable gzip compression |
28 | | - gzip on; |
29 | | - gzip_min_length 10240; |
30 | | - gzip_comp_level 1; |
31 | | - gzip_vary on; |
32 | | - gzip_proxied any; |
33 | | - gzip_types |
34 | | - text/css |
35 | | - text/javascript |
36 | | - application/javascript |
37 | | - application/x-javascript; |
38 | | - |
39 | | - # Prevent crawlers from indexing and following links for all content served from the mergin app |
40 | | - add_header X-Robots-Tag "none"; |
41 | | - |
42 | | - # Protect against clickjacking iframe |
43 | | - add_header Content-Security-Policy "frame-ancestors 'self';" always; |
44 | | - |
45 | | - # Add a HSTS policy to prevent plain http from browser |
46 | | - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; |
47 | | - |
48 | | - # Set cookies security flags |
49 | | - proxy_cookie_flags ~ secure httponly samesite=strict; |
50 | | - |
51 | | - location / { |
52 | | - root /var/www/html; |
53 | | - |
54 | | - # The lines below were copied from application proxy |
55 | | - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
56 | | - proxy_set_header X-Forwarded-Proto $scheme; |
57 | | - proxy_set_header Host $http_host; |
58 | | - # we don't want nginx trying to do something clever with |
59 | | - # redirects, we set the Host: header above already. |
60 | | - proxy_redirect off; |
61 | | - proxy_pass http://app_server; |
62 | | - } |
| 9 | +} |
| 10 | + |
| 11 | +upstream app_server { |
| 12 | + # route to the application proxy |
| 13 | + server 127.0.0.1:8080 fail_timeout=0; |
| 14 | +} |
| 15 | + |
| 16 | +server { |
| 17 | + listen 443 ssl; |
| 18 | + server_name merginmaps.company.com; # FIXME |
| 19 | + client_max_body_size 4G; |
| 20 | + |
| 21 | + ssl_certificate_key /etc/letsencrypt/live/merginmaps.company.com/privkey.pem; # FIXME |
| 22 | + ssl_certificate /etc/letsencrypt/live/merginmaps.company.com/fullchain.pem; # FIXME |
| 23 | + |
| 24 | + # Don't show version information |
| 25 | + server_tokens off; |
| 26 | + |
| 27 | + # Enable gzip compression |
| 28 | + gzip on; |
| 29 | + gzip_min_length 10240; |
| 30 | + gzip_comp_level 1; |
| 31 | + gzip_vary on; |
| 32 | + gzip_proxied any; |
| 33 | + gzip_types |
| 34 | + text/css |
| 35 | + text/javascript |
| 36 | + application/javascript |
| 37 | + application/x-javascript; |
| 38 | + |
| 39 | + # Prevent crawlers from indexing and following links for all content served from the mergin app |
| 40 | + add_header X-Robots-Tag "none"; |
| 41 | + |
| 42 | + # Protect against clickjacking iframe |
| 43 | + add_header Content-Security-Policy "frame-ancestors 'self';" always; |
| 44 | + |
| 45 | + # Add a HSTS policy to prevent plain http from browser |
| 46 | + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; |
| 47 | + |
| 48 | + # Set cookies security flags |
| 49 | + proxy_cookie_flags ~ secure httponly samesite=strict; |
| 50 | + |
| 51 | + location / { |
| 52 | + root /var/www/html; |
| 53 | + |
| 54 | + # The lines below were copied from application proxy |
| 55 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 56 | + proxy_set_header X-Forwarded-Proto $scheme; |
| 57 | + proxy_set_header Host $http_host; |
| 58 | + # we don't want nginx trying to do something clever with |
| 59 | + # redirects, we set the Host: header above already. |
| 60 | + proxy_redirect off; |
| 61 | + proxy_pass http://app_server; |
63 | 62 | } |
| 63 | +} |
0 commit comments