# Process-level settings: a single worker with a raised open-file limit.
worker_processes 1;
worker_rlimit_nofile 32768;
# Relative path; nginx resolves it against its prefix directory.
pid nginx.pid;
# Stay in the foreground (the usual setup when a supervisor or container
# runtime owns the process).
daemon off;
# NOTE(review): worker processes run as root, so a flaw in request handling
# is exercised with full privileges over /public, /app/www and the TLS private
# key. Prefer a dedicated unprivileged account; only the master process needs
# root to bind ports 80/443 and read the key. Confirm which account exists in
# the deployment image before changing this.
user root root;
# Connection handling for each worker process.
events {
    # Use the Linux epoll event notification method.
    use epoll;
    # Upper bound on simultaneous connections per worker.
    worker_connections 8192;
    # Accept every pending connection on each wake-up instead of one at a time.
    multi_accept on;
}
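# HTTP server: static content from /public over TLS, plus /.well-known
# content served from /app/www.
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    keepalive_requests 100;
    keepalive_timeout 10s;
    client_max_body_size 2m;

    # NOTE(review): temp directories sit under /tmp; confirm /tmp is not
    # writable by other local users in the deployment image.
    client_body_temp_path /tmp/nginx_client_body_temp_path;
    proxy_temp_path /tmp/nginx_proxy_temp_path;
    fastcgi_temp_path /tmp/nginx_fastcgi_temp_path;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # Compression applies to text/html (always) plus the types listed here.
    # NOTE(review): acceptable for the static files served below; revisit if
    # responses ever combine secrets with request-reflected data (BREACH).
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_types text/css
               application/javascript
               application/json;

    charset utf-8;
    server_names_hash_bucket_size 128;
    proxy_intercept_errors on;

    # JSON access log. escape=json makes nginx JSON-escape variable values;
    # without it a quote, backslash or control character in a client-supplied
    # field (User-Agent, Referer, X-Forwarded-For, request line, Host) yields
    # invalid JSON or lets a client forge extra keys in the log record.
    log_format main escape=json '{'
        '"remote_addr": "$remote_addr",'
        '"remote_user": "$remote_user",'
        '"server_name": "$server_name",'
        '"server_port": "$server_port",'
        '"host": "$host",'
        '"time_local": "$time_local",'
        '"request_time": $request_time,'
        '"request": "$request",'
        '"status": $status,'
        '"body_bytes_sent": $body_bytes_sent,'
        '"http_referer": "$http_referer",'
        '"http_user_agent": "$http_user_agent",'
        '"http_x_forwarded_for": "$http_x_forwarded_for",'
        '"request_uri": "$request_uri",'
        '"uri": "$uri",'
        '"args": "$args",'
        '"event_name": "NGINX_LOG"'
    '}';
    access_log /dev/stdout main;
    error_log /dev/stderr;

    # Set HSTS header based on hostname. An empty value makes add_header emit
    # nothing, so the dev machine never pins HSTS.
    map $hostname $hsts_header {
        # Disable HSTS for dev.
        spacebrook-local "";
        # Enable HSTS everywhere else.
        default "max-age=63072000; includeSubdomains; preload";
    }

    # Cache-Control for static content, chosen the same way as the HSTS value:
    # nothing on the dev machine, one hour of public caching everywhere else.
    map $hostname $cache_control_header {
        spacebrook-local "";
        default "public, max-age=3600";
    }

    server {
        listen 80;
        listen 443 ssl http2;
        server_name spacebrook 127.0.0.1;

        ssl_certificate /etc/letsencrypt/live/spacebrook.dev/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/spacebrook.dev/privkey.pem;
        ssl_dhparam /etc/letsencrypt/live/spacebrook.dev/dhparam.pem;

        # TLS 1.0 and 1.1 are deprecated and no longer offered. Add TLSv1.3
        # here once the nginx/OpenSSL build in use is confirmed to support it.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        # NOTE(review): this only takes effect together with "ssl_stapling on",
        # which this file does not set; either enable stapling (it also needs
        # a resolver and an OCSP URL in the certificate) or drop this line.
        ssl_stapling_verify on;

        # Server-level response headers. A location (or "if" block) that
        # declares any add_header of its own does NOT inherit these.
        add_header Strict-Transport-Security $hsts_header;
        add_header X-Content-Type-Options nosniff;

        proxy_set_header Host $host;

        # Redirect plain HTTP to HTTPS everywhere except the dev machine.
        # The flag is initialised first so HTTPS requests do not read an
        # uninitialised variable (nginx logs a warning for each such read).
        set $redirect_to_https false;
        if ($scheme = http) {
            set $redirect_to_https true;
        }
        if ($hostname = spacebrook-local) {
            set $redirect_to_https false;
        }
        # NOTE(review): $host comes from the request, and as the only server
        # block this one also answers for unmatched Host values, so the
        # redirect target reflects whatever Host the client sent. Consider
        # redirecting to a fixed canonical name.
        if ($redirect_to_https = true) {
            rewrite ^(.*) https://$host$1;
        }

        # Anchored, with the dot escaped: the previous pattern "/.well-known"
        # was an unanchored regex whose "." matched any character, so it also
        # captured unrelated URIs that merely contained a similar substring.
        location ~ ^/\.well-known(/|$) {
            root /app/www;
        }

        location / {
            root /public;
            # Cache-Control used to be added inside an "if" block, which
            # replaced the server-level headers and dropped HSTS and nosniff
            # from these responses on every non-dev host. All three are
            # declared together here; empty map values are simply not sent.
            add_header Strict-Transport-Security $hsts_header;
            add_header X-Content-Type-Options nosniff;
            add_header Cache-Control $cache_control_header;
        }
    }
}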