dpaste/server/nginx.conf

121 lines
4.2 KiB
Nginx Configuration File
Raw Permalink Normal View History

limit_req_zone $binary_remote_addr zone=login:10m rate=2r/s;
2014-12-13 08:25:43 +11:00
upstream app_server {
server 127.0.0.1:12000 fail_timeout=0;
}
# Combined log with remote:local port logged
log_format combined_port '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$remote_port:$server_port"';
2013-06-06 04:44:31 +10:00
# -----------------------------------------------------------------------------
# Redirect all sort of non-ssl (with and without www) to ssl without www
# -----------------------------------------------------------------------------
server {
listen 80;
2015-10-25 22:28:19 +11:00
2014-12-13 06:16:51 +11:00
server_name dpaste.de
www.dpaste.de
dpaste.org
www.dpaste.org;
2013-05-29 08:35:01 +10:00
location / {
rewrite ^ https://$server_name$request_uri? permanent;
}
2015-12-09 02:12:55 +11:00
location /.well-known/acme-challenge/ {
alias /var/www/challenges/;
try_files $uri =404;
}
2013-05-27 19:26:36 +10:00
}
2013-06-06 04:44:31 +10:00
# -----------------------------------------------------------------------------
# SSL Hosts
# -----------------------------------------------------------------------------
server {
2014-12-13 06:16:51 +11:00
listen 443 ssl spdy;
2015-10-25 22:28:19 +11:00
server_name dpaste.org www.dpaste.org;
2015-12-09 02:12:55 +11:00
ssl on;
ssl_certificate /srv/dpaste.de/etc/ssl/dpaste_org_chained.pem;
ssl_certificate_key /srv/dpaste.de/etc/ssl/dpaste_org.key;
ssl_dhparam /etc/ssl/dhparam.pem;
# SSL modern config for modern browsers Pete told me
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=25200;
# Redirect to dpaste.de
location / {
rewrite ^/(.*)$ https://dpaste.de/$1 permanent;
}
}
2013-05-27 19:26:36 +10:00
server {
2014-12-13 06:16:51 +11:00
listen 443 ssl spdy;
2015-10-25 22:28:19 +11:00
2013-06-06 04:46:55 +10:00
server_name dpaste.de www.dpaste.de;
2013-05-31 19:47:02 +10:00
2015-12-09 02:12:55 +11:00
ssl on;
ssl_certificate /srv/dpaste.de/etc/ssl/dpaste_de_chained.pem;
ssl_certificate_key /srv/dpaste.de/etc/ssl/dpaste_de.key;
ssl_dhparam /etc/ssl/dhparam.pem;
# SSL modern config for modern browsers Pete told me
ssl_prefer_server_ciphers on;
2015-12-09 02:12:55 +11:00
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=25200;
2013-06-06 04:44:31 +10:00
# Rewrite www to non-www
2013-09-28 05:28:07 +10:00
if ($host = www.dpaste.de) {
2013-06-06 04:44:31 +10:00
rewrite ^/(.*)$ https://dpaste.de/$1 permanent;
}
access_log /srv/dpaste.de/var/nginx.access.log combined_port;
error_log /srv/dpaste.de/var/nginx.error.log;
2013-06-06 04:44:31 +10:00
keepalive_timeout 5;
2015-11-04 02:49:28 +11:00
client_max_body_size 10M;
2014-12-15 09:19:03 +11:00
location ~ /(favicon.ico|robots.txt) {
access_log off;
log_not_found off;
expires 3d;
}
2014-12-25 23:56:39 +11:00
location /webalizer/ {
alias /srv/dpaste.de/var/webalizer/;
auth_basic "Restricted";
auth_basic_user_file /srv/dpaste.de/var/.htpasswd;
}
location /static/ {
alias /srv/dpaste.de/var/static/;
2013-06-06 04:44:31 +10:00
}
location / {
2014-12-13 08:25:43 +11:00
limit_req zone=login burst=5;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_buffering off;
2014-12-13 06:16:51 +11:00
proxy_pass http://app_server;
break;
}
}