$def with (domain, project_dir, ssl_ciphers)
$# Plain-HTTP vhost for `domain`: serves HTTP-01 ACME challenge files out of
$# `project_dir`/certs/challenges/ and sends every other request to HTTPS.
$# `ssl_ciphers` is accepted so callers can pass it, but the TLS server block
$# that would consume it is commented out below, so it is unused right now.
$# In this template syntax `$$` emits a literal `$`, i.e. an nginx variable.
$#
$# NOTE(review): `domain` and `project_dir` are interpolated verbatim into the
$# config. The caller must validate them (no whitespace, ';', '{', '}', '#'),
$# otherwise a crafted value rewrites this vhost -- the template cannot check.
server {
server_name $domain;
listen 80;
$# The catch-all is declared first; the ACME prefix below still wins because
$# nginx selects the longest matching prefix, not the first one declared.
location / {
$# Redirect to the configured name rather than $$host so a forged Host
$# header cannot turn this into an open redirect.
return 301 https://$domain$$request_uri;
}
location /.well-known/acme-challenge/ {
$# Location and alias both end in "/" so a request cannot escape the
$# challenge directory (the alias off-by-slash traversal). Only the
$# challenges/ subdirectory is exposed, never certs/ itself or any keys.
alias $project_dir/certs/challenges/;
try_files $$uri =404;
}
}
$# server {
$# listen 443 ssl http2;
$# listen [::]:443 ssl http2;
$# server_name $domain;
$#
$# ssl_certificate /home/admin/domains/$domain/domain.crt;
$# ssl_certificate_key /home/admin/domains/$domain/domain.key;
$# ssl_protocols TLSv1.3;
$# ssl_prefer_server_ciphers off;
$# ssl_ciphers $ssl_ciphers;
$# ssl_session_cache shared:SSL:10m;
$# ssl_session_timeout 1d;
$# ssl_dhparam /root/dhparam.pem;
$# ssl_ecdh_curve secp384r1;
$# ssl_session_tickets off;
$# NOTE(review): under a TLSv1.3-only policy ssl_ciphers does nothing (the
$# TLS 1.2 cipher list never selects TLS 1.3 suites) and ssl_dhparam is a
$# no-op (DHE only exists in TLS <= 1.2). Either also allow TLSv1.2 so the
$# $ssl_ciphers parameter actually applies, or drive the TLS 1.3 suites with
$# ssl_conf_command Ciphersuites (nginx >= 1.19.4 with OpenSSL >= 1.1.1).
$# Pinning ssl_ecdh_curve to secp384r1 drops X25519, so browsers that send
$# only an X25519 key share pay a HelloRetryRequest round trip; the default
$# "auto" is the safer choice. session_tickets off is right: a ticket key
$# that is never rotated would let a later key compromise decrypt old sessions.
$# ssl_stapling on;
$# ssl_stapling_verify on;
$# resolver 8.8.8.8 8.8.4.4 valid=300s; # TODO !google
$# resolver_timeout 5s;
$# NOTE(review): this resolver is what the OCSP stapling fetch uses, and it is
$# plaintext UDP DNS from the edge host to Google; prefer the local or VPC
$# resolver. ssl_stapling_verify also needs the issuer chain available: ship
$# the full chain in ssl_certificate or point ssl_trusted_certificate at it,
$# otherwise stapling quietly degrades (warning in error_log, no OCSP staple).
$#
$# charset utf-8;
$# add_header X-Powered-By "canopy";
$# add_header X-Frame-Options "SAMEORIGIN";
$# add_header X-Content-Type-Options "nosniff";
$# NOTE(review): X-Powered-By only advertises the stack to scanners -- drop it.
$# nginx does not merge add_header across levels: any location that declares
$# its own add_header (e.g. the Access-Control-Allow-Origin on /static/ below)
$# loses X-Frame-Options and X-Content-Type-Options unless they are repeated
$# there. Append "always" so the headers are also sent on error responses;
$# without it they only go out on 2xx/3xx.
$#
$# # TODO security headers
$# # add_header Strict-Transport-Security "max-age=15768000" always;
$# # add_header Strict-Transport-Security
$# # "max-age=63072000; includeSubDomains; preload";
$# # add_header X-Frame-Options DENY;
$# # add_header X-XSS-Protection "1; mode=block";
$# # add_header Content-Security-Policy "require-sri-for script style;"
$# # NOTE(review): roll HSTS out with a short max-age first and add "preload"
$# # only once every subdomain is HTTPS-only -- leaving the preload list takes
$# # months. X-XSS-Protection is no longer implemented by current browsers
$# # (Chrome removed its auditor); a real CSP replaces it. "require-sri-for"
$# # was dropped from the CSP spec and never shipped, so that policy is a
$# # no-op -- start from a default-src/script-src policy instead.
$#
$# client_max_body_size 100M;
$# error_page 403 404 /error/40x.html;
$# error_page 500 502 503 504 /error/50x.html;
$# access_log /home/admin/apps/$app/access.log adminfmt;
$# error_log /home/admin/apps/$app/error.log info;
$# NOTE(review): $app is not one of the template parameters declared on the
$# first line ($def with (domain, project_dir, ssl_ciphers)), so uncommenting
$# these lines (or the /X/ alias and proxy_pass below) fails at render time
$# with an undefined name; add app to the $def with list or derive it from
$# project_dir. "adminfmt" must also exist as a log_format in the http block.
$#
$# # TODO: error and static Nginx locations
$# # location /error/ {
$# # internal;
$# # alias ../canopy/;
$# # }
$# # location /static/ {
$# # add_header Access-Control-Allow-Origin *;
$# # root ../canopy/__web__;
$# # }
$#
$# location /X/ {
$# internal;
$# alias /home/admin/apps/$app/;
$# }
$# NOTE(review): presumably the X-Accel-Redirect target for the app (internal
$# means only the backend can reach it). It aliases the whole app directory,
$# so any path the app echoes into X-Accel-Redirect without validation --
$# app.sock, source, config, .env -- becomes downloadable. Alias a dedicated
$# files/ subdirectory instead and keep the app's path check strict.
$#
$# location / {
$# proxy_set_header X-Forwarded-Proto $$scheme;
$# proxy_set_header Host $$http_host;
$# proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
$# proxy_redirect off;
$# proxy_pass http://unix:/home/admin/apps/$app/app.sock;
$# NOTE(review): proxy_add_x_forwarded_for appends to whatever the client
$# already sent, so the app must treat only the rightmost address as the
$# client IP; also set X-Real-IP $$remote_addr if it wants a single value
$# it can trust. Host is forwarded verbatim from the client -- the app must
$# not use it to build absolute URLs without checking it against $domain.
$#
$# # XXX uwsgi_param Host $$http_host;
$# # XXX uwsgi_param X-Real-IP $$remote_addr;
$# # XXX uwsgi_param X-Forwarded-For $$proxy_add_x_forwarded_for;
$# # XXX uwsgi_max_temp_file_size 0;
$# # XXX uwsgi_pass unix:/home/admin/apps/$app/app.sock;
$# # XXX include /root/nginx/conf/uwsgi_params;
$# }
$# }
# leave this here for cat'ing over SSH...