# http://nginx.org/en/docs/http/websocket.html # http://nginx.org/en/docs/http/websocket.html map $http_upgrade $connection_upgrade { default upgrade; '' close; } # http server server { listen 80; listen [::]:80; server_name gitlab.c2a-systeme.fr; location / { proxy_pass http://127.0.0.1:8001; # redirect everything to HTTPS # return 301 https://$host$request_uri; } } # https server server { server_name gitlab.c2a-systeme.fr; listen 443 http2; listen [::]:443 http2; # ssl on; # paths are relative to prefix and not to this file # ssl_certificate /home/c2a/conf/nginx/certs/gitlab.c2a-systeme.fr.cert; # ssl_certificate_key /home/c2a/conf/nginx/certs/gitlab.c2a-systeme.fr.key; # ssl_session_timeout 5m; # ssl_session_cache shared:SSL:50m; # https://bettercrypto.org/static/applied-crypto-hardening.pdf # https://mozilla.github.io/server-side-tls/ssl-config-generator/ # https://cipherli.st/ # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; # ssl_dhparam /home/yellowtent/boxdata/dhparams.pem; # add_header Strict-Transport-Security "max-age=15768000"; # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options add_header X-Frame-Options "SAMEORIGIN"; proxy_hide_header X-Frame-Options; # https://github.com/twitter/secureheaders # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix # https://wiki.mozilla.org/Security/Guidelines/Web_Security add_header X-XSS-Protection "1; mode=block"; proxy_hide_header X-XSS-Protection; add_header X-Download-Options "noopen"; proxy_hide_header X-Download-Options; add_header X-Content-Type-Options "nosniff"; proxy_hide_header X-Content-Type-Options; add_header X-Permitted-Cross-Domain-Policies "none"; proxy_hide_header X-Permitted-Cross-Domain-Policies; add_header Referrer-Policy "no-referrer-when-downgrade"; proxy_hide_header Referrer-Policy; proxy_http_version 1.1; proxy_intercept_errors on; proxy_read_timeout 3500; proxy_connect_timeout 3250; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Ssl on; # upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html) proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; location / { return 301 http://$host$request_uri; # increase the proxy buffer sizes to not run into buffer issues (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; # No buffering to temp files, it fails for large downloads proxy_max_temp_file_size 0; # Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want client_max_body_size 0; # Custom robots.txt # location = /robots.txt { # return 200 ""; # } proxy_pass http://127.0.0.1:8001; } }