119 lines
4.3 KiB
Plaintext
119 lines
4.3 KiB
Plaintext
# http://nginx.org/en/docs/http/websocket.html
|
|
map $http_upgrade $connection_upgrade {
|
|
default upgrade;
|
|
'' close;
|
|
}
|
|
|
|
# http server
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
|
|
server_name api.dev.c2a-systeme.fr;
|
|
|
|
location / {
|
|
# redirect everything to HTTPS
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
}
|
|
|
|
# https server
|
|
server {
|
|
server_name api.dev.c2a-systeme.fr;
|
|
listen 443 http2;
|
|
listen [::]:443 http2;
|
|
|
|
ssl on;
|
|
ssl_certificate /etc/letsencrypt/live/api.dev.c2a-systeme.fr/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/api.dev.c2a-systeme.fr/privkey.pem;
|
|
ssl_session_timeout 10m;
|
|
ssl_session_cache shared:SSL:50m;
|
|
|
|
# Enable server-side protection against BEAST attacks
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
|
|
|
|
# RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
|
|
ssl_dhparam /etc/ssl/ffdhe4096.pem;
|
|
ssl_ecdh_curve secp521r1:secp384r1;
|
|
|
|
# Aditional Security Headers
|
|
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
|
|
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
|
add_header X-Frame-Options DENY always;
|
|
|
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
|
add_header X-Content-Type-Options nosniff always;
|
|
|
|
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
|
|
add_header X-Xss-Protection "1; mode=block" always;
|
|
|
|
# Enable OCSP stapling
|
|
# ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
ssl_trusted_certificate /etc/letsencrypt/live/api.dev.c2a-systeme.fr/fullchain.pem;
|
|
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
|
|
resolver_timeout 5s;
|
|
|
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
|
|
add_header X-Frame-Options "SAMEORIGIN";
|
|
proxy_hide_header X-Frame-Options;
|
|
|
|
# https://github.com/twitter/secureheaders
|
|
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
|
|
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
proxy_hide_header X-XSS-Protection;
|
|
add_header X-Download-Options "noopen";
|
|
proxy_hide_header X-Download-Options;
|
|
add_header X-Content-Type-Options "nosniff";
|
|
proxy_hide_header X-Content-Type-Options;
|
|
add_header X-Permitted-Cross-Domain-Policies "none";
|
|
proxy_hide_header X-Permitted-Cross-Domain-Policies;
|
|
add_header Referrer-Policy "no-referrer-when-downgrade";
|
|
proxy_hide_header Referrer-Policy;
|
|
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_intercept_errors on;
|
|
proxy_read_timeout 3500;
|
|
proxy_connect_timeout 3250;
|
|
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
proxy_set_header X-Forwarded-Ssl on;
|
|
|
|
# upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html)
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
|
|
# Required for LE certificate enrollment using certbot
|
|
location '/.well-known/acme-challenge' {
|
|
default_type "text/plain";
|
|
root /var/www/html;
|
|
}
|
|
|
|
location / {
|
|
# No buffering to temp files, it fails for large downloads
|
|
proxy_max_temp_file_size 0;
|
|
|
|
# Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want
|
|
client_max_body_size 0;
|
|
|
|
# Bloc accès of the search robots
|
|
location = /robots.txt {
|
|
return 200 "User-agent: *\nDisallow: /";
|
|
}
|
|
|
|
proxy_pass http://127.0.0.1:8005;
|
|
|
|
}
|
|
}
|