-
Notifications
You must be signed in to change notification settings - Fork 2
/
base.template
70 lines (51 loc) · 2.14 KB
/
base.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
map \$http_upgrade \$connection_upgrade {
default upgrade;
'' close;
}
server {
# Generated with nginx-le-setup
listen 80;
listen [::]:80;
listen 443 ssl http2;
${HTTP3:+listen 443 http3 reuseport;}
listen [::]:443 ssl http2;
${HTTP3:+listen [::]:443 http3 reuseport;}
server_name ${VDOMAINS};
${CONFIG}
location ~ /\.well-known/acme-challenge {
allow all;
default_type \"text/plain\";
root ${WEBROOT_PATH};
}
location ~ /\.git { deny all;}
location = /robots.txt { access_log off; log_not_found off; }
location = /favicon.ico { access_log off; log_not_found off; }
# this prevents hidden files (beginning with a period) from being served
location ~ /\. { access_log off; log_not_found off; deny all; }
server_tokens off;
ssl_certificate /etc/letsencrypt/live/${VNAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${VNAME}/privkey.pem;
# enable session resumption
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
if (\$scheme = http) {
return 301 https://\$server_name\$request_uri;
}
add_header X-protocol $server_protocol always;
${HTTP3:+ add_header alt-svc 'h3=\":443\"; ma=86400';}
${HTTP3:+ quic_retry on;}
# HSTS (ngx_http_headers_module is required) 6 months
add_header Strict-Transport-Security \"max-age=15768000; ${HSTS}\";
add_header Content-Security-Policy \"frame-ancestors 'none'\";
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options \"SAMEORIGIN\";
proxy_hide_header X-Xss-protection;
add_header X-Xss-protection \"1; mode=block\";
proxy_hide_header X-Content-Type-Options;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy same-origin;
}