kopia lustrzana https://0xacab.org/rysiek/fasada
52 wiersze
1.6 KiB
Plaintext
52 wiersze
1.6 KiB
Plaintext
# www.example.com website
|
|
server {
|
|
listen 80;
|
|
listen 443 ssl;
|
|
server_name admin.example.com;
|
|
|
|
# general vhost settings
|
|
access_log /srv/logs/nginx/admin.example.com.access.log combined;
|
|
error_log /srv/logs/nginx/admin.example.com.error.log error;
|
|
|
|
# ssl keycert
|
|
ssl_certificate /srv/data/secrets/letsencrypt/live/admin.example.com/fullchain.pem;
|
|
ssl_certificate_key /srv/data/secrets/letsencrypt/live/admin.example.com/privkey.pem;
|
|
|
|
# TLS settings
|
|
# can't set headers in an if that is *not* in a location,
|
|
# so we need to work around this
|
|
add_header Strict-Transport-Security "max-age=31536000";
|
|
|
|
# proxy params, mainly for properly tracking visitors
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
# needed for keepalive to work
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
|
|
# tls letsencrypt stateless acme config
|
|
# no need for webroot and stuff
|
|
#
|
|
# this is described for acme.sh,
|
|
# but should work with any LE client
|
|
# https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode
|
|
location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
|
|
default_type text/plain;
|
|
return 200 "$1.<ACME_THUMBPRINT>";
|
|
}
|
|
|
|
# set proxy zone
|
|
proxy_cache off;
|
|
|
|
# reverse proxy to upstream
|
|
location / {
|
|
# debugging
|
|
add_header X-Proxy-Cache $upstream_cache_status;
|
|
#include snippets/security.conf;
|
|
proxy_pass http://127.0.0.1:10080;
|
|
}
|
|
|
|
}
|