Add nginx example config

2022-12-14 16:34:38 +01:00 · 2022-12-14 16:34:38 +01:00 · d33ab13d7c
commit d33ab13d7c
--- a/webserver/nginx.conf
+++ b/webserver/nginx.conf
@ -0,0 +1,181 @@
+limit_req_zone $binary_remote_addr zone=taka_proxy:20m rate=200r/s;
+limit_req_zone $binary_remote_addr zone=taka_media:20m rate=50r/s;
+limit_req_zone $binary_remote_addr zone=taka_ratelimit:20m rate=25r/s;
+
+proxy_cache_path /usr/share/nginx/takahe/cache levels=1:2 keys_zone=TAKAHE:20m inactive=14d max_size=1g;
+
+upstream takahe {
+    server "127.0.0.1:8000";
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    # Let's Encrypt SSL challenge directory
+    location ^~ /.well-known/acme-challenge {
+        default_type text/plain;
+        alias /usr/share/nginx/tmp/.well-known/acme-challenge;
+    }
+
+    return 301 https://$server_name/$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name _;
+
+    root /usr/share/nginx/tahake/static;
+    index index.html;
+
+    access_log /usr/share/nginx/tahake/logs/access.log combined;
+    error_log  /usr/share/nginx/tahake/logs/error.log;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+
+    # Using the recommended cipher suite from: https://wiki.mozilla.org/Security/Server_Side_TLS
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+
+    ssl_session_timeout 10m;
+    ssl_session_cache shared:MozSSL:10m;
+    ssl_session_tickets off;
+
+    # Specifies a curve for ECDHE ciphers.
+    ssl_ecdh_curve prime256v1;
+    # Server should determine the ciphers, not the client
+    ssl_prefer_server_ciphers on;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # GZIP Section
+    gzip on;
+    gzip_disable "msie6";
+
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_min_length 256;
+    gzip_types text/xml text/javascript font/ttf font/eot font/otf application/x-javascript application/atom+xml application/javascript application/json application/manifest+json application/rss+xml application/x-web-app-manifest+json application/xhtml+xml application/xml image/svg+xml image/x-icon text/css text/plain;
+
+    ignore_invalid_headers off;
+    proxy_connect_timeout 1200;
+
+    ssl_certificate /root/.acme.sh/tavern.drow.be/fullchain.cer;
+    ssl_certificate_key /root/.acme.sh/tavern.drow.be/tavern.drow.be.key;
+    ssl_trusted_certificate /root/.acme.sh/tavern.drow.be/ca.cer;
+    ssl_dhparam /etc/ssl/dhparams_4096.pem;
+
+    proxy_headers_hash_max_size 1024;
+    proxy_headers_hash_bucket_size 128;
+
+    client_max_body_size 512M;
+    client_body_buffer_size 128k;
+    charset utf-8;
+
+    proxy_set_header Host                   $http_host;
+    proxy_set_header X-Real-IP              $remote_addr;
+    proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto      $scheme;
+    proxy_set_header X-Forwarded-Host       $http_host;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_read_timeout 15m;
+    proxy_send_timeout 15m;
+
+    proxy_buffer_size          4k;
+    proxy_buffers              4 32k;
+    proxy_busy_buffers_size    64k;
+    proxy_temp_file_write_size 64k;
+    add_header 'Content-Security-Policy' "default-src 'none'; connect-src 'self'; font-src 'self'; img-src *; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests;";
+
+    # Let's Encrypt SSL challenge directory
+    location ^~ /.well-known/acme-challenge {
+        default_type text/plain;
+        alias /usr/share/nginx/tmp/.well-known/acme-challenge;
+    }
+
+    # Local media and static files
+    location ~* ^/(media|static) {
+        http2_push_preload on;
+        limit_req zone=taka_media burst=5 nodelay;
+        proxy_cache TAKAHE;
+        proxy_buffering on;
+        proxy_request_buffering on;
+        proxy_cache_convert_head off;
+
+        proxy_cache_key $host$uri;
+        proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
+        proxy_hide_header Set-Cookie;
+        proxy_hide_header X-Robots-Tag;
+
+        proxy_cache_revalidate on;
+        proxy_cache_lock on;
+        proxy_cache_valid  200 304 720h;
+        proxy_cache_valid  301 307 12h;
+        proxy_cache_valid  500 502 503 504 0s;
+        proxy_cache_valid  any 72h;
+        proxy_cache_min_uses 1;
+        proxy_cache_use_stale error timeout updating http_500 http_502
+                              http_503 http_504;
+        proxy_cache_background_update on;
+        proxy_cache_methods GET HEAD;
+
+        add_header X-Cache $upstream_cache_status;
+
+        proxy_pass       http://takahe;
+    }
+
+    # Media proxy
+    location ~* ^/proxy {
+        http2_push_preload on;
+        limit_req zone=taka_proxy burst=50 delay=20;
+        proxy_cache TAKAHE;
+        proxy_buffering on;
+        proxy_request_buffering on;
+        proxy_cache_convert_head off;
+
+        proxy_cache_key $host$uri;
+        proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
+        proxy_hide_header Set-Cookie;
+        proxy_hide_header X-Robots-Tag;
+
+        proxy_cache_revalidate on;
+        proxy_cache_lock on;
+        proxy_cache_valid  200 304 720h;
+        proxy_cache_valid  301 307 12h;
+        proxy_cache_valid  500 502 503 504 0s;
+        proxy_cache_valid  any 72h;
+        proxy_cache_min_uses 1;
+        proxy_cache_use_stale error timeout updating http_500 http_502
+                              http_503 http_504;
+        proxy_cache_background_update on;
+        proxy_cache_methods GET HEAD;
+
+        add_header X-Cache $upstream_cache_status;
+
+        proxy_pass       http://takahe;
+    }
+
+    # Django Admin
+    location /djadmin/ {
+        proxy_redirect   off;
+        proxy_buffering  off;
+        proxy_pass       http://takahe;
+    }
+
+    # Default location
+    location / {
+        limit_req zone=taka_ratelimit burst=15 delay=5;
+        http2_push_preload on;
+
+        proxy_redirect   off;
+        proxy_buffering  off;
+        proxy_pass       http://takahe;
+    }
+}