From d33ab13d7cda3a3f66b4060f71782606c30efff8 Mon Sep 17 00:00:00 2001 From: Kromonos Date: Wed, 14 Dec 2022 16:34:38 +0100 Subject: [PATCH] Add nginx example config --- webserver/nginx.conf | 181 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 181 insertions(+) create mode 100644 webserver/nginx.conf diff --git a/webserver/nginx.conf b/webserver/nginx.conf new file mode 100644 index 0000000..4e49f92 --- /dev/null +++ b/webserver/nginx.conf @@ -0,0 +1,181 @@ +limit_req_zone $binary_remote_addr zone=taka_proxy:20m rate=200r/s; +limit_req_zone $binary_remote_addr zone=taka_media:20m rate=50r/s; +limit_req_zone $binary_remote_addr zone=taka_ratelimit:20m rate=25r/s; + +proxy_cache_path /usr/share/nginx/takahe/cache levels=1:2 keys_zone=TAKAHE:20m inactive=14d max_size=1g; + +upstream takahe { + server "127.0.0.1:8000"; +} + +server { + listen 80; + listen [::]:80; + server_name _; + + # Let's Encrypt SSL challenge directory + location ^~ /.well-known/acme-challenge { + default_type text/plain; + alias /usr/share/nginx/tmp/.well-known/acme-challenge; + } + + return 301 https://$server_name/$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name _; + + root /usr/share/nginx/tahake/static; + index index.html; + + access_log /usr/share/nginx/tahake/logs/access.log combined; + error_log /usr/share/nginx/tahake/logs/error.log; + + ssl_protocols TLSv1.2 TLSv1.3; + + # Using the recommended cipher suite from: https://wiki.mozilla.org/Security/Server_Side_TLS + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; + + ssl_session_timeout 10m; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + # Specifies a curve for ECDHE ciphers. + ssl_ecdh_curve prime256v1; + # Server should determine the ciphers, not the client + ssl_prefer_server_ciphers on; + + ssl_stapling on; + ssl_stapling_verify on; + + # GZIP Section + gzip on; + gzip_disable "msie6"; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_min_length 256; + gzip_types text/xml text/javascript font/ttf font/eot font/otf application/x-javascript application/atom+xml application/javascript application/json application/manifest+json application/rss+xml application/x-web-app-manifest+json application/xhtml+xml application/xml image/svg+xml image/x-icon text/css text/plain; + + ignore_invalid_headers off; + proxy_connect_timeout 1200; + + ssl_certificate /root/.acme.sh/tavern.drow.be/fullchain.cer; + ssl_certificate_key /root/.acme.sh/tavern.drow.be/tavern.drow.be.key; + ssl_trusted_certificate /root/.acme.sh/tavern.drow.be/ca.cer; + ssl_dhparam /etc/ssl/dhparams_4096.pem; + + proxy_headers_hash_max_size 1024; + proxy_headers_hash_bucket_size 128; + + client_max_body_size 512M; + client_body_buffer_size 128k; + charset utf-8; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 15m; + proxy_send_timeout 15m; + + proxy_buffer_size 4k; + proxy_buffers 4 32k; + proxy_busy_buffers_size 64k; + proxy_temp_file_write_size 64k; + add_header 'Content-Security-Policy' "default-src 'none'; connect-src 'self'; font-src 'self'; img-src *; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests;"; + + # Let's Encrypt SSL challenge directory + location ^~ /.well-known/acme-challenge { + default_type text/plain; + alias /usr/share/nginx/tmp/.well-known/acme-challenge; + } + + # Local media and static files + location ~* ^/(media|static) { + http2_push_preload on; + limit_req zone=taka_media burst=5 nodelay; + proxy_cache TAKAHE; + proxy_buffering on; + proxy_request_buffering on; + proxy_cache_convert_head off; + + proxy_cache_key $host$uri; + proxy_ignore_headers X-Accel-Expires Expires Cache-Control; + proxy_hide_header Set-Cookie; + proxy_hide_header X-Robots-Tag; + + proxy_cache_revalidate on; + proxy_cache_lock on; + proxy_cache_valid 200 304 720h; + proxy_cache_valid 301 307 12h; + proxy_cache_valid 500 502 503 504 0s; + proxy_cache_valid any 72h; + proxy_cache_min_uses 1; + proxy_cache_use_stale error timeout updating http_500 http_502 + http_503 http_504; + proxy_cache_background_update on; + proxy_cache_methods GET HEAD; + + add_header X-Cache $upstream_cache_status; + + proxy_pass http://takahe; + } + + # Media proxy + location ~* ^/proxy { + http2_push_preload on; + limit_req zone=taka_proxy burst=50 delay=20; + proxy_cache TAKAHE; + proxy_buffering on; + proxy_request_buffering on; + proxy_cache_convert_head off; + + proxy_cache_key $host$uri; + proxy_ignore_headers X-Accel-Expires Expires Cache-Control; + proxy_hide_header Set-Cookie; + proxy_hide_header X-Robots-Tag; + + proxy_cache_revalidate on; + proxy_cache_lock on; + proxy_cache_valid 200 304 720h; + proxy_cache_valid 301 307 12h; + proxy_cache_valid 500 502 503 504 0s; + proxy_cache_valid any 72h; + proxy_cache_min_uses 1; + proxy_cache_use_stale error timeout updating http_500 http_502 + http_503 http_504; + proxy_cache_background_update on; + proxy_cache_methods GET HEAD; + + add_header X-Cache $upstream_cache_status; + + proxy_pass http://takahe; + } + + # Django Admin + location /djadmin/ { + proxy_redirect off; + proxy_buffering off; + proxy_pass http://takahe; + } + + # Default location + location / { + limit_req zone=taka_ratelimit burst=15 delay=5; + http2_push_preload on; + + proxy_redirect off; + proxy_buffering off; + proxy_pass http://takahe; + } +}