default nginx conf and gitea nginx conf
This commit is contained in:
parent
bad22be2c4
commit
7078a122a2
BIN
gitea/Mozilla_Observatory.png
Normal file
BIN
gitea/Mozilla_Observatory.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 35 KiB |
@ -0,0 +1,6 @@
|
||||
# Additional Score Commentary:
|
||||
|
||||
## Mozilla Observatory
|
||||
Current CSP requires the use of unsafe-eval and unsafe-inline for script-src.
|
||||
Current CSP requires the use of unsafe-inline for style-src.
|
||||
The relevant issue can be found at: https://github.com/go-gitea/gitea/issues/305
|
||||
Binary file not shown.
BIN
gitea/SSL_Labs.png
Normal file
BIN
gitea/SSL_Labs.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 65 KiB |
60
gitea/git.theschricks.com.conf
Normal file
60
gitea/git.theschricks.com.conf
Normal file
@ -0,0 +1,60 @@
|
||||
server {
|
||||
server_name git.theschricks.com;
|
||||
|
||||
location / {
|
||||
|
||||
# Workaround while waiting for cookie flags to be implemented. See Issue #5583
|
||||
proxy_cookie_path / "/; Secure; HttpOnly; SameSite=lax";
|
||||
|
||||
proxy_pass http://pi1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
if ($scheme != "https") {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
client_max_body_size 512m;
|
||||
|
||||
listen [::]:443 ssl; # managed by Certbot
|
||||
listen 443 ssl; # managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/git.theschricks.com/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/git.theschricks.com/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header Referrer-Policy "strict-origin";
|
||||
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
|
||||
|
||||
#Ideally needs to be changed, but needs to be set to this for Gitea for now: https://github.com/go-gitea/gitea/issues/305.
|
||||
add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; frame-ancestors 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self';";
|
||||
|
||||
# OCSP stapling
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
}
|
||||
|
||||
#HTTP
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name git.theschricks.com www.git.theschricks.com;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
#Redirect www
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name www.git.theschricks.com;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
100
nginx.conf
Normal file
100
nginx.conf
Normal file
@ -0,0 +1,100 @@
|
||||
user www-data;
|
||||
worker_processes auto;
|
||||
pid /run/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
# multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
|
||||
proxy_connect_timeout 600;
|
||||
proxy_send_timeout 600;
|
||||
proxy_read_timeout 600;
|
||||
fastcgi_send_timeout 600;
|
||||
fastcgi_read_timeout 600;
|
||||
client_header_timeout 600;
|
||||
client_body_timeout 600;
|
||||
client_max_body_size 512M;
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 650;
|
||||
types_hash_max_size 2048;
|
||||
server_tokens off;
|
||||
|
||||
# server_names_hash_bucket_size 128;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
#ALSO MUST CHANGE THE OPTIONS IN /etc/letsencrypt
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
#ssl_prefer_server_ciphers on;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
access_log /var/log/nginx/access.log;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
#add_header Set-Cookie "Path=/; HttpOnly; Secure";
|
||||
|
||||
##
|
||||
# Buffer Policy
|
||||
##
|
||||
client_body_buffer_size 1K;
|
||||
client_header_buffer_size 1k;
|
||||
large_client_header_buffers 2 1k;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
|
||||
# gzip_vary on;
|
||||
# gzip_proxied any;
|
||||
# gzip_comp_level 6;
|
||||
# gzip_buffers 16 8k;
|
||||
# gzip_http_version 1.1;
|
||||
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
|
||||
upstream pi3 {
|
||||
server 192.168.1.13;
|
||||
}
|
||||
|
||||
upstream pi2 {
|
||||
server 192.168.1.12:8107;
|
||||
|
||||
}
|
||||
|
||||
upstream pi1 {
|
||||
server 192.168.1.11:3000;
|
||||
}
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user