hedgedocs-nginx.conf.j2 2.32 KB
Newer Older
nono's avatar
nono committed
1
2
3
4
5
map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}
server {
6
        server_name {{ service_hedgedocs_domain.split("https://")[0] | lower  }};
nono's avatar
nono committed
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

        location / {
                proxy_pass http://127.0.0.1:3000;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /socket.io/ {
                proxy_pass http://127.0.0.1:3000;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        }

    listen [::]:443 ssl http2;
    listen 443 ssl http2;
nono's avatar
nono committed
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

    ssl_certificate /etc/letsencrypt/live/{{ service_hedgedocs_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ service_hedgedocs_domain }}/fullchain.pem;

  	# Improve HTTPS performance with session resumption
  	ssl_session_cache shared:SSL:10m;
  	ssl_session_timeout 10m;

	# Enable server-side protection against BEAST attacks
  	ssl_protocols TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

    # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
    ssl_dhparam /etc/ssl/ffdhe4096.pem;
    ssl_ecdh_curve secp521r1:secp384r1;

	# Aditional Security Headers
	# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

	# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
	add_header X-Frame-Options DENY always;

	# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
	add_header X-Content-Type-Options nosniff always;

	# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
	add_header X-Xss-Protection "1; mode=block" always;
nono's avatar
nono committed
57
}