Commit d24d972d authored by nono's avatar nono 💻
Browse files

Updated Nginx config

parent 17cc88a7
......@@ -3,7 +3,7 @@ map $http_upgrade $connection_upgrade {
'' close;
}
server {
server_name {{hedgedoc-domain}};
server_name {{ service_hedgedocs_domain }};
location / {
proxy_pass http://127.0.0.1:3000;
......@@ -25,8 +25,35 @@ server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate {{hedgedocs-ssl-fullchain}};
ssl_certificate_key {{hedgedocs-ssl-privkey}};
ssl_certificate /etc/letsencrypt/live/{{ service_hedgedocs_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ service_hedgedocs_domain }}/fullchain.pem;
include options-ssl-nginx.conf;
ssl_dhparam {{ hedgedocs-ssl-dhparams}};
# Improve HTTPS performance with session resumption
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Enable server-side protection against BEAST attacks
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
# RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
ssl_dhparam /etc/ssl/ffdhe4096.pem;
ssl_ecdh_curve secp521r1:secp384r1;
# Aditional Security Headers
# ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options DENY always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment