From 8f5160bf28a3c4e8e61425ab627ea05dfffd8943 Mon Sep 17 00:00:00 2001
From: "root@culturestrings" <root@culturestrings>
Date: Mon, 18 May 2020 08:38:41 +0000
Subject: web: added nginx's common configuration files.

---
 public/fs/etc/nginx/certs.d/culturestrings.org |  1 +
 public/fs/etc/nginx/conf.d/ssl_params          | 17 ++++++++
 public/fs/etc/nginx/nginx.conf                 | 59 ++++++++++++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 120000 public/fs/etc/nginx/certs.d/culturestrings.org
 create mode 100644 public/fs/etc/nginx/conf.d/ssl_params
 create mode 100644 public/fs/etc/nginx/nginx.conf

(limited to 'public/fs/etc/nginx')

diff --git a/public/fs/etc/nginx/certs.d/culturestrings.org b/public/fs/etc/nginx/certs.d/culturestrings.org
new file mode 120000
index 0000000..f5b4d30
--- /dev/null
+++ b/public/fs/etc/nginx/certs.d/culturestrings.org
@@ -0,0 +1 @@
+/home/webroot/midipix.org
\ No newline at end of file
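Review bot: The link name and its target disagree: `certs.d/culturestrings.org` resolves to `/home/webroot/midipix.org`, so the `ssl_certificate_key` path used in nginx.conf ends up at `/home/webroot/midipix.org/ssl/privkey.pem`. If anything under `/home/webroot` is served as a document root or is writable by a less privileged account (the name suggests it may be, though the diff does not show it), the private key should live outside that tree and be readable only by root. The target is also an absolute path, so the link dangles on any host where that directory is missing; a line in the commit message saying why the culturestrings.org certificates come from the midipix.org directory would help the next reader.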
diff --git a/public/fs/etc/nginx/conf.d/ssl_params b/public/fs/etc/nginx/conf.d/ssl_params
new file mode 100644
index 0000000..9af9de4
--- /dev/null
+++ b/public/fs/etc/nginx/conf.d/ssl_params
@@ -0,0 +1,17 @@
+ssl_trusted_certificate       /home/webroot/letsencrypt/ssl/chain.pem;
+
+ssl_stapling                  on;
+ssl_stapling_verify           on;
+ssl_prefer_server_ciphers     on;
+
+ssl_ciphers                   TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!EDH:!CAMELLIA:!3DES:!DES:!MD5:!PSK:!RC4:!RSA;
+ssl_protocols                 TLSv1.2 TLSv1.3;
+ssl_ecdh_curve                X25519:secp384r1;
+
+ssl_session_cache             shared:SSL:1m;
+ssl_session_timeout           5m;
+
+add_header                    Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header                    X-Frame-Options DENY;
+add_header                    X-Content-Type-Options nosniff;
+add_header                    X-XSS-Protection "1; mode=block";
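Review bot: The four `add_header` lines at the end of this file apply only to success and redirect responses, and nginx drops all of them for any `server` or `location` that declares an `add_header` of its own, so a vhost pulled in from `vhosts.d/*.conf` can silently lose HSTS and the other headers. Adding `always` covers error responses, e.g. `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;`, and a comment above the block should warn that vhosts adding their own headers must re-include this file. `ssl_stapling on` also needs a `resolver` directive to look up the OCSP responder's hostname, and none is set in the files shown. The `TLS13-*` and `-OLD` entries in `ssl_ciphers` look library-specific; it is worth confirming against the TLS library nginx is linked with that they are recognised rather than silently ignored.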
diff --git a/public/fs/etc/nginx/nginx.conf b/public/fs/etc/nginx/nginx.conf
new file mode 100644
index 0000000..9b92ab4
--- /dev/null
+++ b/public/fs/etc/nginx/nginx.conf
@@ -0,0 +1,59 @@
+worker_processes  1;
+
+load_module lib64/nginx/modules/ngx_http_fancyindex_module.so;
+
+events {
+    worker_connections  1024;
+    use epoll;
+}
+
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+    tcp_nopush      on;
+
+    keepalive_timeout  65;
+
+    include conf.d/*.conf;
+
+    server {
+        listen       [::]:80 default_server ipv6only=off reuseport;
+        server_name  localhost;
+
+        location / {
+            root   /srv/www/htdocs/;
+            index  index.html index.htm;
+        }
+
+        error_page 500 502 503 504  /50x.html;
+
+        location = /50x.html {
+            root   /srv/www/htdocs/;
+        }
+    }
+
+    server {
+        listen       [::]:443 default_server ssl http2 ipv6only=off reuseport;
+        server_name  localhost;
+
+        ssl_certificate       /etc/nginx/certs.d/culturestrings.org/ssl/fullchain.pem;
+        ssl_certificate_key   /etc/nginx/certs.d/culturestrings.org/ssl/privkey.pem;
+
+        location / {
+            root   /srv/www/htdocs/;
+            index  index.html index.htm;
+        }
+
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /srv/www/htdocs/;
+        }
+
+    }
+
+    include conf.d/ssl_params;
+    include vhosts.d/*.conf;
+}
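Review bot: The port-80 default server serves `/srv/www/htdocs/` over cleartext instead of redirecting, while ssl_params (included at `http` level, so it applies here too) advertises HSTS with `preload`; preload-list eligibility expects HTTP to redirect to HTTPS on the same host, and browsers ignore HSTS received over plain HTTP. Unless cleartext serving is intentional, replace the `location /` body in that server with `return 301 https://$host$request_uri;`. The 443 `default_server` also answers any unmatched host name with this certificate and document root, which deserves a one-line comment saying it is deliberate. `server_tokens off;` in the `http` block would keep the version string out of the `Server` header and error pages, and no `user` directive is set, so the worker account falls back to the compile-time default.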
-- 
cgit v1.2.3