89 lines
2.9 KiB
Plaintext
89 lines
2.9 KiB
Plaintext
upstream docservice {
|
|
server 10.0.0.34:4433;
|
|
}
|
|
|
|
map $http_host $this_host {
|
|
"" $host;
|
|
default $http_host;
|
|
}
|
|
|
|
map $http_x_forwarded_proto $the_scheme {
|
|
default $http_x_forwarded_proto;
|
|
"" $scheme;
|
|
}
|
|
|
|
map $http_x_forwarded_host $the_host {
|
|
default $http_x_forwarded_host;
|
|
"" $this_host;
|
|
}
|
|
|
|
map $http_upgrade $proxy_connection {
|
|
default upgrade;
|
|
"" close;
|
|
}
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $proxy_connection;
|
|
proxy_set_header X-Forwarded-Host $the_host;
|
|
proxy_set_header X-Forwarded-Proto $the_scheme;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
## Normal HTTP host
|
|
server {
|
|
listen 0.0.0.0:80;
|
|
server_name onlyoffice.egonetix.de;
|
|
server_tokens off;
|
|
|
|
## Redirects all traffic to the HTTPS host
|
|
root /nowhere; ## root doesn't have to be a valid path since we are redirecting
|
|
rewrite ^ https://$host$request_uri? permanent;
|
|
}
|
|
|
|
server {
|
|
listen 0.0.0.0:443 ssl;
|
|
server_name onlyoffice.egonetix.de;
|
|
server_tokens off;
|
|
root /usr/share/nginx/html;
|
|
|
|
## Strong SSL Security
|
|
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
ssl on;
|
|
ssl_certificate /etc/letsencrypt/live/egonetix.de/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/egonetix.de/privkey.pem;
|
|
|
|
ssl_verify_client off;
|
|
|
|
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
add_header Strict-Transport-Security max-age=31536000;
|
|
# add_header X-Frame-Options SAMEORIGIN;
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
|
## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
|
|
## Replace with your ssl_trusted_certificate. For more info see:
|
|
## - https://medium.com/devops-programming/4445f4862461
|
|
## - https://www.ruby-forum.com/topic/4419319
|
|
## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
|
|
# ssl_stapling on;
|
|
# ssl_stapling_verify on;
|
|
# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
|
|
# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
|
|
# resolver_timeout 10s;
|
|
|
|
## [Optional] Generate a stronger DHE parameter:
|
|
## cd /etc/ssl/certs
|
|
## sudo openssl dhparam -out dhparam.pem 4096
|
|
##
|
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
|
|
|
location / {
|
|
proxy_pass https://docservice;
|
|
proxy_http_version 1.1;
|
|
}
|
|
}
|