# Plain-HTTP virtual host: serves no content, only redirects to HTTPS.
server {
    server_name example.com www.example.com;

    # Accept cleartext connections on IPv4 and IPv6.
    listen [::]:80;
    listen 80;

    # The redirect target host is a fixed literal, not taken from the request's
    # Host header, so a forged Host value cannot steer the redirect elsewhere.
    # Only the path and query string ($request_uri) are carried over.
    return 301 https://www.example.com$request_uri;
}
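# HTTPS virtual host: terminates TLS for example.com and www.example.com,
# proxies dynamic requests to the local application on 127.0.0.1:5000 and
# serves /static/ straight from disk.
server {
    listen 443 ssl;
    # The port-80 server block in this file also listens on [::]:80 and
    # redirects to HTTPS, so IPv6 clients need a TLS listener as well.
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # "ssl on;" removed: the "ssl" flag on the listen directives already
    # enables TLS, and the standalone directive is deprecated and no longer
    # accepted by newer nginx releases.
    ssl_certificate     /var/app/ssl/example.com-bundle.crt;
    ssl_certificate_key /var/app/ssl/example.com.key;

    server_tokens off;

    # NOTE: add_header is attached only to successful and redirect responses
    # unless the "always" parameter is appended (nginx 1.7.5+). Any add_header
    # placed inside a location block replaces this whole inherited set.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    # Legacy header: current browsers have removed the XSS auditor, so this is
    # not a substitute for a Content-Security-Policy.
    add_header X-XSS-Protection "1; mode=block";

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    # Still needed for the DHE-RSA suite kept in ssl_ciphers below.
    ssl_dhparam /var/app/ssl/dhparam.pem;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and have been dropped here.
    # Add TLSv1.3 where the installed nginx/OpenSSL builds support it.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only. The previous list also allowed 3DES
    # (DES-CBC3-SHA), static-RSA key exchange, CBC-mode suites and the broad
    # "AES"/"CAMELLIA" aliases, which let a client negotiate much weaker
    # parameters than the server's first choices.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;

    # OCSP stapling. The resolver is used to look up the OCSP responder; these
    # are plain DNS queries to a public resolver, so a resolver on a trusted
    # local network is preferable where one is available.
    resolver 8.8.8.8;
    ssl_stapling on;
    # NOTE(review): the file name suggests this is the site certificate itself;
    # ssl_trusted_certificate is meant to hold the issuer chain (intermediates
    # and root). Confirm its contents, then consider "ssl_stapling_verify on;".
    ssl_trusted_certificate /var/app/ssl/example.com.crt;

    # One year of HSTS, applied to every subdomain of the responding host.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    access_log /var/app/logs/example.com-access.log;

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so the backend should trust only the last entry (or
        # X-Real-IP) when it needs the client address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The upstream hop is plain HTTP; tell the application the original
        # request arrived over HTTPS so it can build correct URLs and mark
        # cookies Secure.
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # "^~" stops regex location matching for anything under /static/.
    location ^~ /static/ {
        include /etc/nginx/mime.types;
        # Both the location prefix and the alias end in "/", which keeps
        # requests from resolving to paths outside /var/app/static/.
        alias /var/app/static/;
    }
}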