111 lines
3.5 KiB
Nginx Configuration File
111 lines
3.5 KiB
Nginx Configuration File
server {
|
|
listen 80 default_server;
|
|
listen [::]:80;
|
|
|
|
server_name lokal.ccc.de local.ccc.de;
|
|
access_log /dev/null;
|
|
|
|
location /.well-known {
|
|
root /var/plainwww;
|
|
}
|
|
|
|
location / {
|
|
rewrite ^ https://cpu.ccc.de$request_uri? permanent;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name cpu.ccc.de;
|
|
|
|
ssl on;
|
|
ssl_certificate /home/acme/.acme.sh/lokal.ccc.de/fullchain.cer;
|
|
ssl_certificate_key /home/acme/.acme.sh/lokal.ccc.de/lokal.ccc.de.key;
|
|
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_protocols TLSv1.2; # TLSv1.1 TLSv1.2 TLSv1 ;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
|
|
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
ssl_trusted_certificate /home/acme/.acme.sh/lokal.ccc.de/fullchain.cer;
|
|
resolver 141.1.1.1;
|
|
|
|
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
|
|
|
|
access_log /var/log/nginx/access.cpu.ccc.de.log noip;
|
|
|
|
gzip on;
|
|
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
|
|
gzip_proxied any;
|
|
gzip_buffers 16 8k;
|
|
gzip_types text/plain text/html text/css text/xml application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/javascript;
|
|
gzip_vary on;
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
add_header Cache-Control "max-age=3600, must-revalidate";
|
|
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
|
add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-eval' 'unsafe-inline' 'self' ; connect-src wss://cpu.ccc.de 'self' ; img-src 'self' data: blob: filesystem: ; style-src 'self' 'unsafe-inline' 'unsafe-eval' ; media-src 'self' ; font-src 'self' data: blob: filesystem; child-src 'self'";
|
|
add_header X-Content-Type-Options 'nosniff';
|
|
|
|
root /srv/www/cpu.ccc.de;
|
|
|
|
index index.html;
|
|
|
|
default_type text/plain;
|
|
|
|
location / {
|
|
try_files $uri $uri/ =404;
|
|
|
|
location /feed/ {
|
|
default_type application/rss+xml;
|
|
types {
|
|
text/xml application/rss+xml;
|
|
}
|
|
}
|
|
|
|
location /rss {
|
|
default_type application/rss+xml;
|
|
}
|
|
}
|
|
}
|
|
|
|
server {
|
|
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name lokal.ccc.de local.ccc.de;
|
|
|
|
root /srv/www/cpu.ccc.de;
|
|
access_log /dev/null;
|
|
|
|
ssl on;
|
|
ssl_certificate /home/acme/.acme.sh/lokal.ccc.de/fullchain.cer;
|
|
ssl_certificate_key /home/acme/.acme.sh/lokal.ccc.de/lokal.ccc.de.key;
|
|
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_protocols TLSv1.2; # TLSv1.1 TLSv1.2 TLSv1 ;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache builtin:1000 shared:SSL:10m;
|
|
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
|
|
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
ssl_trusted_certificate /home/acme/.acme.sh/lokal.ccc.de/fullchain.cer;
|
|
resolver 141.1.1.1;
|
|
|
|
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
|
|
|
|
location / {
|
|
rewrite ^ https://cpu.ccc.de$request_uri? permanent;
|
|
}
|
|
}
|
|
|