Commit ec7457ea authored by Mattia Rizzolo's avatar Mattia Rizzolo

nginx: add a bunch of confs for better proxying and security

Signed-off-by: Mattia Rizzolo's avatarMattia Rizzolo <mattia@debian.org>
parent 6730740d
...@@ -17,6 +17,7 @@ ...@@ -17,6 +17,7 @@
mode: 0644 mode: 0644
with_items: with_items:
- misc.conf
- optimize.conf - optimize.conf
notify: notify:
......
# proxy settings
include proxy_params; # directly coming from the nginx package, they are sane
proxy_set_header X-Forwarded-Server $hostname;
# security/privacy settings
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Xss-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "strict-origin-when-cross-origin";
# shared ssl settings
ssl_session_cache shared:SSL:5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5;
ssl_prefer_server_ciphers on;
#ssl_dhparam dhparams.pem;
...@@ -18,11 +18,12 @@ server { ...@@ -18,11 +18,12 @@ server {
listen 443 ssl http2; listen 443 ssl http2;
server_name {{ item.key }}; server_name {{ item.key }};
ssl_certificate /etc/ssl/localcerts/{{ item.key }}/fullchain.pem; ssl_certificate {{ ssl_home }}/localcerts/{{ item.key }}/fullchain.pem;
ssl_certificate_key /etc/ssl/localcerts/{{ item.key }}/privkey.pem; ssl_certificate_key {{ ssl_home }}/localcerts/{{ item.key }}/privkey.pem;
location / { location / {
proxy_set_header Host {{ item.key }};
proxy_pass http://{{ item.value }}/; proxy_pass http://{{ item.value }}/;
} }
include /etc/nginx/snippets/dehydrated.conf;
} }
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment