nginx.conf.sample


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

   server {
        listen [::]:80;
        listen [::]:443 ssl http2;
        listen 80;
        listen 443 ssl http2;
        server_name dokumente.foo.com;

        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate /var/dehydrated/certs/dokumente.foo.com/fullchain.pem;
        ssl_certificate_key /var/dehydrated/certs/dokumente/privkey.pem;
        ssl_dhparam /usr/local/etc/nginx/dhparams-4096.pem;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;

        # modern configuration. tweak to your needs.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA25
6:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-S
HA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
        ssl_prefer_server_ciphers on;

        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;

        client_max_body_size 300M;

        location ~ ^/(Public|static|dropzone) {
                proxy_pass http://127.0.1.9:8000;
        }

        location ~ ^/Dokumente/([^/]+)(/.*)? {
                auth_basic "Dokumente Admin Area";
                auth_basic_user_file /var/run/Filer/Daten/Mandanten/$1;
                proxy_pass http://127.0.1.9:8000;
        }

        location /admin {
                auth_basic "Administratorenbereich";
                auth_basic_user_file //var/run/Filer/Daten/admin.pw;
                proxy_pass http://127.0.1.9:8000;
                proxy_set_header Host            $host;
                proxy_set_header X-Forwarded-Proto https;
                proxy_set_header X-Scheme $scheme;
                proxy_set_header X-Forwarded-For $remote_addr;
        }

        location /.well-known/acme-challenge/ {
          alias /usr/local/www/dehydrated/;
        }
    }