# Process identity and top-level logging for the master process.
user nginx;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;

# Spawn one worker per available CPU core.
worker_processes auto;

events {
    # Upper bound on simultaneous connections handled by each worker.
    worker_connections 1024;
}
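http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # NOTE(review): 4G applies to every request on every vhost, including the
    # port-80 redirector; if only one upload path needs it, scope it to that
    # location instead.
    client_max_body_size 4G;

    # Source-IP blocklist rendered from the cookbook attribute; applies to all
    # vhosts below. Anything not listed is allowed (nginx default).
    <% @blacklisted_ips.each do |ip| %>
    deny <%= ip %>;
    <% end %>

    upstream backend {
        server 127.0.0.1:9292 fail_timeout=0;
    }

    # Plain-HTTP listener: its only job is to redirect to HTTPS.
    # No Strict-Transport-Security here: browsers ignore HSTS received over
    # plain HTTP (RFC 6797 section 8.1), so the header is sent by the TLS
    # server below instead.
    server {
        listen 80 deferred;
        server_name <%= @domain %>;
        server_tokens off;
        # $server_name (configured) rather than $host (client-supplied) so the
        # redirect target cannot be steered by an attacker-controlled Host header.
        # $request_uri already carries the query string.
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 default_server ssl;
        server_name <%= @domain %>;
        server_tokens off;
        root <%= node['stronglifters']['root_path'] %>/current/public;

        ssl_certificate /etc/letsencrypt/live/<%= @domain %>/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/<%= @domain %>/privkey.pem;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the
        # original list. Add TLSv1.3 once the node's nginx/OpenSSL build supports
        # it; listing it on a build that does not will fail config validation.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        # Forward-secret AEAD suites first. DES-CBC3-SHA (3DES, Sweet32) was
        # removed from the preferred list and 3DES is now excluded explicitly;
        # the original '!DES' only excluded single DES.
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:10m;
        # Session-ticket keys are only rotated when nginx restarts; disable
        # tickets so resumption uses the server-side cache and a long-lived
        # ticket key cannot undermine forward secrecy.
        ssl_session_tickets off;
        # OCSP stapling stays disabled as in the original; enabling it needs a
        # resolver the node can actually reach.
        #ssl_stapling on;
        #ssl_stapling_verify on;
        #resolver 8.8.8.8 8.8.4.4 valid=300s;
        #resolver_timeout 5s;

        error_log /var/log/nginx/<%= @domain %>.error.log;
        access_log /var/log/nginx/<%= @domain %>.access.log;

        # Security response headers. nginx does NOT inherit add_header into a
        # location that declares its own add_header, so the same three lines
        # are repeated in the /assets/ location below; keep both lists in sync.
        # HSTS: two years. includeSubDomains is omitted because it would bind
        # every subdomain of <%= @domain %>; it is required for an actual
        # preload-list submission, so 'preload' alone is only a declaration.
        add_header Strict-Transport-Security "max-age=63072000; preload";
        add_header X-Frame-Options "DENY";
        add_header X-Content-Type-Options "nosniff";

        # Canonical-host redirect (bare domain -> www domain). Only rendered
        # when @domain has a 'www.' prefix: the original gsub(/www/, '') left a
        # leading dot (so the test never matched) and, for a bare @domain,
        # compared $host against the canonical host itself (redirect loop).
        <% bare_domain = @domain.sub(/\Awww\./, '') %>
        <% if bare_domain != @domain %>
        if ($host = '<%= bare_domain %>') {
            return 301 https://<%= @domain %>$request_uri;
        }
        <% end %>

        try_files $uri/index.html $uri @application;

        location ^~ /assets/ {
            gzip_static on;
            expires max;
            add_header Cache-Control public;
            add_header Access-Control-Allow-Origin '*';
            # Repeated here because declaring add_header in this location
            # suppresses inheritance of the server-level security headers.
            add_header Strict-Transport-Security "max-age=63072000; preload";
            add_header X-Frame-Options "DENY";
            add_header X-Content-Type-Options "nosniff";
        }

        location @application {
            # Standard header name; Rack maps both X-Forwarded-Proto and the
            # old X_FORWARDED_PROTO spelling to HTTP_X_FORWARDED_PROTO, so the
            # application sees the same value ($scheme is https on this vhost).
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Url-Scheme $scheme;
            proxy_redirect off;
            proxy_pass http://backend;
        }

        error_page 500 502 503 504 /500.html;
        keepalive_timeout 10;
    }
}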