|
@@ -6,11 +6,9 @@ events {
|
6
|
6
|
|
7
|
7
|
http {
|
8
|
8
|
# Some SSL stuff
|
9
|
|
- # when move to nginx 1.13, add TLSv1.3 below
|
10
|
|
- ssl_protocols TLSv1.2;
|
11
|
|
- ssl_prefer_server_ciphers on;
|
12
|
|
- # specifically, not RC4.
|
13
|
|
- ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
|
|
9
|
+ ssl_protocols TLSv1.2 TLSv1.3;
|
|
10
|
+ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
|
|
11
|
+ ssl_prefer_server_ciphers on;
|
14
|
12
|
|
15
|
13
|
# Some global configurations
|
16
|
14
|
client_max_body_size 10M;
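Review bot: The new `ssl_ciphers` line still ends with four non-AEAD CBC suites (`ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`), so a TLS 1.2 client can still negotiate a CBC/HMAC cipher even though every client that supports ECDHE also supports the GCM or ChaCha20 suites listed ahead of them. Trimming the line to the six AEAD suites, `ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;`, keeps the same compatibility for any modern client and removes the padding-oracle class entirely. Note also that with an OpenSSL-backed nginx this list and `ssl_prefer_server_ciphers on` only govern TLS 1.2 and below; the TLS 1.3 suites enabled by the new `ssl_protocols TLSv1.2 TLSv1.3;` line are fixed AEAD suites selected separately, which is worth a comment in place of the generic `# Some SSL stuff` so the next reader does not expect the list to constrain 1.3.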
|
|
@@ -20,11 +18,20 @@ http {
|
20
|
18
|
keepalive_timeout 65;
|
21
|
19
|
gzip on;
|
22
|
20
|
|
|
21
|
+ # header crap
|
|
22
|
+ add_header X-Frame-Options "SAMEORIGIN" always;
|
|
23
|
+ add_header X-XSS-Protection "1; mode=block" always;
|
|
24
|
+ add_header X-Content-Type-Options "nosniff" always;
|
|
25
|
+ add_header Referrer-Policy "no-referrer" always;
|
|
26
|
+ add_header Content-Security-Policy "self" always;
|
|
27
|
+
|
23
|
28
|
# http://ja13.org and https://ja13.org
|
24
|
29
|
server {
|
25
|
30
|
server_name ja13.org;
|
26
|
|
- listen 80;
|
27
|
|
- listen 443 http2 ssl;
|
|
31
|
+ listen 80;
|
|
32
|
+ listen [::]:80;
|
|
33
|
+ listen 443 ssl http2;
|
|
34
|
+ listen [::]:443 ssl http2;
|
28
|
35
|
root /srv/http/http;
|
29
|
36
|
|
30
|
37
|
ssl_certificate /etc/letsencrypt/live/ja13.org-0001/fullchain.pem;
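Review bot: `add_header Content-Security-Policy "self" always;` sends a policy with no directive name, so browsers treat `self` as an unknown directive and ignore the whole header; the CSP added here is a no-op. A minimal valid policy is `add_header Content-Security-Policy "default-src 'self'" always;` (the single quotes around `self` are part of the CSP grammar), but `default-src 'self'` also blocks inline scripts and styles, so it should be checked against each site's pages before it ships. Separately, nginx's `add_header` is inherited from the `http` block only by `server` and `location` blocks that declare no `add_header` of their own; if any of the vhosts further down set their own headers, these five lines silently stop applying there — that inheritance rule deserves a comment in place of `# header crap`. The `server { ... }` for ja13.org continues past the end of this hunk.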
|
|
@@ -55,9 +62,14 @@ http {
|
55
|
62
|
server {
|
56
|
63
|
server_name john.ja13.org;
|
57
|
64
|
listen 80;
|
58
|
|
- listen 443 http2 ssl;
|
|
65
|
+ listen [::]:80;
|
|
66
|
+ listen 443 ssl http2;
|
|
67
|
+ listen [::]:443 ssl http2;
|
59
|
68
|
root /srv/http/john;
|
60
|
69
|
|
|
70
|
+ allow 10.0.0.0/24;
|
|
71
|
+ deny all;
|
|
72
|
+
|
61
|
73
|
ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
|
62
|
74
|
ssl_certificate_key /etc/letsencrypt/live/ja13.org/privkey.pem;
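Review bot: The access list added to john.ja13.org (`allow 10.0.0.0/24; deny all;`) is IPv4-only, while the same hunk adds `listen [::]:80;` and `listen [::]:443 ssl http2;`, so any LAN host that reaches the vhost over IPv6 will fall through to `deny all` and get a 403; if the LAN carries IPv6, the intended prefix needs its own `allow <LAN-IPv6-PREFIX>;` line (placeholder), otherwise the IPv6 listeners here only add an unreachable path. The same combination appears in the wifi.ja13.org hunk, where the pre-existing IPv4 allow list now also sits behind new `[::]` listeners. Note too that the restriction applies equally to the plaintext `listen 80;` / `listen [::]:80;` listeners, so the restricted content is still served in cleartext to allowed addresses; if that is not intended, the port-80 side should answer with `return 301 https://$host$request_uri;` instead of serving `root /srv/http/john`. The server block continues past the end of this hunk.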
|
63
|
75
|
|
|
@@ -70,7 +82,9 @@ http {
|
70
|
82
|
server {
|
71
|
83
|
server_name ns1.ja13.org;
|
72
|
84
|
listen 80;
|
73
|
|
- listen 443 http2 ssl;
|
|
85
|
+ listen [::]:80;
|
|
86
|
+ listen 443 ssl http2;
|
|
87
|
+ listen [::]:443 ssl http2;
|
74
|
88
|
root /srv/http/ns1;
|
75
|
89
|
|
76
|
90
|
ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
|
|
@@ -96,12 +110,14 @@ http {
|
96
|
110
|
server {
|
97
|
111
|
server_name wifi.ja13.org;
|
98
|
112
|
listen 80;
|
99
|
|
- listen 443 http2 ssl;
|
|
113
|
+ listen [::]:80;
|
|
114
|
+ listen 443 ssl http2;
|
|
115
|
+ listen [::]:443 ssl http2;
|
100
|
116
|
root /srv/http;
|
101
|
117
|
|
102
|
118
|
allow 10.0.0.0/24;
|
103
|
119
|
deny all;
|
104
|
|
-
|
|
120
|
+
|
105
|
121
|
ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
|
106
|
122
|
ssl_certificate_key /etc/letsencrypt/live/ja13.org/privkey.pem;
|
107
|
123
|
|
|
@@ -109,39 +125,6 @@ http {
|
109
|
125
|
proxy_set_header Referer "";
|
110
|
126
|
proxy_ssl_verify off;
|
111
|
127
|
proxy_pass https://127.0.0.1:8443;
|
112
|
|
- }
|
113
|
|
- }
|
114
|
|
-
|
115
|
|
- # http://source.ja13.org and https://source.ja13.org
|
116
|
|
- server {
|
117
|
|
- server_name source.ja13.org;
|
118
|
|
- listen 80;
|
119
|
|
- listen 443 http2 ssl;
|
120
|
|
-
|
121
|
|
- ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
|
122
|
|
- ssl_certificate_key /etc/letsencrypt/live/ja13.org/privkey.pem;
|
123
|
|
-
|
124
|
|
- location / {
|
125
|
|
- # this will probably be changed later
|
126
|
|
- proxy_pass http://10.0.0.10:80;
|
127
|
|
- }
|
128
|
|
-
|
129
|
|
- location /robots.txt {
|
130
|
|
- root /srv/http/common;
|
131
|
|
- index robots.txt;
|
132
|
|
- }
|
133
|
|
-
|
134
|
|
- location /favicon.ico {
|
135
|
|
- root /srv/http/common;
|
136
|
|
- index favicon.ico;
|
137
|
|
- }
|
138
|
|
- }
|
139
|
|
-
|
140
|
|
- server {
|
141
|
|
- server_name nx.ja13.org;
|
142
|
|
- listen 80;
|
143
|
|
- location / {
|
144
|
|
- return 301 https://docs.plm.automation.siemens.com/tdoc/nx/12.0.1/nx_help/;
|
145
|
128
|
}
|
146
|
129
|
}
|
147
|
130
|
|
|
@@ -149,7 +132,9 @@ http {
|
149
|
132
|
server {
|
150
|
133
|
server_name resume.ja13.org;
|
151
|
134
|
listen 80;
|
152
|
|
- listen 443 http2 ssl;
|
|
135
|
+ listen [::]:80;
|
|
136
|
+ listen 443 ssl http2;
|
|
137
|
+ listen [::]:443 ssl http2;
|
153
|
138
|
root /srv/http/resume;
|
154
|
139
|
|
155
|
140
|
ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
|
|
@@ -175,7 +160,9 @@ http {
|
175
|
160
|
server {
|
176
|
161
|
server_name _;
|
177
|
162
|
listen 80 default_server;
|
178
|
|
- listen 443 http2 default_server ssl;
|
|
163
|
+ listen [::]:80 default_server;
|
|
164
|
+ listen 443 ssl http2 default_server;
|
|
165
|
+ listen [::]:443 ssl http2 default_server;
|
179
|
166
|
root /srv/http/lost;
|
180
|
167
|
ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
|
181
|
168
|
ssl_certificate_key /etc/letsencrypt/live/ja13.org/privkey.pem;
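Review bot: The catch-all `server_name _;` block now terminates TLS on `listen 443 ssl http2 default_server;` and `listen [::]:443 ssl http2 default_server;` with the real ja13.org certificate, so a request for any hostname not matched by a named vhost — including scans by IP address with no SNI — completes a valid handshake and is served `/srv/http/lost`. If the intent is that only the named vhosts answer over TLS, the default server should refuse the handshake instead (`ssl_reject_handshake on;`, available where the installed nginx supports it; the page does not state the version), which also removes the need for the `ssl_certificate`/`ssl_certificate_key` pair in this block. Either way a one-line comment stating that this block is the deliberate catch-all for unmatched names would help, since nothing in the hunk says so. The server block continues past the end of this hunk.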
|