some stuff change

nginx.conf

@@ -6,11 +6,9 @@ events {
 
 http {
   # Some SSL stuff
-  # when move to nginx 1.13, add TLSv1.3 below
-  ssl_protocols TLSv1.2;
-  ssl_prefer_server_ciphers on;
-  # specifically, not RC4.
-  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
+  ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+	ssl_prefer_server_ciphers on;
 
   # Some global configurations
   client_max_body_size 10M;
@@ -20,11 +18,20 @@ http {
   keepalive_timeout  65;
   gzip  on;
 
+  # header crap
+  add_header X-Frame-Options "SAMEORIGIN" always;
+	add_header X-XSS-Protection "1; mode=block" always;
+	add_header X-Content-Type-Options "nosniff" always;
+	add_header Referrer-Policy "no-referrer" always;
+	add_header Content-Security-Policy "self" always;
+
   # http://ja13.org and https://ja13.org
   server {
     server_name ja13.org;
-    listen 80;
-    listen 443 http2 ssl;
+  	listen 80;
+  	listen [::]:80;
+  	listen 443 ssl http2;
+  	listen [::]:443 ssl http2;
     root /srv/http/http;
 
     ssl_certificate /etc/letsencrypt/live/ja13.org-0001/fullchain.pem;
@@ -55,9 +62,14 @@ http {
   server {
     server_name john.ja13.org;
     listen 80;
-    listen 443 http2 ssl;
+  	listen [::]:80;
+  	listen 443 ssl http2;
+  	listen [::]:443 ssl http2;
     root /srv/http/john;
 
+    allow 10.0.0.0/24;
+    deny all;
+
     ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/ja13.org/privkey.pem;
 
@@ -70,7 +82,9 @@ http {
   server {
     server_name ns1.ja13.org;
     listen 80;
-    listen 443 http2 ssl;
+  	listen [::]:80;
+  	listen 443 ssl http2;
+  	listen [::]:443 ssl http2;
     root /srv/http/ns1;
 
     ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
@@ -96,12 +110,14 @@ http {
   server {
     server_name wifi.ja13.org;
     listen 80;
-    listen 443 http2 ssl;
+  	listen [::]:80;
+  	listen 443 ssl http2;
+  	listen [::]:443 ssl http2;
     root /srv/http;
 
     allow 10.0.0.0/24;
     deny all;
-    
+
     ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/ja13.org/privkey.pem;
 
@@ -109,39 +125,6 @@ http {
       proxy_set_header Referer "";
       proxy_ssl_verify off;
       proxy_pass https://127.0.0.1:8443;
-    } 
-  }
-
-  # http://source.ja13.org and https://source.ja13.org
-  server {
-    server_name source.ja13.org;
-    listen 80;
-    listen 443 http2 ssl;
-
-    ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/ja13.org/privkey.pem;
-
-    location / {
-      # this will probably be changed later
-      proxy_pass http://10.0.0.10:80;
-    }
-
-    location /robots.txt {
-      root /srv/http/common;
-      index robots.txt;
-    }
-
-    location /favicon.ico {
-      root /srv/http/common;
-      index favicon.ico;
-    }
-  }
-
-  server {
-    server_name nx.ja13.org;
-    listen 80;
-    location / {
-      return 301 https://docs.plm.automation.siemens.com/tdoc/nx/12.0.1/nx_help/;
     }
   }
 
@@ -149,7 +132,9 @@ http {
   server {
     server_name resume.ja13.org;
     listen 80;
-    listen 443 http2 ssl;
+  	listen [::]:80;
+  	listen 443 ssl http2;
+  	listen [::]:443 ssl http2;
     root /srv/http/resume;
 
     ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
@@ -175,7 +160,9 @@ http {
   server {
     server_name _;
     listen 80 default_server;
-    listen 443 http2 default_server ssl;
+  	listen [::]:80 default_server;
+  	listen 443 ssl http2 default_server;
+  	listen [::]:443 ssl http2 default_server;
     root /srv/http/lost;
     ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/ja13.org/privkey.pem;