nginx
authorJames Bunton <jamesbunton@delx.net.au>
Sun, 9 Feb 2020 04:50:30 +0000 (15:50 +1100)
committerJames Bunton <jamesbunton@delx.net.au>
Sun, 9 Feb 2020 04:50:30 +0000 (15:50 +1100)
etc/nginx/nginx.conf [new file with mode: 0644]
etc/nginx/sites-available/default [new file with mode: 0644]
etc/nginx/sites-available/example.com [new file with mode: 0644]
etc/nginx/sites-enabled/0000_default [new symlink]
etc/nginx/snippets/listen-http.conf [new file with mode: 0644]
etc/nginx/snippets/listen-tls.conf [new file with mode: 0644]
etc/nginx/snippets/standard-server.conf [new file with mode: 0644]

diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
new file mode 100644 (file)
index 0000000..cd5cf36
--- /dev/null
@@ -0,0 +1,21 @@
+user http;
+worker_processes 1;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include mime.types;
+    default_type application/octet-stream;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+
+    access_log syslog:server=unix:/dev/log,tag=nginx,nohostname,severity=info combined;
+    error_log  syslog:server=unix:/dev/log,tag=nginx,nohostname,severity=error;
+
+    include sites-enabled/*;
+}
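Review bot: The http block at L27–L40 leaves `server_tokens` at its default, so the nginx version string is sent in the `Server` header and printed on the built-in error pages, including the `return 404` page of the default site. Adding `server_tokens off;` next to `sendfile on;` removes the version from both. The choice of syslog for both logs is otherwise fine; a short comment above L36, `# both logs go to journald via /dev/log; nothing is written under /var/log/nginx`, would save the next reader from looking for log files on disk.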
diff --git a/etc/nginx/sites-available/default b/etc/nginx/sites-available/default
new file mode 100644 (file)
index 0000000..e79ef07
--- /dev/null
@@ -0,0 +1,6 @@
+server {
+    include snippets/listen-http.conf;
+    include snippets/listen-tls.conf;
+
+    return 404;
+}
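Review bot: This catch-all server declares no `server_name` and the listen directives it pulls in from the two snippets carry no `default_server` flag, so it only handles unmatched hosts because the `0000_default` symlink sorts first in `include sites-enabled/*`. Any later vhost whose filename sorts before it would silently become the default for that socket. A comment such as `# must be the first server per listen socket: the shared snippets set no default_server flag` would make the ordering dependency explicit; alternatively write the listen lines inline here with `default_server` instead of including the shared snippets. Note also that, via listen-tls.conf, this server presents the example.com certificate to any TLS client with an unknown SNI name before returning 404, which is presumably acceptable but worth stating in the file.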
diff --git a/etc/nginx/sites-available/example.com b/etc/nginx/sites-available/example.com
new file mode 100644 (file)
index 0000000..f40514b
--- /dev/null
@@ -0,0 +1,15 @@
+server {
+    include snippets/listen-tls.conf;
+    server_name example.com;
+
+    root /srv/http/example.com;
+
+    include snippets/standard-server.conf;
+}
+
+server {
+    include snippets/listen-http.conf;
+    server_name example.com;
+
+    return 301 https://example.com$request_uri;
+}
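Review bot: The port-80 server at L66–L71 redirects every request, including `/.well-known/acme-challenge/…`, to HTTPS, while the challenge `location` from standard-server.conf is included only in the TLS server at L57–L64. Renewal presumably still works because the validator follows the redirect, but first issuance — or recovery once `/home/letsencrypt/output/latest.pem` is missing or expired — has no working TLS endpoint to redirect to. Serving the challenge directory directly on port 80 and limiting the redirect to `location /` removes that circular dependency.
```nginx
server {
    # … unchanged: listen-http.conf include, server_name …

    location /.well-known/acme-challenge {
        alias /home/letsencrypt/web-acme-challenge;
    }

    location / {
        return 301 https://example.com$request_uri;
    }
}
```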
diff --git a/etc/nginx/sites-enabled/0000_default b/etc/nginx/sites-enabled/0000_default
new file mode 120000 (symlink)
index 0000000..6d9ba33
--- /dev/null
@@ -0,0 +1 @@
+../sites-available/default
\ No newline at end of file
diff --git a/etc/nginx/snippets/listen-http.conf b/etc/nginx/snippets/listen-http.conf
new file mode 100644 (file)
index 0000000..76cb18d
--- /dev/null
@@ -0,0 +1,2 @@
+listen 80;
+listen [::]:80;
diff --git a/etc/nginx/snippets/listen-tls.conf b/etc/nginx/snippets/listen-tls.conf
new file mode 100644 (file)
index 0000000..26eb327
--- /dev/null
@@ -0,0 +1,14 @@
+listen 443 ssl;
+listen [::]:443 ssl;
+
+ssl_certificate /home/letsencrypt/output/latest.pem;
+ssl_certificate_key /home/letsencrypt/domain-key.pem;
+
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+add_header "Strict-Transport-Security" "max-age=7776000; includeSubdomains" always;
+add_header X-Frame-Options "DENY" always;
+add_header Content-Security-Policy "upgrade-insecure-requests" always;
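Review bot: `ssl_protocols TLSv1.2;` with `ssl_prefer_server_ciphers on;` at L98–L99 is the older form of the Mozilla profile the comment at L97 links; the intermediate profile current at the commit date enables TLSv1.3 alongside TLSv1.2, sets `ssl_prefer_server_ciphers off`, configures a shared session cache and disables session tickets, none of which is set here, so nginx falls back to its built-in defaults for those. Whether TLSv1.3 can be enabled depends on the OpenSSL nginx is built against, which this commit does not show. Separately, nginx `add_header` directives are inherited only when the lower level defines no `add_header` of its own, so a future `location` that adds one header silently drops the HSTS, X-Frame-Options and CSP headers set at L102–L104; a comment above L102, `# add_header is not merged with lower levels: a location that adds a header must repeat all of these`, would keep that from surprising the next editor. `add_header X-Content-Type-Options "nosniff" always;` is the one commonly paired header missing from the set.
```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# … unchanged: ssl_ciphers, add_header lines …
```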
diff --git a/etc/nginx/snippets/standard-server.conf b/etc/nginx/snippets/standard-server.conf
new file mode 100644 (file)
index 0000000..46fa4c2
--- /dev/null
@@ -0,0 +1,28 @@
+location ~ /\.git/ {
+    return 403;
+}
+
+
+location = /favicon.ico {
+    log_not_found off;
+    access_log off;
+}
+
+location ~ /apple-touch-icon[^/]*.png {
+    log_not_found off;
+    access_log off;
+}
+
+location = /robots.txt {
+    log_not_found off;
+    access_log off;
+}
+
+location /.well-known/acme-challenge {
+    alias /home/letsencrypt/web-acme-challenge;
+    auth_basic off;
+}
+
+location /healthcheck {
+    return 200;
+}
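Review bot: The regex `location ~ /\.git/` at L110 blocks only paths containing `/.git/`, so other hidden files under the web root — `/.gitignore`, `/.htaccess`, `/.env`, `/.svn/` — are still served by any server that includes this snippet. A broader `location ~ /\. { return 403; }` covers every dot-path, but since regex locations take precedence over plain prefix locations it would also catch the ACME path; change L130 to `location ^~ /.well-known/acme-challenge {` so that the prefix match wins and regexes are not checked for it. Minor: the apple-touch-icon pattern at L120 has an unescaped `.` before `png` and no `$` anchor; `location ~ /apple-touch-icon[^/]*\.png$ {` is presumably what was intended.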