tengine/example.com.conf at master · Axizdkr/tengine · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
upstream back.example.com  {

    # list of backend servers
    server backend1.local;
    server backend2.local;
    server backend3.local;

    # sticky session on
    session_sticky;

    #chek interval in ms
    check interval=3000 rise=1 fall=3 timeout=3000 type=http default_down=true;
    check_keepalive_requests 1;
    check_http_send "HEAD / HTTP/1.1\r\nhost: example.com\r\nConnection: close\r\n\r\n";
    check_http_expect_alive http_2xx;

}


server {
    listen 80;
    server_name     example.com www.example.com;
    location / {
	# redirect to https
	return 301 https://$host$request_uri;
    }
    location ~ ^/(.well-known/acme-challenge/.*)$ {
	# redirect to acme storage
	proxy_pass		http://acme.local/$1;
	proxy_set_header	X-Real-IP $remote_addr;
	proxy_set_header	Host $http_host;
	proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

server {
	#ssl settings
	### server port and name ###
	listen			443 ssl;
	server_name		example.com www.example.com;

	access_log		off;
	error_log		/var/log/nginx/example.com-error.log;

	### SSL cert files ###
	ssl_certificate		/cert/example.cer;
	ssl_certificate_key	/cert/example.key;

	#ssl proto only
	ssl_protocols		TLSv1.1 TLSv1.2 TLSv1.3;
	# stapling on
	ssl_stapling		on;
	ssl_stapling_verify	on;
	# cipher methods restrict
	ssl_ciphers		HIGH:!aNULL:!MD5:!CAMELLIA;
	ssl_prefer_server_ciphers on;
	keepalive_timeout       60;
	ssl_session_cache       shared:SSL:10m;
	ssl_session_timeout     10m;
	ssl_dhparam             /cert/dhparam.pem;
	# HSTS
	add_header Strict-Transport-Security "max-age=31536000; preload" always;


	location / {
		proxy_pass  http://back.example.com/;

		proxy_next_upstream	error timeout invalid_header http_500 http_502 http_503 http_504;
		proxy_set_header        Accept-Encoding   "";
		proxy_set_header        Host            $host;
		proxy_set_header        X-Real-IP       $remote_addr;
		proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header        X-Forwarded-Proto $scheme;
		add_header              Front-End-Https   on;
		proxy_redirect		off;
	}

}