|
| 1 | +server { |
| 2 | + listen 80; |
| 3 | + listen [::]:80 ipv6only=on; |
| 4 | + server_name localhost; |
| 5 | + |
| 6 | + access_log off; |
| 7 | + |
| 8 | + rewrite ^ https://$host$request_uri? permanent; |
| 9 | +} |
| 10 | + |
| 11 | +# HTTPS configuration |
| 12 | + |
| 13 | +server { |
| 14 | + listen 443; |
| 15 | + listen [::]:443 ipv6only=on; |
| 16 | + server_name localhost; |
| 17 | + |
| 18 | + access_log off; |
| 19 | + |
| 20 | + ssl on; |
| 21 | + |
| 22 | + # support only known-secure cryptographic protocols |
| 23 | + # SSLv3 is broken by POODLE as of October 2014 |
| 24 | + ssl_protocols TLSv1.2 TLSv1.3; |
| 25 | + |
| 26 | + # make the server choose the best cipher instead of the browser |
| 27 | + # Perfect Forward Secrecy(PFS) is frequently compromised without this |
| 28 | + ssl_prefer_server_ciphers on; |
| 29 | + |
| 30 | + # support only believed secure ciphersuites using the following priority: |
| 31 | + # 1.) prefer PFS enabled ciphers |
| 32 | + # 2.) prefer AES128 over AES256 for speed (AES128 has completely adequate security for now) |
| 33 | + # 3.) Support DES3 for IE8 support |
| 34 | + # |
| 35 | + # disable the following ciphersuites completely |
| 36 | + # 1.) null ciphers |
| 37 | + # 2.) ciphers with low security |
| 38 | + # 3.) fixed ECDH cipher (does not allow for PFS) |
| 39 | + # 4.) known vulnerable cypers (MD5, RC4, etc) |
| 40 | + # 5.) little-used ciphers (Camellia, Seed) |
| 41 | + ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 +SHA !DES-CBC3-SHA !aNULL !eNULL !LOW !kECDH !DSS !3DES !MD5 !EXP !PSK !SRP !CAMELLIA !SEED'; |
| 42 | + |
| 43 | + # Cache SSL Sessions for up to 10 minutes |
| 44 | + # This improves performance by avoiding the costly session negotiation process where possible |
| 45 | + ssl_session_cache shared:SSL:50m; |
| 46 | + ssl_session_timeout 1d; |
| 47 | + ssl_session_tickets off; |
| 48 | + |
| 49 | + # allow Nginx to send OCSP results during the connection process |
| 50 | + ssl_stapling on; |
| 51 | + |
| 52 | + # Use 2048 bit Diffie-Hellman RSA key parameters |
| 53 | + # (otherwise Nginx defaults to 1024 bit, lowering the strength of encryption # when using PFS) |
| 54 | + # Generated by OpenSSL with the following command: |
| 55 | + # openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048 |
| 56 | + ssl_dhparam /path/to/dhparams.pem; |
| 57 | + |
| 58 | + # Provide path to certificates and keys |
| 59 | + ssl_certificate /path/to/certificate-bundle.crt; |
| 60 | + ssl_certificate_key /path/to/certificate-key.key; |
| 61 | + ssl_trusted_certificate /path/to/chain.pem; |
| 62 | + |
| 63 | + location = /i { |
| 64 | + if ($http_content_type = "text/ping") { |
| 65 | + return 404; |
| 66 | + } |
| 67 | + # countly server is running with ssl, so use https here |
| 68 | + proxy_pass https://localhost:3001; |
| 69 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 70 | + proxy_set_header X-Real-IP $remote_addr; |
| 71 | + # if countly server is using self-signed certificate, this will disable certificate verification |
| 72 | + proxy_ssl_verify off; |
| 73 | + } |
| 74 | + |
| 75 | + location ^~ /i/ { |
| 76 | + if ($http_content_type = "text/ping") { |
| 77 | + return 404; |
| 78 | + } |
| 79 | + # countly server is running with ssl, so use https here |
| 80 | + proxy_pass https://localhost:3001; |
| 81 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 82 | + proxy_set_header X-Real-IP $remote_addr; |
| 83 | + # if countly server is using self-signed certificate, this will disable certificate verification |
| 84 | + proxy_ssl_verify off; |
| 85 | + } |
| 86 | + |
| 87 | + location = /o { |
| 88 | + if ($http_content_type = "text/ping") { |
| 89 | + return 404; |
| 90 | + } |
| 91 | + # countly server is running with ssl, so use https here |
| 92 | + proxy_pass https://localhost:3001; |
| 93 | + # if countly server is using self-signed certificate, this will disable certificate verification |
| 94 | + proxy_ssl_verify off; |
| 95 | + } |
| 96 | + |
| 97 | + location ^~ /o/ { |
| 98 | + if ($http_content_type = "text/ping") { |
| 99 | + return 404; |
| 100 | + } |
| 101 | + # countly server is running with ssl, so use https here |
| 102 | + proxy_pass https://localhost:3001; |
| 103 | + # if countly server is using self-signed certificate, this will disable certificate verification |
| 104 | + proxy_ssl_verify off; |
| 105 | + } |
| 106 | + |
| 107 | + location / { |
| 108 | + if ($http_content_type = "text/ping") { |
| 109 | + return 404; |
| 110 | + } |
| 111 | + # countly server is running with ssl, so use https here |
| 112 | + proxy_pass https://localhost:6001; |
| 113 | + proxy_set_header Host $http_host; |
| 114 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 115 | + proxy_set_header X-Real-IP $remote_addr; |
| 116 | + # if countly server is using self-signed certificate, this will disable certificate verification |
| 117 | + proxy_ssl_verify off; |
| 118 | + } |
| 119 | +} |
| 120 | + |
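Review bot: `ssl_stapling on;` (file line 50) is enabled without `ssl_stapling_verify on;`, so the OCSP response nginx staples is never validated against the chain in `ssl_trusted_certificate`, which this file already sets; add `ssl_stapling_verify on;` next to it. The comments also disagree with the directives they describe: file line 33 says 3DES is kept for IE8 while the cipher string excludes it with `!3DES !DES-CBC3-SHA`, and file line 43 says sessions are cached for 10 minutes while `ssl_session_timeout 1d;` keeps them for a day — the comments should be updated to match what is configured. `ssl on;` is the deprecated form; since the block already lists TLSv1.3, which implies a newer nginx, `listen 443 ssl;` and `listen [::]:443 ssl ipv6only=on;` is the supported spelling. `proxy_ssl_verify off;` in every location disables upstream certificate checks entirely; pointing `proxy_ssl_trusted_certificate` at the Countly server's certificate lets verification stay on even for a self-signed upstream.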