+upstream dev.nutra.tk {
+ keepalive 100;
+ server 127.0.0.1:20000;
+ # server unix:/tmp/sanic.sock;
+}
+
server {
- listen 80;
- server_name localhost;
-
- #access_log /var/log/nginx/host.access.log main;
-
- location / {
- root /usr/share/nginx/html;
- index index.html index.htm;
- }
-
- #error_page 404 /404.html;
-
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
-
- # proxy the PHP scripts to Apache listening on 127.0.0.1:80
- #
- #location ~ \.php$ {
- # proxy_pass http://127.0.0.1;
- #}
-
- # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
- #
- #location ~ \.php$ {
- # root html;
- # fastcgi_pass 127.0.0.1:9000;
- # fastcgi_index index.php;
- # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
- # include fastcgi_params;
- #}
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
+ server_name dev.nutra.tk;
+ # listen 80 default_server;
+ # listen [::]:80 ipv6only=on;
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl ipv6only=on; # managed by Certbot
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
+ # ssl_protocols TLSv1 TLSv1.1; # support legacy browsers
+ # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+
+ client_max_body_size 50m;
+
+ # React app (base URL)
+ location / {
+ root /var/www/app;
+ index index.html;
+ #try_files $uri $uri/ /index.html =404;
+ }
+
+
+ # Blog / Sphinx
+ location /blog {
+ alias /var/www/blog;
+ index index.html;
+ }
+
+
+ # Sanic
+ location /api/ {
+ proxy_pass http://$server_name;
+ # Allow fast streaming HTTP/1.1 pipes (keep-alive, unbuffered)
+ proxy_http_version 1.1;
+ proxy_request_buffering off;
+ proxy_buffering off;
+ # Proxy forwarding (password configured in app.config.FORWARDED_SECRET)
+ proxy_set_header forwarded "$proxy_forwarded;secret=\"REDACTED\"";
+ # Allow websockets and keep-alive (avoid connection: close)
+ proxy_set_header connection "upgrade";
+ proxy_set_header upgrade $http_upgrade;
+ }
+
+
+# # New chat (matrix / element)
+# location ~ /v2/chat/ {
+# proxy_pass http://127.0.0.1:8008;
+# proxy_set_header X-Forwarded-For $remote_addr;
+# }
+
+ # default favicon
+ location = /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+
+
+ # Other
+ location ~ /.well-known {
+ allow all;
+ }
+
+
+ # HTTPS / SSL
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+
+# Open matrix chat on 8448
+#server {
+# listen 8448 ssl default_server;
+# listen [::]:8448 ssl default_server;
+# server_name dev.nutra.tk;
+#
+# location / {
+# proxy_pass http://127.0.0.1:8008;
+# proxy_set_header X-Forwarded-For $remote_addr;
+# }
+#
+# # HTTPS / SSL
+# ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; # managed by Certbot
+# ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot
+# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+#}
+
+
+# Redirect all HTTP to HTTPS with no-WWW
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name ~^(?:www\.)?(.*)$;
+ return 301 https://$1$request_uri;
}
+
+# Redirect WWW to no-WWW
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ~^www\.(.*)$;
+ return 301 $scheme://$1$request_uri;
+}
+
+
+# TODO: if is evil
+# https://wordpress.org/support/article/nginx/
+# http://wiki.nginx.org/IfIsEvil
+#server {
+# if ($host = dev.nutra.tk) {
+# return 301 $scheme://$host$request_uri;
+# } # managed by Certbot
+#}
+
--- /dev/null
+# RFC 7239 Forwarded header for Nginx proxy_pass
+
+# Add within your server or location block:
+# proxy_set_header forwarded "$proxy_forwarded;secret=\"YOUR SECRET\"";
+
+# Configure your upstream web server to identify this proxy by that password
+# because otherwise anyone on the Internet could spoof these headers and fake
+# their real IP address and other information to your service.
+
+
+# Provide the full proxy chain in $proxy_forwarded
+map $proxy_add_forwarded $proxy_forwarded {
+ default "$proxy_add_forwarded;by=\"_$hostname\";proto=$scheme;host=\"$http_host\";path=\"$request_uri\"";
+}
+
+# The following mappings are based on
+# https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
+
+map $remote_addr $proxy_forwarded_elem {
+ # IPv4 addresses can be sent as-is
+ ~^[0-9.]+$ "for=$remote_addr";
+
+ # IPv6 addresses need to be bracketed and quoted
+ ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+ # Unix domain socket names cannot be represented in RFC 7239 syntax
+ default "for=unknown";
+}
+
+map $http_forwarded $proxy_add_forwarded {
+ # If the incoming Forwarded header is syntactically valid, append to it
+ "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+ # Otherwise, replace it
+ default "$proxy_forwarded_elem";
+}
+
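Review bot: In the `$proxy_forwarded` map (line 177), `$http_host` and `$request_uri` are interpolated into RFC 7239 quoted-string parameters without escaping `"` or `\`, so a request whose Host or path contains either character can close the quoted value early and inject parameters into the same Forwarded element that the instructed `proxy_set_header` line later tags with `secret=`. nginx offers no escaping for map values, so the safe options are to drop the two client-derived parameters, e.g. `default "$proxy_add_forwarded;by=\"_$hostname\";proto=$scheme";`, or to have the upstream parser treat every parameter other than `for` and `proto` as untrusted even in the secret-bearing element. Whether the consuming application is actually affected depends on how it tokenises quoted values, which is not visible in this diff. It would also help to extend the header comment to state that the secret must be the last parameter of the proxy's element, since everything before it in that element is built partly from request data.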