local testing uses SSL (thanks to traefik.me)

2022-02-08 19:41:17 +01:00 · 2022-02-08 19:41:17 +01:00 · a637657847
commit a637657847
parent 225a4ff35b
7 changed files with 129 additions and 57 deletions
--- a/nginx/dhparam.pem
+++ b/nginx/dhparam.pem
@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEArZ2eraHASEwWg51GuvviujRhawl6Vp1f9YTdPFcMoxidRycgvDE/
+aI5CATYqetkos2M0pBJ01YN4bbLtYG98DkUzsRUouL0+65L3BB+ClEFL9CqGZhmk
+AivS7WajarSfVpGaCCxVMPviWdX8qfAncGasC34XNZLJAkmMjKhhj1OcFBgoxrfW
+AKmyBuTYthd1C/refwHrXjC2vM1l3ts/UJ5sKhyCD0PBxpLMiiRUrqsENMl8lUsW
+/qbzzq/kc5Tgo4DRTdsLEUk22YyYGpk1jjK1Yr4elHNUZbaqOZwOESsd1pm0KW93
+/QzTIvS18SLA346DkL8hKwPlQOQRR7HSofXKkMGyDU/wkxqgAivT46Y322GW+Aw9
+WKTGZ8njp/IhureOo7N19PPADFcF0sGap4aUzbu4cpRVucpLUIzYkk2iSTJTRtrO
+5QvY7/KBhtBO1a72VSN94mIfI2V+j4d3X+ISqhBB4ABP92FfE1v1ktU3bwEq9PqG
+M/jj8whO7Sp2V5zsk/7aCFj88QaSc5/rhIG2Y8ntPBoknr635ZpQ+b2lCxx8bcOs
+PxdFX2bHhrxdwhq29n1LacJPKwUceaA0Xd/Xm2xmLjGoZ4qduYnmIhUtg15vY0KC
+9jiaxlfaxhNkMcTPhXDUQtLit++NbBHESVFBmSG7R8gcIHwWTiJxxCsCAQI=
+-----END DH PARAMETERS-----
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@ -0,0 +1,92 @@
+user nginx;
+worker_processes  1;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    sendfile off;
+    send_timeout 20;
+    keepalive_timeout 60;
+
+    gzip on;
+    gzip_static on;
+    gzip_min_length 512;
+    gzip_buffers 16 8k;
+    gzip_http_version 1.1;
+    gzip_vary on;
+    gzip_comp_level 6;
+    gzip_proxied any;
+    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
+    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+
+    server {
+        listen 80;
+        server_name blogduyax.traefik.me;
+
+        location / {
+            # enforce https
+            return 301 https://$server_name$request_uri;
+        }
+    }
+
+    server {
+        listen 443 ssl http2;
+        server_name blogduyax.traefik.me;
+
+        # =========================================
+        #  // SSL
+        # =========================================
+        
+        # session settings
+        ssl_session_timeout 1d;
+        ssl_session_cache shared:SSL:50m;
+        ssl_session_tickets off;
+        ssl_buffer_size 1400;
+
+        # Diffie-Hellman parameter for DHE cipher suites
+        ssl_dhparam /etc/nginx/dhparam.pem;
+
+        # ssl certs
+        ssl_certificate /etc/nginx/ssl/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+
+        # protocols
+        ssl_protocols TLSv1.2;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+        # HSTS, remove # from the line below to enable HSTS
+        #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+        # OCSP Stapling
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        # =========================================
+        #                                   SSL //
+        # =========================================
+
+        root /usr/share/nginx/html;
+        index index.html;
+        add_header Cache-Control "no-cache";
+
+        location /newcomment {
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_pass http://172.17.0.1:8100/newcomment;
+        }
+
+        location /web {
+            proxy_pass http://172.17.0.1:8100/web;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;           
+        }
+    }
+}