summary refs log tree commit diff
path: root/nginx/conf/main.conf
blob: d5618545bd154868e9ebeb87b02629f8caf661c8 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
user  nginx;
worker_processes  1;
daemon off;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;
    gzip  on;

    # Modern SSL config
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:HTTPS:50m;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;

    # Logstash log format
    log_format logstash '$http_host '
    '$remote_addr [$time_local] '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent" '
    '$request_time '
    '$upstream_response_time';

    access_log   /var/log/nginx/access.log  logstash;

    # Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
    ssl_certificate /etc/nginx/ssl/tazj.in/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/tazj.in/key.pem;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    include /etc/nginx/conf/http.conf;
}

stream {
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:STREAM:50m;
    ssl_session_tickets off;

    # Default tazj.in certificate
    ssl_certificate /etc/nginx/ssl/tazj.in/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/tazj.in/key.pem;

    include /etc/nginx/conf/stream.conf;
}