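# Backend: the OpenUDS application server, reached over a local unix socket.
upstream uds_server {
    server unix:/run/openuds/socket fail_timeout=10s;
}

# Scheme reported to the backend. Honours X-Forwarded-Proto when a
# TLS-terminating proxy sits in front of nginx; otherwise falls back to the
# scheme of this connection.
# NOTE(review): nginx terminates TLS itself below, so if clients reach this
# server directly the header is client-controlled and a plain-HTTP request can
# claim "https" to the backend. Use $scheme directly, or only honour the
# header from known proxy addresses, unless a trusted proxy sets it — confirm
# the deployment topology.
map $http_x_forwarded_proto $thescheme {
    default $scheme;
    https   https;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    # TLSv1.3 can be added here once the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    # No ssl_ciphers is set, so the nginx default cipher list applies.
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    #resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout 5s;

    # Security headers. "always" makes them apply to error responses as well;
    # without it add_header only covers 2xx/3xx responses. Note that any
    # location block declaring its own add_header drops all of these.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # The legacy browser XSS auditor is explicitly disabled: "1; mode=block"
    # is deprecated, and the auditor itself caused cross-site information
    # leaks in older browsers. CSP is the supported replacement.
    add_header X-XSS-Protection "0" always;

    ssl_certificate /var/lib/ssl/certs/nginx-openuds.cert;
    ssl_certificate_key /var/lib/ssl/private/nginx-openuds.key;

    root /usr/share/openuds/;

    # Add index.php to the list if you are using PHP
    index index.html;

    server_name _;

    # Activate GZIP
    # In our app, saves around 80% of the traffic.
    # NOTE(review): compressing dynamic HTML over TLS can enable BREACH when a
    # page reflects attacker-influenced input next to a secret (e.g. a CSRF
    # token); if that applies to the backend, limit gzip_types to static
    # content or disable gzip for proxied responses.
    #
    gzip on;
    gzip_proxied any;
    # text/html is always included
    gzip_types text/css text/javascript text/xml text/plain application/javascript application/x-javascript application/json;

    location /favicon.ico {
        alias /usr/share/openuds/uds/static/modern/img/favicon.ico;
    }

    # Static assets. Both the location and the alias end in "/" so the prefix
    # is replaced, not concatenated.
    location /uds/res/ {
        autoindex off;
        alias /usr/share/openuds/uds/static/;
    }

    location / {
        # First attempt to serve /maintenance.html (to allow easy backend
        # maintenance) if it exists; if not, fall back to UDS.
        try_files /maintenance.html @proxy_to_uds;
    }

    location @proxy_to_uds {
        # $proxy_add_x_forwarded_for appends the client address to any
        # X-Forwarded-For the client already sent; the backend should only
        # trust the last (nginx-added) entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $thescheme;
        proxy_set_header Host $http_host;
        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;
        proxy_pass http://uds_server;
    }
}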