# Backend pool for the UDS application: one server, reached over a local
# UNIX-domain socket instead of a TCP port.
#
# NOTE(review): access to the backend is governed by the filesystem
# permissions on /run/openuds/socket. Any local process that can connect to it
# talks to the application directly, without the headers nginx sets in the
# proxy location -- verify the socket's owner and mode.
upstream uds_server {
    # With a single server in the group nginx does not mark it unavailable,
    # so fail_timeout has no practical effect unless more servers are added.
    server unix:/run/openuds/socket fail_timeout=10s;
}
# $thescheme is the scheme reported to the backend in X-Forwarded-Proto:
# "https" when the incoming request already carries "X-Forwarded-Proto: https",
# otherwise the scheme of the connection nginx itself accepted.
#
# NOTE(review): X-Forwarded-Proto is a request header, so any client can set
# it. A plain-HTTP request that carries "X-Forwarded-Proto: https" is reported
# to the backend as https. This is only safe when nginx is reachable solely
# through a trusted TLS-terminating front end that overwrites the header --
# confirm against the deployment, or forward $scheme directly.
map $http_x_forwarded_proto $thescheme {
    https   https;
    default $scheme;
}
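# Default virtual host: terminates TLS, serves the static assets from disk and
# proxies every other request to the UDS backend.
server {
    # Plain HTTP, IPv4 and IPv6.
    # NOTE(review): this block has no redirect to HTTPS, so the application is
    # also served in clear text on port 80, and browsers ignore the HSTS
    # header on plain-HTTP responses. Confirm that port 80 is only reached
    # through a TLS-terminating front end, or add a redirect.
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    # Only TLS 1.2 is accepted; older protocol versions are refused.
    # TLS 1.3 is not enabled here -- consider adding it where the installed
    # nginx and OpenSSL support it.
    ssl_protocols TLSv1.2;
    # No ssl_ciphers is set in this block, so the server-side preference
    # applies to whatever cipher list is in effect elsewhere or by default.
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;
    # 10 MB session cache named "SSL", shared between worker processes.
    ssl_session_cache shared:SSL:10m;
    # Session tickets are disabled; resumption relies on the cache above.
    ssl_session_tickets off;
    #resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout 5s;

    # Security response headers.
    # "always" makes nginx attach them to every response. Without it,
    # add_header applies only to a fixed set of success and redirect status
    # codes, so 4xx/5xx pages (including errors returned by the backend) would
    # go out without HSTS, framing and MIME-sniffing protection.
    # A location inherits these only while it defines no add_header of its
    # own; none of the locations below does.
    #
    # NOTE(review): "includeSubDomains; preload" with a two-year max-age
    # commits every subdomain of the served name to HTTPS -- confirm this is
    # intended before the domain is submitted for preloading.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # Legacy header: only older browsers act on it. No Content-Security-Policy
    # is set in this block.
    add_header X-XSS-Protection "1; mode=block" always;

    ssl_certificate /var/lib/ssl/certs/nginx-openuds.cert;
    # The private key file should be readable only by the account that starts
    # nginx.
    ssl_certificate_key /var/lib/ssl/private/nginx-openuds.key;

    root /usr/share/openuds/;

    # Add index.php to the list if you are using PHP
    index index.html;

    # Catch-all name: together with default_server this block answers
    # requests for any Host value.
    server_name _;

    # Activate GZIP
    # In our app, saves around 80% of the traffic.
    #
    # NOTE(review): gzip_proxied any also compresses the proxied application
    # responses. Compressing HTTPS responses that contain secrets next to
    # reflected request data is the precondition for BREACH-style compression
    # side channels -- confirm the application does not produce such pages.
    gzip on;
    gzip_proxied any;
    # text/html is always included
    gzip_types
        text/css
        text/javascript
        text/xml
        text/plain
        application/javascript
        application/x-javascript
        application/json;

    location /favicon.ico {
        alias /usr/share/openuds/uds/static/modern/img/favicon.ico;
    }

    # Static resources served straight from disk, with directory listings
    # disabled. The location prefix and the alias both end in "/", which keeps
    # the URI-to-path mapping aligned; keep the two in step when editing.
    location /uds/res/ {
        autoindex off;
        alias /usr/share/openuds/uds/static/;
    }

    location / {
        # First attempt to serve /maintenance.html (to allow easy backend
        # maintenance) if it exists under the document root;
        # if not, fall back to UDS.
        try_files /maintenance.html @proxy_to_uds;
    }

    location @proxy_to_uds {
        # Appends the connecting address to whatever X-Forwarded-For the
        # client sent. Only the last entry is written by this nginx; the
        # backend should not trust the earlier ones.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $thescheme comes from the map on $http_x_forwarded_proto and can
        # echo a client-supplied "https" -- see the deployment assumption
        # about a trusted front end.
        proxy_set_header X-Forwarded-Proto $thescheme;
        # NOTE(review): $http_host is the Host header exactly as the client
        # sent it, and this server block accepts any host name, so the backend
        # has to validate Host itself before using it to build URLs.
        proxy_set_header Host $http_host;
        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;
        proxy_pass http://uds_server;
    }
}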