authorMatt Arnold <matt@thegnuguru.org>2023-01-01 19:32:58 -0500
committerMatt Arnold <matt@thegnuguru.org>2023-01-01 19:32:58 -0500
commitb5f47b42eac4ff5fd961abba453fa744d8826954 (patch)
treed2faa9bcde87203961dd6257302399a684b1619d
parentebb26b655ac4f8223b2f8be1b7bc9be8d2f2acbc (diff)
Add Nginx config fix Makefile
-rw-r--r--Makefile2
-rw-r--r--nginx-config54
2 files changed, 55 insertions, 1 deletions
diff --git a/Makefile b/Makefile
index d0a3ec9..206ca07 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-build:
+build: sign
 	docker build --no-cache . -t deepblue
 sign:
 	./sign.sh
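Review bot: Neither `build` nor `sign` is declared phony, so a file or directory named `build` or `sign` appearing in the working tree would make `make build` report it up to date and skip the recipe entirely; add `.PHONY: build sign` at the top of the Makefile. The new prerequisite also orders `./sign.sh` before `docker build`, so if the script signs the image it will act on the previous build's artifact rather than the one just produced — worth confirming against sign.sh, which is not in this diff. If signing is meant to follow the build, `sign: build` (with `build` invoked as the default) or a combined recipe would express that order.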
diff --git a/nginx-config b/nginx-config
new file mode 100644
index 0000000..26aa92f
--- /dev/null
+++ b/nginx-config
@@ -0,0 +1,54 @@
+server {
+    listen 80;
+    server_name blue.piusbird.space;
+    return 302 https://$server_name$request_uri;
+}
+
+server {
+        access_log  /var/log/nginx/blueproxy.access.log;
+	error_log  /var/log/nginx/blueproxy.error.log;
+	listen 443 ssl;
+	ssl_certificate /etc/letsencrypt/live/blue.piusbird.space/fullchain.pem; 
+	ssl_certificate_key /etc/letsencrypt/live/blue.piusbird.space/privkey.pem;
+	
+	ssl_session_timeout 1d;
+        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+        ssl_session_tickets off;
+	ssl_dhparam /etc/dhparms.global;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    
+	# client side verification options
+	 ssl_client_certificate /etc/nginx/client-full.crt;
+    # make verification optional, so we can display a 403 message to those
+    # who fail authentication
+    ssl_verify_client optional;
+
+	server_name blue.piusbird.space;
+	
+	location / {
+	if ($ssl_client_verify != SUCCESS) {
+        return 403;
+      }
+
+      proxy_set_header        Host $host;
+      proxy_set_header        X-Real-IP $remote_addr;
+      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_pass http://172.42.0.2:3000;
+    }
+
+
+
+}
+
+
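Review bot: `ssl_stapling on` together with `ssl_stapling_verify on` is configured without a `resolver` directive, so nginx cannot resolve the OCSP responder's hostname; it logs a warning in the error log and serves no staple, leaving the stapling block inert. Add a `resolver` line pointing at a resolver you control (for example `resolver 127.0.0.1;`), and since verification is on, also consider `ssl_trusted_certificate` with the issuer chain — fullchain.pem carries the intermediate but presumably not the root nginx needs for verification, so confirm against the error log after the change. `X-Forwarded-For` is built with `$proxy_add_x_forwarded_for`, which appends `$remote_addr` to whatever the client already sent, so the upstream at 172.42.0.2:3000 must trust only the last address in that list if it uses the header for logging or access decisions. The second server block mixes tabs and spaces for indentation (the `ssl_client_certificate` line, for instance); normalising to one style would make the block easier to audit.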