/
nginx.conf
114 lines (104 loc) · 3.87 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# This assumes that `https://github.com/inetknght/systemd.software` was cloned
# to /srv/systemd.software.
# Nginx root will be /srv/systemd.software/www
#
# You might need to `chcon -R -t httpd_sys_content_t /srv/systemd.software/www`
# to tell SELinux to let nginx access it.
#
# A python script runs the regex captures and redirects. It can be installed
# via a systemd service unit file. Nginx should proxy requests to it.
#
# This file should be installed to /etc/nginx/default.d/
# then you can tell nginx to load the configuration via
# `nginx -t && nginx -s reload`
upstream redirector {
#
# Remember to `semanage port -a -t http_port_t -p tcp 63001`
# https://serverfault.com/a/563893/245340
#
# Then also `setsebool -P httpd_can_network_relay 1`
# https://security.stackexchange.com/a/152387/47800
server 127.0.0.1:63001;
#
# A unix socket is better than a TCP socket on localhost because
# they're faster (don't need the overhead of TCP) and more information
# available (like uid/pid of the connection)
#
# You'll need to `setsebool -P httpd_execmem 1`
#
# Then make sure nginx and your user are in the same group.
# server unix:/srv/systemd.software/reverse-proxy.socket;
}
server {
listen 80;
listen [::]:80;
server_name systemd.software
www.systemd.software;
include conf.d/error-pages.conf;
include conf.d/gzip.conf;
include conf.d/url-filter*.conf;
root /srv/systemd.software/www;
location /.well-known/ {
# Static content for certbot.
}
location / {
return 301 https://systemd.software$uri$is_args$args;
}
}
server {
# The certificate must be issued before nginx will process this. To issue the initial certificate:
# `certbot certonly --webroot -w /srv/_default -d "systemd.software"
# LetsEncrypt will request a file from `http://systemd.software/.well-known/acme-challenge/`.
# LetsEncrypt will follow a redirect to https and will not perform validation of the presented (likely self-signed or otherwise invalid) certificate.
# Since the configuration isn't set up yet, this should map to `/srv/_default/.well-known/acme-challenge` from a properly configured `/etc/nginx/default.d/_default.conf`.
# `certbot` writes logs to /var/log/letsencrypt
# `certbot` writes site configuration data to /etc/letsencrypt/renewal
# `certbot` writes private key and public certificates to /etc/letsencrypt/archive
# `certbot` symlinks private key and certificate at /etc/letsencrypt/live
#
# Then to renew the certificate:
# `certbot renew --non-interactive`
# The certbot log gets rotated.
# The site configuration data is updated.
# The private key and certificate are rotated.
# The symlink is updated.
#
# Certbot does not automatically restart nginx. WE do that in a post hook.
#
ssl_certificate /etc/letsencrypt/live/systemd.software/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/systemd.software/privkey.pem;
ssl_session_tickets off;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name systemd.software
www.systemd.software;
include conf.d/error-pages.conf;
include conf.d/url-filter*.conf;
root /srv/systemd.software/www;
location ~/\.git {
return 404;
}
location = /index.html {
}
location /.well-known/ {
# Static content for certbot.
}
location /examples {
# Static content. No proxy needed.
}
location / {
try_files $uri @redirector;
}
location @redirector {
proxy_headers_hash_bucket_size 128;
proxy_http_version 1.1; # Tornado does not support HTTP/2
proxy_pass_request_headers on;
proxy_pass_request_body off;
proxy_read_timeout 5s;
proxy_send_timeout 5s;
proxy_cache_valid any 1m; # 1 minute
proxy_cache_use_stale error timeout updating;
proxy_intercept_errors on;
proxy_pass http://redirector;
}
}