author | thekettu <samantha.chalker@nccgroup.trust> | 2018-04-22 16:15:55 -0700 |
---|---|---|
committer | thekettu <samantha.chalker@nccgroup.trust> | 2018-04-22 16:15:55 -0700 |
commit | cab33b7005e9857dfdfdc0670b96d2cd100582ae (patch) | |
tree | b5b6b6c57c8175b2f71475658249407c29038653 /deploy/conf | |
parent | 668868deee87a3852c814c4dcbf68a67f9dd584a (diff) |
Add IPv6 NAT and use Nginx in a container
Diffstat (limited to 'deploy/conf')
-rw-r--r-- | deploy/conf/nginx.conf | 42 |
1 files changed, 17 insertions, 25 deletions
diff --git a/deploy/conf/nginx.conf b/deploy/conf/nginx.conf
index e005f86..7804345 100644
--- a/deploy/conf/nginx.conf
+++ b/deploy/conf/nginx.conf
@@ -3,8 +3,8 @@ map $http_upgrade $connection_upgrade {
 '' close;
 }
-upstream netdata {
- server 127.0.0.1:19999;
+upstream dockernetdata {
+ server netdata:19999;
 keepalive 64;
 }
@@ -12,8 +12,8 @@ server {
 listen 80;
 listen [::]:80;
- server_name plural.cafe;
- root /home/mastodon/public;
+ server_name $NGINX_HOST;
+ root /var/www/html;
 location /.well-known/acme-challenge/ {
 allow all;
@@ -32,15 +32,14 @@ server {
 server_tokens off;
 ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL;
- ssl_ecdh_curve X25519:secp521r1:secp384r1;
+ ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
+ ssl_ecdh_curve X25519:secp384r1;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:TLS:2m;
 ssl_session_timeout 10m;
 ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
- ssl_dhparam /etc/ssl/dhparam.pem;
 keepalive_timeout 70;
 sendfile on;
@@ -66,19 +65,18 @@ server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- server_name plural.cafe;
+ server_name $NGINX_HOST;
 server_tokens off;
- ssl_protocols TLSv1.3 TLSv1.2;
- ssl_ciphers ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL;
- ssl_ecdh_curve X25519:secp521r1:secp384r1;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
+ ssl_ecdh_curve X25519:secp384r1;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:TLS:2m;
 ssl_session_timeout 10m;
 ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
- ssl_dhparam /etc/ssl/dhparam.pem;
 keepalive_timeout 70;
 sendfile on;
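Review bot: `server_name $NGINX_HOST;` is not something nginx expands on its own — `server_name` takes no variables — so this file must now pass through a template step (envsubst, which the `$NGINX_HOST` name suggests) before nginx loads it, and nothing in the hunk records that. If that step is a bare `envsubst` with no variable list, it will also blank nginx's own variables visible elsewhere in this diff (`$http_upgrade`, `$connection_upgrade`, `$uri`, `$host`, `$ndpath$is_args$args`) and leave a broken proxy config. Restrict the substitution to the one placeholder, `envsubst '$NGINX_HOST'`, and state it at the top of the file: `# Template: render with envsubst '$NGINX_HOST' only; every other $name below is an nginx variable.` The `server {` block this line belongs to starts before and ends after the hunk.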
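Review bot: The new `ssl_ciphers` line (identical in the port-80 block at @@ -32 and the 443 block at @@ -66) re-admits `RSA+AES128`, `RSA+AES256`, `ECDHE+3DES` and `RSA+3DES` — static-RSA key exchange with no forward secrecy and 64-bit-block 3DES — which the removed `ECDHE+CHACHA20:AES256+EECDH:AES256+EDH:!aNULL` list excluded; with `ssl_prefer_server_ciphers on` modern clients still land in the bracketed group, but any client lacking those suites silently negotiates a non-PFS or 3DES suite. The `[…|…]` equal-preference group syntax is, as far as I know, a BoringSSL / Cloudflare-patched-OpenSSL extension that stock OpenSSL rejects, so unless the container's nginx is built against one of those, `nginx -t` would fail on this line — worth confirming before the image is built. A plain list keeps the intent and drops the weak tail: `ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE+AES128:ECDHE+AES256';`. Removing `ssl_dhparam` is consistent with either list, since no DHE suite remains. Both `server {` blocks extend beyond their hunks.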
@@ -90,14 +88,14 @@ server {
 add_header Referrer-Policy "same-origin";
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
- ssl_certificate /home/mastodon/.acme.sh/certs/fullchain.pem;
- ssl_certificate_key /home/mastodon/.acme.sh/certs/privkey.pem;
- ssl_trusted_certificate /home/mastodon/.acme.sh/certs/cert.pem;
+ ssl_certificate /etc/ssl/fullchain.pem;
+ ssl_certificate_key /etc/ssl/privkey.pem;
+ ssl_trusted_certificate /etc/ssl/cert.pem;
 resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
 resolver_timeout 5s;
- root /home/mastodon/public;
+ root /var/www/html;
 #add_header Content-Security-Policy "Content-Security-Policy: frame-ancestors 'none'; object-src 'none'; script-src 'self'; base-uri 'none';";
 add_header Access-Control-Allow-Origin "https://$host";
@@ -107,12 +105,6 @@ server {
 try_files $uri @proxy;
 }
-# location /_matrix {
-# proxy_pass http://127.0.0.1:8008;
-# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-# proxy_pass_request_headers on;
-# }
-
 location /sw.js {
 add_header Cache-Control "public, max-age=0";
 try_files $uri @proxy;
@@ -133,7 +125,7 @@ server {
 proxy_pass_request_headers on;
 proxy_set_header Connection "keep-alive";
 proxy_store off;
- proxy_pass http://netdata/$ndpath$is_args$args;
+ proxy_pass http://dockernetdata/$ndpath$is_args$args;
 gzip on;
 gzip_proxied any;
@@ -167,7 +159,7 @@ server {
 proxy_set_header Proxy "";
 proxy_pass_header Server;
- proxy_pass http://127.0.0.1:3000;
+ proxy_pass http://mstweb:3000;
 proxy_buffering on;
 proxy_redirect off;
 proxy_http_version 1.1;
@@ -190,7 +182,7 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header Proxy "";
- proxy_pass http://127.0.0.1:4000;
+ proxy_pass http://mststreaming:4000;
 proxy_buffering off;
 proxy_redirect off;
 proxy_http_version 1.1; |
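Review bot: `ssl_trusted_certificate /etc/ssl/cert.pem;` points OCSP-stapling verification at what its pairing with `fullchain.pem` suggests is the leaf certificate alone; `ssl_stapling_verify on` needs the issuer chain (intermediate plus root) to validate the OCSP response, and when it cannot, nginx logs a verification error and simply serves no staple rather than failing loudly. The commit moves this path into the container without changing what it points at, so the new deployment inherits the problem. Point it at the chain file instead — `ssl_trusted_certificate /etc/ssl/chain.pem;` (or whatever name the intermediates are mounted under) — and confirm after deploy that `openssl s_client -status` shows an OCSP response. The `server {` block starts and ends outside this hunk.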