ansible-openappsec/roles/openappsec/files/nginx/conf.d/subdomain.example.com.conf


# Backend pool for the subdomain.example.com vhost: a single origin, contacted
# over TLS by the 443 server block below (proxy_pass https://application01).
# Only the private address/port is fixed here; the TLS behaviour towards the
# backend (verification, SNI) is decided by the proxy_ssl_* directives in the
# calling location, none of which are set in this file.
upstream application01 {
    server 10.0.0.10:443;
}
# Plain-HTTP listener for subdomain.example.com. It does exactly two things:
# serves ACME HTTP-01 challenge files and redirects everything else to HTTPS.
server {
    # Traffic arrives through an upstream proxy/load balancer that prepends a
    # PROXY-protocol header carrying the original client address.
    listen 80 proxy_protocol;
    server_name subdomain.example.com;
    # proxy protocol settings
    # ngx_http_realip_module replaces the client address with the one from the
    # PROXY header only when the TCP peer is the trusted address below; a PROXY
    # header from any other sender is not honoured as the client address.
    set_real_ip_from 10.0.0.1/32;
    real_ip_header proxy_protocol;
    # NOTE(review): recursion only matters for multi-hop X-Forwarded-For chains;
    # with real_ip_header proxy_protocol (single address) it is effectively a no-op.
    real_ip_recursive on;
    # logging
    # Both logs go to a remote syslog collector. The `vhost` log format is not
    # defined in this file — it must come from the http context (confirm).
    access_log syslog:server=log.example.local vhost;
    error_log syslog:server=log.example.local;
    # ACME HTTP-01 validation. `^~` makes this prefix match win over any regex
    # location. Only the challenge directory is exposed; the certificates and keys
    # live in the sibling /mnt/certs/certs tree, which is not under this alias.
    # Requests for /.well-known/acme-challenge/<token> map to
    # /mnt/certs/challenge/<token>. Served over plain HTTP on purpose: validation
    # must work before a certificate exists and during renewal.
    location ^~ /.well-known/acme-challenge {
        alias /mnt/certs/challenge;
    }
    # Everything else is a permanent redirect to HTTPS.
    # NOTE(review): $host is taken from the request's Host header. Because this
    # block is selected by server_name, it normally equals subdomain.example.com;
    # if the block is also the listener's default_server, $host becomes whatever
    # the client sent. In that case `return 301 https://$server_name$request_uri;`
    # pins the redirect target — confirm how the listener's default is configured.
    location / {
        return 301 https://$host$request_uri;
    }
}
# HTTPS listener for subdomain.example.com: terminates TLS, rewrites the
# client-address headers from the PROXY-protocol address, and forwards to the
# application01 upstream over TLS.
server {
    # `http2` as a listen parameter is the pre-1.25.1 form; newer releases
    # prefer a separate `http2 on;` directive (the old form still works with a
    # deprecation warning) — confirm the nginx version the role installs.
    listen 443 proxy_protocol ssl http2;
    server_name subdomain.example.com;
    # proxy protocol settings
    # Same trust rule as the :80 block: the PROXY-header address is accepted only
    # from 10.0.0.1. $proxy_protocol_addr (used in the headers below) carries that
    # address regardless; set_real_ip_from governs what $remote_addr and the logs see.
    set_real_ip_from 10.0.0.1/32;
    real_ip_header proxy_protocol;
    # NOTE(review): effectively a no-op with a single-address PROXY header.
    real_ip_recursive on;
    # logging
    # Remote syslog; the `vhost` log format is defined outside this file (confirm).
    access_log syslog:server=log.example.local vhost;
    error_log syslog:server=log.example.local;
    # certificates
    # fullchain.pem / privkey.pem naming suggests an ACME client output
    # directory; renewal relies on the challenge location in the :80 block.
    # The key file must be readable only by the nginx master (root) — verify
    # permissions on /mnt/certs/certs in the role that deploys them.
    ssl_certificate /mnt/certs/certs/subdomain.example.com/fullchain.pem;
    ssl_certificate_key /mnt/certs/certs/subdomain.example.com/privkey.pem;
    # tls settings
    # Parameters for DHE ciphers (TLS 1.2 only; TLS 1.3 does not use them).
    # Generated elsewhere — confirm it is at least 2048 bits.
    ssl_dhparam /etc/nginx/dhparam.pem;
    # Resumption uses the server-side shared cache only: tickets are off, so no
    # long-lived ticket key can undermine forward secrecy for cached sessions.
    # 20m is shared across all worker processes; entries expire after 4h.
    ssl_session_timeout 4h;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:20m;
    # Pins the key-exchange group to P-384 only. This excludes X25519 and P-256,
    # which most clients prefer, so handshakes cost more and any client that only
    # offers X25519 cannot connect.
    # NOTE(review): `ssl_ecdh_curve X25519:secp384r1;` keeps P-384 available
    # while restoring the common groups — confirm against the compatibility policy.
    ssl_ecdh_curve secp384r1;
    # Client cipher preference wins. No ssl_ciphers is set in this file, so the
    # OpenSSL default list (or an http-level ssl_ciphers, if any) applies — confirm.
    ssl_prefer_server_ciphers off;
    # TLS 1.0 and 1.1 are disabled.
    ssl_protocols TLSv1.3 TLSv1.2;
    # OCSP stapling with verification of the stapled response.
    # NOTE(review): stapling needs a `resolver` to reach the OCSP responder and,
    # for ssl_stapling_verify, a chain nginx can build (ssl_trusted_certificate, or
    # intermediates present in fullchain.pem). Neither resolver nor
    # ssl_trusted_certificate is set in this file; if they are absent from the
    # http context too, nginx logs a warning at startup and serves without a
    # stapled response rather than failing — check the error log after reload.
    ssl_stapling on;
    ssl_stapling_verify on;
    # No Strict-Transport-Security header is added here — confirm whether it is
    # set at the http level or by the backend before relying on HSTS.
    location / {
        # set headers
        # X-Real-IP and X-Forwarded-For are *replaced* (proxy_set_header does not
        # append) with the PROXY-protocol address, so a client-supplied
        # X-Forwarded-For never reaches the backend. $scheme is always https here.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # pass upstream
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend's
        # certificate is not validated and the upstream hop is encrypted but not
        # authenticated. To close that gap add `proxy_ssl_verify on;`,
        # `proxy_ssl_trusted_certificate <PATH-TO-BACKEND-CA-BUNDLE>;` and, if the
        # backend cert is issued to a hostname, `proxy_ssl_server_name on;` with
        # `proxy_ssl_name <backend-hostname>;` — confirm what 10.0.0.10 presents.
        proxy_pass https://application01;
    }
}