71 lines
1.5 KiB
Plaintext
71 lines
1.5 KiB
Plaintext
server {
|
|
listen 80 default_server proxy_protocol;
|
|
server_name example.com;
|
|
|
|
# proxy protocol settings
|
|
set_real_ip_from 10.0.0.1/32;
|
|
real_ip_header proxy_protocol;
|
|
real_ip_recursive on;
|
|
|
|
# logging
|
|
access_log syslog:server=log.example.local vhost;
|
|
error_log syslog:server=log.example.local;
|
|
|
|
location ^~ /.well-known/acme-challenge {
|
|
alias /mnt/certs/challenge;
|
|
}
|
|
|
|
# health uri
|
|
location /health {
|
|
|
|
# return 'rp-ok' in plain text
|
|
add_header Content-Type text/plain;
|
|
return 200 'waf-ok';
|
|
}
|
|
|
|
location / {
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 443 default_server http2 proxy_protocol ssl;
|
|
server_name example.com;
|
|
|
|
# proxy protocol settings
|
|
set_real_ip_from 10.0.0.1/32;
|
|
real_ip_header proxy_protocol;
|
|
real_ip_recursive on;
|
|
|
|
# logging
|
|
access_log syslog:server=log.example.local vhost;
|
|
error_log syslog:server=log.example.local;
|
|
|
|
# certificates
|
|
ssl_certificate /mnt/certs/certs/example.com/fullchain.pem;
|
|
ssl_certificate_key /mnt/certs/certs/example.com/privkey.pem;
|
|
|
|
# tls settings
|
|
ssl_dhparam /etc/nginx/dhparam.pem;
|
|
ssl_session_timeout 4h;
|
|
ssl_session_tickets off;
|
|
ssl_session_cache shared:SSL:20m;
|
|
ssl_ecdh_curve secp384r1;
|
|
ssl_prefer_server_ciphers off;
|
|
ssl_protocols TLSv1.3 TLSv1.2;
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
|
|
# health uri
|
|
location /health {
|
|
|
|
# return 'rp-ok' in plain text
|
|
add_header Content-Type text/plain;
|
|
return 200 'rp-ok';
|
|
}
|
|
|
|
location / {
|
|
return 301 https://example.com;
|
|
}
|
|
}
|