1
0
ansible-openappsec/roles/openappsec/files/nginx/conf.d/example.com.conf
2024-02-06 08:24:36 +01:00

71 lines
1.5 KiB
Plaintext

server {
listen 80 default_server proxy_protocol;
server_name example.com;
# proxy protocol settings
set_real_ip_from 10.0.0.1/32;
real_ip_header proxy_protocol;
real_ip_recursive on;
# logging
access_log syslog:server=log.example.local vhost;
error_log syslog:server=log.example.local;
location ^~ /.well-known/acme-challenge {
alias /mnt/certs/challenge;
}
# health uri
location /health {
# return 'waf-ok' in plain text
add_header Content-Type text/plain;
return 200 'waf-ok';
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 default_server http2 proxy_protocol ssl;
server_name example.com;
# proxy protocol settings
set_real_ip_from 10.0.0.1/32;
real_ip_header proxy_protocol;
real_ip_recursive on;
# logging
access_log syslog:server=log.example.local vhost;
error_log syslog:server=log.example.local;
# certificates
ssl_certificate /mnt/certs/certs/example.com/fullchain.pem;
ssl_certificate_key /mnt/certs/certs/example.com/privkey.pem;
# tls settings
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_session_timeout 4h;
ssl_session_tickets off;
ssl_session_cache shared:SSL:20m;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_stapling on;
ssl_stapling_verify on;
# health uri
location /health {
# return 'waf-ok' in plain text
add_header Content-Type text/plain;
return 200 'waf-ok';
}
location / {
return 301 https://example.com;
}
}