107 lines
4.5 KiB
Plaintext
107 lines
4.5 KiB
Plaintext
|
server {
|
||
|
listen 80;
|
||
|
server_name staging.{{company-name}}.talent.careers;
|
||
|
root /srv/http/staging.{{company-name}}.talent.careers/web;
|
||
|
|
||
|
location / {
|
||
|
rewrite ^(.*)$ https://staging.{{company-name}}.talent.careers$1 permanent;
|
||
|
}
|
||
|
|
||
|
#return 301 https://$server_name$request_uri;
|
||
|
|
||
|
# ACME challenge
|
||
|
location ^~ /.well-known {
|
||
|
allow all;
|
||
|
#alias /var/lib/letsencrypt/.well-known/;
|
||
|
default_type "text/plain";
|
||
|
try_files $uri =404;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
server {
|
||
|
#listen 443;
|
||
|
listen [::]:443 ssl;
|
||
|
listen 443 ssl;
|
||
|
server_name staging.{{company-name}}.talent.careers;
|
||
|
|
||
|
if ($scheme != "https"){
|
||
|
return 301 https://$host$request_uri;
|
||
|
} # managed by Certbot
|
||
|
|
||
|
if ($host != $server_name) {
|
||
|
#return 404 "this is an invalid request";
|
||
|
return 444;
|
||
|
} # managed by Certbot
|
||
|
ssl_certificate /etc/letsencrypt/live/{{company-name}}/fullchain.pem;
|
||
|
ssl_certificate_key /etc/letsencrypt/live/{{company-name}}/privkey.pem;
|
||
|
ssl_trusted_certificate /etc/letsencrypt/live/{{company-name}}/chain.pem;
|
||
|
ssl_session_timeout 1d;
|
||
|
ssl_session_cache shared:le_nginx_SSL:1m;
|
||
|
ssl_session_tickets off;
|
||
|
ssl_prefer_server_ciphers on;
|
||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
|
||
|
ssl_stapling on;
|
||
|
ssl_stapling_verify on;
|
||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||
|
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
|
||
|
|
||
|
root /srv/http/staging.{{company-name}}.talent.careers/web/;
|
||
|
|
||
|
auth_basic "Restricted";
|
||
|
auth_basic_user_file /etc/nginx/htpasswd;
|
||
|
|
||
|
add_header Cache-Control "no-cache, no-store, must-revalidate, proxy-revalidate";
|
||
|
#add_header X-Frame-Options SAMEORIGIN; # allow from startberlin etc
|
||
|
add_header X-Content-Type-Options nosniff;
|
||
|
add_header X-XSS-Protection "1; mode=block";
|
||
|
add_header Referrer-Policy "same-origin";
|
||
|
add_header Expect-CT "max-age=0, report-uri=https://sompani.report-uri.com/r/d/ct/reportOnly";
|
||
|
# add_header Content-Security-Policy "default-src https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src https:; object-src 'none'";
|
||
|
add_header X-Who-Is-Awesome "You are ❤";
|
||
|
|
||
|
location / {
|
||
|
# try to serve file directly, fallback to app.php
|
||
|
try_files $uri /app.php$is_args$args;
|
||
|
}
|
||
|
location ~ ^/app\.php(/|$) {
|
||
|
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
|
||
|
fastcgi_split_path_info ^(.+\.php)(/.*)$;
|
||
|
include fastcgi_params;
|
||
|
# When you are using symlinks to link the document root to the
|
||
|
# current version of your application, you should pass the real
|
||
|
# application path instead of the path to the symlink to PHP
|
||
|
# FPM.
|
||
|
# Otherwise, PHP's OPcache may not properly detect changes to
|
||
|
# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
|
||
|
# for more information).
|
||
|
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
||
|
fastcgi_param DOCUMENT_ROOT $realpath_root;
|
||
|
# Prevents URIs that include the front controller. This will 404:
|
||
|
# http://domain.tld/app.php/some-path
|
||
|
# Remove the internal directive to allow URIs like this
|
||
|
internal;
|
||
|
expires -1;
|
||
|
}
|
||
|
|
||
|
# return 404 for all other php files not matching the front controller
|
||
|
# this prevents access to other php files you don't want to be accessible.
|
||
|
location ~ \.php$ {
|
||
|
return 404;
|
||
|
}
|
||
|
|
||
|
location ^~ /og-image {
|
||
|
root /srv/img/staging.sompani.com/;
|
||
|
}
|
||
|
# ACME challenge
|
||
|
#location ^~ /.well-known {
|
||
|
# allow all;
|
||
|
# alias /var/lib/letsencrypt/.well-known/;
|
||
|
# default_type "text/plain";
|
||
|
# try_files $uri =404;
|
||
|
#}
|
||
|
|
||
|
error_log /var/log/nginx/staging.{{company-name}}.talent.careers.error.log;
|
||
|
access_log /var/log/nginx/staging.{{company-name}}.talent.careers.access.log;
|
||
|
|
||
|
}
|