zilti
/
sompani-toolbox
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
sompani-toolbox/resources/nginx/staging.skel.talent.careers

107 lines
4.5 KiB
Plaintext
Raw Permalink Blame History

server {
listen 80;
server_name staging.{{company-name}}.talent.careers;
root /srv/http/staging.{{company-name}}.talent.careers/web;
location / {
rewrite ^(.*)$ https://staging.{{company-name}}.talent.careers$1 permanent;
}
#return 301 https://$server_name$request_uri;
# ACME challenge
location ^~ /.well-known {
allow all;
#alias /var/lib/letsencrypt/.well-known/;
default_type "text/plain";
try_files $uri =404;
}
}
server {
#listen 443;
listen [::]:443 ssl;
listen 443 ssl;
server_name staging.{{company-name}}.talent.careers;
if ($scheme != "https"){
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host != $server_name) {
#return 404 "this is an invalid request";
return 444;
} # managed by Certbot
ssl_certificate /etc/letsencrypt/live/{{company-name}}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{company-name}}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{company-name}}/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
root /srv/http/staging.{{company-name}}.talent.careers/web/;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/htpasswd;
add_header Cache-Control "no-cache, no-store, must-revalidate, proxy-revalidate";
#add_header X-Frame-Options SAMEORIGIN; # allow from startberlin etc
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "same-origin";
add_header Expect-CT "max-age=0, report-uri=https://sompani.report-uri.com/r/d/ct/reportOnly";
# add_header Content-Security-Policy "default-src https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src https:; object-src 'none'";
add_header X-Who-Is-Awesome "You are ❤";
location / {
# try to serve file directly, fallback to app.php
try_files $uri /app.php$is_args$args;
}
location ~ ^/app\.php(/|$) {
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
# When you are using symlinks to link the document root to the
# current version of your application, you should pass the real
# application path instead of the path to the symlink to PHP
# FPM.
# Otherwise, PHP's OPcache may not properly detect changes to
# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
# for more information).
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
# Prevents URIs that include the front controller. This will 404:
# http://domain.tld/app.php/some-path
# Remove the internal directive to allow URIs like this
internal;
expires -1;
}
# return 404 for all other php files not matching the front controller
# this prevents access to other php files you don't want to be accessible.
location ~ \.php$ {
return 404;
}
location ^~ /og-image {
root /srv/img/staging.sompani.com/;
}
# ACME challenge
#location ^~ /.well-known {
# allow all;
# alias /var/lib/letsencrypt/.well-known/;
# default_type "text/plain";
# try_files $uri =404;
#}
error_log /var/log/nginx/staging.{{company-name}}.talent.careers.error.log;
access_log /var/log/nginx/staging.{{company-name}}.talent.careers.access.log;
}
Reference in New Issue View Git Blame Copy Permalink