105 lines
5.4 KiB
Plaintext
105 lines
5.4 KiB
Plaintext
server {
|
|
server_name www.talent.{{company-name}}.{{company-suffix}} talent.{{company-name}}.{{company-suffix}} {{company-name}}.talent.careers;
|
|
return 301 https://talent.{{company-name}}.{{company-suffix}}$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen [::]:443 ssl;
|
|
listen 443 ssl;
|
|
server_name www.talent.{{company-name}}.{{company-suffix}};
|
|
|
|
ssl_certificate /etc/letsencrypt/live/{{company-name}}/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/{{company-name}}/privkey.pem;
|
|
ssl_trusted_certificate /etc/letsencrypt/live/{{company-name}}/chain.pem;
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:le_nginx_SSL:1m;
|
|
ssl_session_tickets off;
|
|
ssl_prefer_server_ciphers on;
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
|
|
return 301 https://talent.{{company-name}}.{{company-suffix}}$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen [::]:443 ssl;
|
|
listen 443 ssl;
|
|
server_name talent.{{company-name}}.{{company-suffix}} {{company-name}}.talent.careers;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/{{company-name}}/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/{{company-name}}/privkey.pem;
|
|
ssl_trusted_certificate /etc/letsencrypt/live/{{company-name}}/chain.pem;
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:le_nginx_SSL:1m;
|
|
ssl_session_tickets off;
|
|
ssl_prefer_server_ciphers on;
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
|
|
|
|
# Bad Bot Blocker
|
|
include /etc/nginx/bots.d/ddos.conf;
|
|
include /etc/nginx/bots.d/blockbots.conf;
|
|
|
|
root /srv/http/{{company-name}}.talent.careers/web/;
|
|
|
|
add_header Cache-Control "no-cache, no-store, must-revalidate, proxy-revalidate";
|
|
#add_header X-Frame-Options SAMEORIGIN; # allow from startberlin, jsfiddle, ...
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header Referrer-Policy "same-origin";
|
|
add_header Expect-CT "max-age=0, report-uri=https://sompani.report-uri.com/r/d/ct/reportOnly";
|
|
#add_header Content-Security-Policy "default-src https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src https:; object-src 'none'";
|
|
add_header X-Who-Is-Awesome "You are ❤";
|
|
|
|
|
|
location / {
|
|
# try to serve file directly, fallback to app.php
|
|
try_files $uri /app.php$is_args$args;
|
|
}
|
|
location ~ ^/app\.php(/|$) {
|
|
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
|
|
fastcgi_split_path_info ^(.+\.php)(/.*)$;
|
|
include fastcgi_params;
|
|
# When you are using symlinks to link the document root to the
|
|
# current version of your application, you should pass the real
|
|
# application path instead of the path to the symlink to PHP
|
|
# FPM.
|
|
# Otherwise, PHP's OPcache may not properly detect changes to
|
|
# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
|
|
# for more information).
|
|
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
|
fastcgi_param DOCUMENT_ROOT $realpath_root;
|
|
# Prevents URIs that include the front controller. This will 404:
|
|
# http://domain.tld/app.php/some-path
|
|
# Remove the internal directive to allow URIs like this
|
|
internal;
|
|
expires -1;
|
|
}
|
|
|
|
# return 404 for all other php files not matching the front controller
|
|
# this prevents access to other php files you don't want to be accessible.
|
|
location ~ \.php$ {
|
|
return 404;
|
|
}
|
|
|
|
location ^~ /og-image {
|
|
root /srv/img/www.sompani.com/;
|
|
}
|
|
# ACME challenge
|
|
#location ^~ /.well-known {
|
|
# allow all;
|
|
# alias /var/lib/letsencrypt/.well-known/;
|
|
# default_type "text/plain";
|
|
# try_files $uri =404;
|
|
#}
|
|
|
|
error_log /var/log/nginx/{{company-name}}.talent.careers.error.log;
|
|
access_log /var/log/nginx/{{company-name}}.talent.careers.access.log;
|
|
|
|
}
|