Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
185 lines (178 sloc) 8 KB
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 20m;
# Log format line - repeated here so that people can use it if they want
# log_format gzip '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" [DNT:$http_DNT]';
server { # Main server block
listen 443 ssl spdy;
listen [::]:443 ssl spdy;
ssl_certificate /etc/ssl/private/perot.me/live/fullchain.pem;
ssl_certificate_key /etc/ssl/private/perot.me/live/privkey.key;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparam.pem;
keepalive_timeout 300;
server_name perot.me *.perot.me;
root /home/perot/www;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# TODO: Hash the generated JS and put the hash here instead of unsafe-inline?
#add_header Content-Security-Policy "default-src https://perot.me; script-src https://perot.me 'unsafe-inline'; frame-ancestors 'none'";
#add_header X-Content-Security-Policy "default-src https://perot.me; script-src https://perot.me 'unsafe-inline'; frame-ancestors 'none'";
#add_header X-WebKit-CSP "default-src https://perot.me; script-src https://perot.me 'unsafe-inline'; frame-ancestors 'none'";
add_header Content-Type-Options nosniff;
add_header X-Content-Type-Options nosniff;
add_header Frame-Options DENY;
add_header X-Frame-Options DENY;
add_header XSS-Protection "1; mode=block";
add_header X-XSS-Protection "1; mode=block";
# HPKP disabled because this is super-high-maintenance, and breaks on cert renewal.
# To get the base64 sha256 for a certificate:
# openssl x509 -pubkey < /etc/ssl/private/perot.me/live/cert.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
# add_header Public-Key-Pins "pin-sha256=\"gUUZ2bRI8Gkplcu9I6MYSFUb1DTLrqmdkrSogukUkHM=\"; pin-sha256=\"u5U7vBBmn+XocTm4gBlTyTO82AjY5BxBhC1F931dg8Q=\"; pin-sha256=\"OZExL/qRYi36QnM3WcfVyGJ7ulTg4GB6Err//xocg8o=\"; max-age=10";
add_header Cache-Control public;
gzip_static on;
gzip_http_version 1.1;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";
gzip_vary on;
types {
text/html htm html;
text/css css;
text/xml xml;
application/xhtml+xml xhtml;
image/gif gif;
image/jpeg jpeg jpg;
image/png png;
application/x-javascript js;
application/atom+xml atom;
application/rss+xml rss rss2;
application/pgp-keys asc pgp;
text/plain txt md;
image/x-icon ico;
image/svg+xml svg svgz;
image/webp webp;
application/pdf pdf;
}
include /etc/nginx/conf-templates/enable-php.conf;
location = / {
add_header X-XRDS-Location http://www.myopenid.com/xrds?username=EtiennePerot.myopenid.com;
}
location /img {
if ($arg_expires_max) {
expires max;
add_header Last-Modified "";
add_header ETag "";
}
add_header Cache-Control public;
}
location /posts {
if ($arg_expires_max) {
expires max;
add_header Last-Modified "";
add_header ETag "";
}
add_header Cache-Control public;
}
location /private {
auth_basic "Private files";
auth_basic_user_file /home/perot/private-auth.txt;
}
location ~ /(?:posts-)?img/.*-res- {
rewrite "/img/(.*)-res-.{8}(.*)" /img/$1$2?expires_max=1;
rewrite "/posts-img/(.*)-res-.{8}(.*)" /posts/$1$2?expires_max=1;
}
location /posts-img/ {
rewrite "/posts-img/(.*)" /posts/$1;
}
location /blog/comment/queue {
return 403;
}
location /blog/comment/nonces {
return 403;
}
location /reply: {
rewrite /reply:(.+) /posts/$1/$1_reply.php?nocache=1;
}
location /getnonce {
rewrite ^.*$ /blog/comments/getnonce.php?nocache=1;
}
location /comment {
rewrite ^.*$ /blog/comments/submit.php?nocache=1;
}
location /mozilla-sync {
rewrite ^/mozilla-sync(/?)(.*) /$2 break;
proxy_pass http://localhost:11114;
}
location ^~ /music {
auth_basic "Music streaming";
auth_basic_user_file /etc/nginx/auth/music;
proxy_connect_timeout 36000s;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
send_timeout 36000s;
rewrite ^/music(/?)(.*) /$2 break;
proxy_pass http://localhost:4040;
}
location /radicale {
auth_basic "Radicale";
auth_basic_user_file /etc/radicale/users;
rewrite ^/radicale(/?)(.*) /$2 break;
proxy_pass http://localhost:5232;
}
location /galore {
auth_basic "Galore";
auth_basic_user_file /home/perot/galore-auth.txt;
proxy_pass http://localhost:7733;
}
location /tt-rss {
root /home/ttrss;
auth_basic "Tiny Tiny RSS";
auth_basic_user_file /home/ttrss/auth.txt;
location = /tt-rss/public.php {
auth_basic off;
allow all;
root /home/ttrss;
include /etc/nginx/conf-templates/enable-php-direct.conf;
}
location ~ ^/tt-rss/tags/.+$ {
auth_basic off;
allow all;
rewrite ^/tt-rss/tags/([^./]+)$ /tt-rss/tags/$1.php;
include /etc/nginx/conf-templates/enable-php-direct.conf;
}
include /etc/nginx/conf-templates/enable-php.conf;
}
location /piwik {
root /usr/share/webapps;
auth_basic "Piwik Analytics";
auth_basic_user_file /usr/share/webapps/piwik/auth.txt;
include /etc/nginx/conf-templates/enable-php.conf;
}
rewrite "^/cv\.md$" /cv.md break;
rewrite "^/([^/]+)\.md$" /posts/$1/$1.md;
try_files /posts$uri/$uri.html /posts$uri/$uri /posts$uri $uri.html $uri.md $uri/ $uri =404;
}
server { # Redirect to HTTPS version, and set STS header
listen 80;
listen [::]:80;
server_name perot.me *.perot.me;
expires max;
add_header Cache-Control public;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
rewrite ^ https://perot.me$request_uri? permanent;
}
server { # Domain aliases
listen 80;
listen [::]:80;
server_name etienneperot.com *.etienneperot.com etienneperot.name *.etienneperot.name;
expires max;
add_header Cache-Control public;
rewrite ^ https://perot.me$request_uri? permanent;
}
server { # Local-only piwik-serving server without HTTP auth, so that the log importer script can use it
listen 127.0.0.1:51814;
location /piwik {
root /usr/share/webapps;
include /etc/nginx/conf-templates/enable-php.conf;
}
}