diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..750329b
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,62 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ gzip on;
+ gzip_comp_level 5;
+ gzip_min_length 256;
+ gzip_proxied any;
+ gzip_vary on;
+
+ gzip_types application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # text/html is always compressed by gzip module
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name explorer.bisq.network;
+
+ if ($host = explorer.bisq.network) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ return 404; # managed by Certbot
+ }
+
+ server {
+ listen [::]:443 ssl http2; # managed by Certbot
+ listen 443 ssl http2; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/explorer.bisq.network/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/explorer.bisq.network/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+ server_name explorer.bisq.network; # managed by Certbot
+
+ index index.html;
+ root /home/bisqweb/bisq-explorer/www;
+
+ location / {
+ expires 10s;
+ try_files $uri $uri/ =404;
+ }
+ }
+}
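Review bot: The https server block in this hunk drops the hardening the replaced nginx.config carried — `server_tokens off;`, `add_header X-Content-Type-Options nosniff;` and the `Strict-Transport-Security` header — and nothing in the new file restores them; the Certbot `options-ssl-nginx.conf` include sets protocol, cipher and session options but, as far as I know, no response headers. Since the port-80 block already redirects to https, HSTS is the natural complement that makes the redirect sticky for returning browsers. Suggest adding to the `listen 443` block: `server_tokens off;`, `add_header X-Content-Type-Options nosniff always;` and `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` (drop `includeSubDomains` if not every bisq.network subdomain is served over https). `server_tokens off;` could instead sit at http level so the port-80 `return 404` response does not advertise the version either.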
diff --git a/nginx.config b/nginx.config
deleted file mode 100644
index 8802abc..0000000
--- a/nginx.config
+++ /dev/null
@@ -1,122 +0,0 @@
-##
-# You should look at the following URL's in order to grasp a solid understanding
-# of Nginx configuration files in order to fully unleash the power of Nginx.
-# http://wiki.nginx.org/Pitfalls
-# http://wiki.nginx.org/QuickStart
-# http://wiki.nginx.org/Configuration
-#
-# Generally, you will want to move this file somewhere, and start with a clean
-# file but keep this around for reference. Or just disable in sites-enabled.
-#
-# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
-##
-
-#don't send the nginx version number in error pages and Server header
-server_tokens off;
-
-# config to don't allow the browser to render the page inside an frame or iframe
-# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
-# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
-# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
-#add_header X-Frame-Options SAMEORIGIN;
-
-# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
-# to disable content-type sniffing on some browsers.
-# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
-# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
-# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
-add_header X-Content-Type-Options nosniff;
-
-# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
-# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
-# this particular website if it was disabled by the user.
-# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-add_header X-XSS-Protection "1; mode=block";
-
-# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
-# you can tell the browser that it can only download content from the domains you explicitly allow
-# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
-# https://www.owasp.org/index.php/Content_Security_Policy
-# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
-# directives for css and js(if you have inline css or js, you will need to keep it too).
-# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
-#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
-
-# Default server configuration
-#
-
-# http redirect
-server {
- if ($host = hostname) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- server_name hostname;
- rewrite ^ https://$server_name$request_uri? permanent;
-
-
-}
-
-server {
- listen 80;
- server_name hostname;
- rewrite ^ https://$server_name$request_uri? permanent;
-
- # Redirect non-https traffic to https
- # if ($scheme != "https") {
- # return 301 https://$host$request_uri;
- # } # managed by Certbot
-
-}
-
-
-server {
- location = /testnet/ {
- return 301 /;
- }
- # SSL configuration
- listen 443 ssl default_server;
- server_name hostname;
- ssl_certificate /etc/letsencrypt/live/hostname/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/hostname/privkey.pem; # managed by Certbot
-
-
- # enable session resumption to improve https performance
- # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
- ssl_session_cache shared:SSL:50m;
- ssl_session_timeout 5m;
-
- # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-
- # ciphers chosen for forward secrecy and compatibility
- # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
-
- ssl_prefer_server_ciphers on;
-
- # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
- # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
- add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-
- root /var/www/html;
-
- # Add index.php to the list if you are using PHP
- index index.html index.htm index.nginx-debian.html;
- error_page 404 /404.html;
-
- server_name _;
-
- location / {
- # First attempt to serve request as file, then
- # as directory, then fall back to displaying a 404.
- try_files $uri $uri/ =404;
- }
-
- location /insight/ {
- proxy_pass http://127.0.0.1:3001/insight/;
- }
-}