Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
63 lines (51 sloc) 2.67 KB
server {
# IPv6
listen [::]:443 ssl http2;
# IPv4
listen 443 ssl http2;
server_name {{ server_name_template }};
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
# Access and error logs stored by server name.
access_log /var/log/nginx/{{ server_name_template }}.access.log;
error_log /var/log/nginx/{{ server_name_template }}.error.log;
ssl on;
ssl_certificate /etc/letsencrypt/live/{{ server_name_template }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ server_name_template }}/privkey.pem;
# Oddly, SSL isn't listed for SSL protocols. Because it is outdated and
# insecure.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# From mozilla-server-team
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
# Session resumption
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
# Error pages go directly to a self-contained file.
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root {{ site_path }};
}
{# Note: This will give different output for the primary server, and all other servers. This is to ensure Let's Encrypt can always renew. #}
# Let's Encrypt root— this is for testing to ensure we have the right domain.
location /.well-known/ {
{% if (server_name_template is equalto "iamcarrico.com") and (primary_server is defined) and (ansible_fqdn is not equalto primary_server) %}
proxy_pass https://{{ primary_server }};
access_log /var/log/nginx/iamcarrico.letsencrypt.remote.access.log;
error_log /var/log/nginx/iamcarrico.letsencrypt.remote.error.log;
{% else %}
root /var/www/acme-challenge/;
access_log /var/log/nginx/iamcarrico.letsencrypt.access.log;
error_log /var/log/nginx/iamcarrico.letsencrypt.error.log;
{% endif %}
}
location / {
proxy_pass http://127.0.0.1:8888;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
}