
some stuff change

Jared Dunbar 2 years ago
parent
commit
09af35a737
Signed by: Jared Dunbar <jrddunbr@gmail.com> GPG Key ID: CF202CC859BAC692
1 changed files with 33 additions and 46 deletions
  1. 33
    46
      nginx.conf

+ 33
- 46
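--- a/nginx.conf
+++ b/nginx.conf
@@ -6,11 +6,9 @@ events {
 
 http {
   # Some SSL stuff
-  # when move to nginx 1.13, add TLSv1.3 below
-  ssl_protocols TLSv1.2;
-  ssl_prefer_server_ciphers on;
-  # specifically, not RC4.
-  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
+  ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+	ssl_prefer_server_ciphers on;
 
   # Some global configurations
   client_max_body_size 10M;
@@ -20,11 +18,20 @@ http {
   keepalive_timeout  65;
   gzip  on;
 
+  # header crap
+  add_header X-Frame-Options "SAMEORIGIN" always;
+	add_header X-XSS-Protection "1; mode=block" always;
+	add_header X-Content-Type-Options "nosniff" always;
+	add_header Referrer-Policy "no-referrer" always;
+	add_header Content-Security-Policy "self" always;
+
   # http://ja13.org and https://ja13.org
   server {
     server_name ja13.org;
-    listen 80;
-    listen 443 http2 ssl;
+  	listen 80;
+  	listen [::]:80;
+  	listen 443 ssl http2;
+  	listen [::]:443 ssl http2;
     root /srv/http/http;
 
     ssl_certificate /etc/letsencrypt/live/ja13.org-0001/fullchain.pem;
@@ -55,9 +62,14 @@ http {
   server {
     server_name john.ja13.org;
     listen 80;
-    listen 443 http2 ssl;
+  	listen [::]:80;
+  	listen 443 ssl http2;
+  	listen [::]:443 ssl http2;
     root /srv/http/john;
 
+    allow 10.0.0.0/24;
+    deny all;
+
     ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/ja13.org/privkey.pem;
 
@@ -70,7 +82,9 @@ http {
   server {
     server_name ns1.ja13.org;
     listen 80;
-    listen 443 http2 ssl;
+  	listen [::]:80;
+  	listen 443 ssl http2;
+  	listen [::]:443 ssl http2;
     root /srv/http/ns1;
 
     ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
@@ -96,12 +110,14 @@ http {
   server {
     server_name wifi.ja13.org;
     listen 80;
-    listen 443 http2 ssl;
+  	listen [::]:80;
+  	listen 443 ssl http2;
+  	listen [::]:443 ssl http2;
     root /srv/http;
 
     allow 10.0.0.0/24;
     deny all;
-    
+
     ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/ja13.org/privkey.pem;
 
@@ -109,39 +125,6 @@ http {
       proxy_set_header Referer "";
       proxy_ssl_verify off;
       proxy_pass https://127.0.0.1:8443;
-    } 
-  }
-
-  # http://source.ja13.org and https://source.ja13.org
-  server {
-    server_name source.ja13.org;
-    listen 80;
-    listen 443 http2 ssl;
-
-    ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/ja13.org/privkey.pem;
-
-    location / {
-      # this will probably be changed later
-      proxy_pass http://10.0.0.10:80;
-    }
-
-    location /robots.txt {
-      root /srv/http/common;
-      index robots.txt;
-    }
-
-    location /favicon.ico {
-      root /srv/http/common;
-      index favicon.ico;
-    }
-  }
-
-  server {
-    server_name nx.ja13.org;
-    listen 80;
-    location / {
-      return 301 https://docs.plm.automation.siemens.com/tdoc/nx/12.0.1/nx_help/;
     }
   }
 
@@ -149,7 +132,9 @@ http {
   server {
     server_name resume.ja13.org;
     listen 80;
-    listen 443 http2 ssl;
+  	listen [::]:80;
+  	listen 443 ssl http2;
+  	listen [::]:443 ssl http2;
     root /srv/http/resume;
 
     ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
@@ -175,7 +160,9 @@ http {
   server {
     server_name _;
     listen 80 default_server;
-    listen 443 http2 default_server ssl;
+  	listen [::]:80 default_server;
+  	listen 443 ssl http2 default_server;
+  	listen [::]:443 ssl http2 default_server;
     root /srv/http/lost;
     ssl_certificate /etc/letsencrypt/live/ja13.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/ja13.org/privkey.pem;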
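Review bot: The `add_header Content-Security-Policy "self" always;` line added in the second hunk (new line 26) is not a valid policy: a CSP value is a list of directives, and `self` on its own is neither a directive name nor the quoted `'self'` source keyword, so browsers receive `Content-Security-Policy: self`, ignore it, and enforce nothing while the header suggests protection is in place. The minimal working baseline is `add_header Content-Security-Policy "default-src 'self'" always;`, and since the sites here serve both static roots and a `proxy_pass` backend, the allowed sources should be checked against what those pages actually load before deploying. It is also worth confirming that nginx inherits `add_header` from the `http` block only into a `server` or `location` that defines no `add_header` of its own, so any block that later adds one silently drops this whole set; none of the blocks visible in these hunks do, but most of the file lies outside them.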
