Anton Shestakov <av6@dwimlabs.net>, Thu, 28 Jun 2018 22:44:14 +0800
provision: consider BOSH secure (and don't set certificate for prosody)
text/coffeescript coffee;
server_name {{ domain }};
access_log /var/log/nginx/{{ domain }}.access.log;
error_log /var/log/nginx/{{ domain }}.error.log;
return 301 https://$host$request_uri;
server_name {{ domain }};
listen [::]:443 ssl http2;
ssl_certificate {{ ssl_cert }};
ssl_certificate_key {{ ssl_key }};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:1m;
resolver {{ nginx_resolver }};
resolver_timeout {{ nginx_resolver_timeout }};
# HSTS: 31536000 = 365 days (set to 0 to expire and allow plain HTTP)
add_header Strict-Transport-Security 'max-age=31536000' always;
add_header Cache-Control private;
# Various security headers not related to HTTPS
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection '1; mode=block' always;
access_log /var/log/nginx/{{ domain }}.access.log;
error_log /var/log/nginx/{{ domain }}.error.log;
gzip_types text/css application/javascript application/x-javascript text/javascript;
proxy_pass http://127.0.0.1:5280/http-bind;
proxy_set_header Host $host;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;