8bc007c7f3
The setup now uses my Kubernetes controller for Let's Encrypt. This changes the nginx certificate locations to match the new secrets.
# Process identity and lifecycle. Workers run as the unprivileged `nginx`
# user; `daemon off` keeps nginx in the foreground so the container runtime
# (Kubernetes, per the commit message) supervises the process directly.
user nginx;
daemon off;
pid /var/run/nginx.pid;

# A single worker process.
worker_processes 1;

# Only warnings and above are written to the error log.
error_log /var/log/nginx/error.log warn;

events {
    # Connection cap per worker; with one worker this is also the global cap.
    worker_connections 1024;
}
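http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    sendfile on;
    keepalive_timeout 65;
    gzip on;

    # Do not advertise the nginx version in the Server header or on error
    # pages; it only helps an attacker fingerprint the deployment.
    server_tokens off;

    # TLS configuration (mirrored in the stream{} block below -- keep in sync).
    # TLSv1.2 only. Append TLSv1.3 once the nginx/OpenSSL build in the image
    # supports it (nginx >= 1.13.0 on OpenSSL >= 1.1.1); on an older build the
    # value is rejected and nginx refuses to start, so it is not added blindly.
    ssl_protocols TLSv1.2;
    # ECDHE-only list, AEAD suites (GCM / ChaCha20-Poly1305) first. The last
    # four entries are CBC-mode suites kept for older clients; drop them if
    # client compatibility allows.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    # Session resumption through the server-side cache only. Tickets are off
    # because a long-lived, shared ticket key would undermine forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:HTTPS:50m;
    ssl_session_tickets off;
    # DH parameters for DHE key exchange. The list above is ECDHE-only, so
    # this file only matters if DHE suites are ever added; it is still read
    # at config load, so it must exist.
    ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;

    # Logstash log format
    log_format logstash '$http_host '
                        '$remote_addr [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" '
                        '$request_time '
                        '$upstream_response_time';

    access_log /var/log/nginx/access.log logstash;

    # Default certificate (www.tazj.in), mounted from the Let's Encrypt
    # controller's secret. Server blocks for other hosts (e.g. oslo.pub) must
    # override BOTH directives, otherwise they present the wrong certificate.
    ssl_certificate /etc/nginx/ssl/www.tazj.in/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/www.tazj.in/key.pem;

    # HSTS (ngx_http_headers_module is required). 15768000 s = 6 months.
    # `always` (nginx >= 1.7.5) sends the header on error responses as well,
    # not only on 2xx/3xx, so a 404/500 page cannot be served without it.
    # NOTE: add_header is NOT inherited into a server/location block that
    # sets any add_header of its own -- such blocks in http.conf must repeat
    # this line or HSTS silently disappears for them.
    add_header Strict-Transport-Security "max-age=15768000" always;

    include /etc/nginx/conf/http.conf;
}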
stream {
    # TLS settings for TCP-level (stream) proxying. Same policy as the http{}
    # block above: TLSv1.2 only, ECDHE-only suites with AEAD first, server
    # cipher preference, cache-based resumption with tickets disabled.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # Session resumption: server-side cache (separate zone from http{}),
    # no session tickets.
    ssl_session_timeout 1d;
    ssl_session_cache shared:STREAM:50m;
    ssl_session_tickets off;

    # DH parameters; only relevant for DHE suites, none of which are listed.
    ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;

    # Default certificate for the apex domain (tazj.in), mounted from the
    # Let's Encrypt controller's secret.
    ssl_certificate /etc/nginx/ssl/tazj.in/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/tazj.in/key.pem;

    include /etc/nginx/conf/stream.conf;
}