authormia <mia@mia.jetzt>2024-11-23 18:52:51 -0800
committermia <mia@mia.jetzt>2024-11-23 18:52:51 -0800
commit233e2c655cc64627a021c6baabe25e0ab7a4e134 (patch)
tree69ac40d2b815f5f28a69598e4c88ea1c41cec0ab /nginx/nginx.conf
parentd1522b9a71c08977a00a9e0ed03048509e91e4bf (diff)
terminate tls on asylum for secure local connections
Diffstat (limited to 'nginx/nginx.conf')
-rw-r--r--nginx/nginx.conf44
1 files changed, 33 insertions, 11 deletions
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 7ce4846..d04b581 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -13,6 +13,7 @@ http {
     tcp_nopush on;
     tcp_nodelay on;
     server_tokens off;
+    http2 on;
 
     access_log /var/log/nginx/access.log;
     include mime.types;
@@ -25,6 +26,8 @@ http {
     gzip_comp_level 6;
     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 
+    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=pcache:32m max_size=20g;
+
     map $http_upgrade $connection_upgrade {
         default upgrade;
         '' close;
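Review bot: The new `proxy_cache_path` declares the `pcache` zone, but no `proxy_cache pcache;` is visible anywhere in this diff, so either the zone is unused or it is switched on inside the `%PROXY%` expansion that the diff does not show. If it is enabled for the proxied applications, responses to authenticated requests are shared across clients unless the cache is keyed or bypassed on credentials, e.g. `proxy_cache_bypass $http_authorization $cookie_session;` and `proxy_no_cache $http_authorization $cookie_session;` (nginx already skips responses carrying Set-Cookie or Cache-Control: private, but only if the backends send them). The path line also sets no `inactive=` (defaults to 10m) and no `use_temp_path=off`; I would add `inactive=1h use_temp_path=off` so entries are not re-fetched every ten minutes and responses are written directly into the cache directory.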
@@ -39,6 +42,20 @@ http {
 
     absolute_redirect off;
 
+    # mozilla ssl settings via https://ssl-config.mozilla.org/
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1.3;
+    ssl_prefer_server_ciphers off;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 127.0.0.53;
+
+    # static sites
     server {
         listen 80 default_server;
         listen [::]:80 default_server;
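Review bot: `ssl_stapling_verify on;` has nothing to verify against, because the Mozilla snippet this block is copied from also carries `ssl_trusted_certificate /path/to/chain;` and that line is missing here; without it nginx logs a stapling warning and sends no OCSP response. Add `ssl_trusted_certificate <PATH-TO-ISSUER-CHAIN>;` next to the stapling directives, or drop both stapling lines if the certificate is issued by a private CA that does not run an OCSP responder, which the "secure local connections" wording hints at. `resolver 127.0.0.53;` looks like the systemd-resolved stub and is only used for the OCSP fetch, so it should be set to whatever the host actually runs. The generator's `add_header Strict-Transport-Security "max-age=63072000" always;` is also absent, and since the port-80 servers stay up and nothing in the diff redirects to https, clients will keep using plaintext unless that header or a redirect is added in the rendered output.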
@@ -48,6 +65,19 @@ http {
         index index.html;
     }
 
+    # https dummy server
+    server {
+        listen 443 quic reuseport default_server;
+        listen [::]:443 quic reuseport default_server;
+        listen 443 ssl reuseport default_server;
+        listen [::]:443 ssl reuseport default_server;
+        server_name _;
+        ssl_certificate /etc/tls/mia.jetzt.crt;
+        ssl_certificate_key /etc/tls/mia.jetzt.key;
+    }
+
+    %TERMINATE%
+
     # dissociate
     server {
         listen 80;
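Review bot: The https default server at the top of this hunk has no `return` and no `root`, so any connection to 443 whose SNI matches none of the real hosts — including clients that send no SNI at all — is handed the mia.jetzt certificate and then served from nginx's compiled-in default root. A catch-all that exists only to own the certificate should refuse such requests explicitly, e.g. `return 444;` as the only statement after the `ssl_certificate_key` line. `%TERMINATE%` (and `%PROXY%` below) are template tokens, not nginx syntax, so this file only loads after rendering; `nginx -t` has to run on the rendered file, presumably in whatever deploy step substitutes them. Browsers also only switch to the new `quic` listeners after seeing `add_header Alt-Svc 'h3=":443"; ma=86400' always;` on a TLS response, which nothing in this diff adds unless it lives inside `%TERMINATE%`.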
@@ -56,7 +86,7 @@ http {
 
         location / {
             proxy_pass http://localhost:8001;
-            proxy_http_version 1.1;
+            %PROXY%
         }
     }
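Review bot: Replacing the per-location proxy directives with `%PROXY%` hides what the three backends (localhost:8001 here, 6502 and 6503 in the two hunks below) will receive now that TLS is terminated in front of them, and the removed lines set neither `X-Forwarded-Proto` nor `X-Forwarded-For`. Unless the expansion adds `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, the applications see plain http from 127.0.0.1, cannot mark cookies Secure or build https redirect URLs correctly, and log the proxy's address instead of the client's. I would keep a one-line comment next to each token naming the file or variable that defines the expansion, e.g. `# %PROXY% expands to the shared proxy_* block, see <TEMPLATE-SOURCE>`, so a reader of the rendered config can find it. Note that the dissociate block previously set only `proxy_http_version 1.1;` while the other two also forwarded Host and Upgrade headers; if `%PROXY%` is the superset, that backend now receives upgrade headers it did not get before, which is probably intended but worth stating in the commit message.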
 
@@ -138,11 +168,7 @@ http {
 
         location / {
             proxy_pass http://localhost:6502;
-            proxy_http_version 1.1;
-            proxy_redirect off;
-            proxy_set_header Host $http_host;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection $connection_upgrade;
+            %PROXY%
         }
     }
 
@@ -180,11 +206,7 @@ http {
 
         location / {
             proxy_pass http://localhost:6503;
-            proxy_http_version 1.1;
-            proxy_redirect off;
-            proxy_set_header Host $http_host;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection $connection_upgrade;
+            %PROXY%
         }
     }
 }