From 233e2c655cc64627a021c6baabe25e0ab7a4e134 Mon Sep 17 00:00:00 2001
From: mia
Date: Sat, 23 Nov 2024 18:52:51 -0800
Subject: terminate tls on asylum for secure local connections

---
 nginx/nginx.conf | 44 +++++++++++++++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 11 deletions(-)

(limited to 'nginx/nginx.conf')

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 7ce4846..d04b581 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -13,6 +13,7 @@ http {
     tcp_nopush on;
     tcp_nodelay on;
     server_tokens off;
+    http2 on;
 
     access_log /var/log/nginx/access.log;
     include mime.types;
@@ -25,6 +26,8 @@ http {
     gzip_comp_level 6;
     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
 
+    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=pcache:32m max_size=20g;
+
     map $http_upgrade $connection_upgrade {
         default upgrade;
         '' close;
@@ -39,6 +42,20 @@ http { absolute_redirect off; + # mozilla ssl settings via https://ssl-config.mozilla.org/ + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + + ssl_stapling on; + ssl_stapling_verify on; + resolver 127.0.0.53; + + # static sites server { listen 80 default_server; listen [::]:80 default_server;
@@ -48,6 +65,19 @@ http {
         index index.html;
     }
 
+    # https dummy server
+    server {
+        listen 443 quic reuseport default_server;
+        listen [::]:443 quic reuseport default_server;
+        listen 443 ssl reuseport default_server;
+        listen [::]:443 ssl reuseport default_server;
+        server_name _;
+        ssl_certificate /etc/tls/mia.jetzt.crt;
+        ssl_certificate_key /etc/tls/mia.jetzt.key;
+    }
+
+    %TERMINATE%
+
     # dissociate
     server {
         listen 80;
@@ -56,7 +86,7 @@ http {
 
         location / {
             proxy_pass http://localhost:8001;
-            proxy_http_version 1.1;
+            %PROXY%
         }
     }
 
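Review bot: `ssl_stapling_verify on;` in the new ssl block has no `ssl_trusted_certificate` next to it, and nginx can only verify an OCSP response against the issuer chain configured with that directive; the Mozilla generator this block cites pairs the two as `ssl_stapling_verify on;` followed by `ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;` (path is a placeholder here). The same template also emits a `Strict-Transport-Security` header and an 80→443 redirect, neither of which appears in this patch; if the TLS listener is meant only for the local connections named in the subject that may be deliberate, but a one-line comment saying so would stop the next reader from "fixing" it. `resolver 127.0.0.53;` assumes the systemd-resolved stub is running on the host; if it is not, the stapling fetches fail and nginx logs the errors. The hunk's enclosing `http` block starts and ends outside it.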
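Review bot: The `# https dummy server` block is the `default_server` with `server_name _`, so it receives every TLS connection whose SNI/Host matches no other server, yet it has no `location` or `return`; such requests are answered from nginx's built-in default root instead of being refused, and a `return 444;` inside the block would close them without a response. The four `listen 443 quic` lines open UDP/443, but nothing in the patch enables HTTP/3 negotiation; on the nginx versions where `http2 on;` from the first hunk is valid that appears to require `http3 on;`, otherwise the QUIC sockets are reachable without serving anything. What `%TERMINATE%` expands to is not visible here; as written only the dummy server carries `ssl_certificate`/`ssl_certificate_key`, so any server it generates must provide its own or inherit them from the `http` block. The enclosing `http` block starts and ends outside the hunk.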
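Review bot: `%PROXY%` replaces the single `proxy_http_version 1.1;` in the `localhost:8001` location, while in the two later hunks (the `localhost:6502` and `localhost:6503` locations) it replaces a five-line block that also set `proxy_redirect`, `Host`, `Upgrade` and `Connection`; if the placeholder expands to that block, the 8001 backend now receives `Host`/`Upgrade`/`Connection` headers it did not get before, which should be confirmed against what it accepts. Because this patch moves TLS termination into nginx, the expansion should also forward the original scheme and client address, e.g. `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, so backends build https URLs, mark cookies `Secure` and log the real peer rather than 127.0.0.1. The template body is not in this diff, so this is a check rather than a confirmed defect. The `server` blocks enclosing all three locations start outside their hunks.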
@@ -138,11 +168,7 @@ http {
 
         location / {
             proxy_pass http://localhost:6502;
-            proxy_http_version 1.1;
-            proxy_redirect off;
-            proxy_set_header Host $http_host;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection $connection_upgrade;
+            %PROXY%
         }
     }
 
@@ -180,11 +206,7 @@ http {
 
         location / {
             proxy_pass http://localhost:6503;
-            proxy_http_version 1.1;
-            proxy_redirect off;
-            proxy_set_header Host $http_host;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection $connection_upgrade;
+            %PROXY%
         }
     }
 }
-- 
cgit 1.4.1