# Required top-level block. Left empty, so nginx uses its built-in
# connection-processing defaults.
events {}
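http {
    # Log warnings
    # TODO: Better path
    error_log /var/log/nginx.log warn;

    # nginx refuses to start without it. This sizes the hash buckets used for
    # server-name lookup.
    # NOTE(review): no server_name is active in this file, so the need for this
    # presumably comes from the build/platform default - confirm.
    server_names_hash_bucket_size 64;

    # The redirection server: upgrades every plain-HTTP request to HTTPS.
    server {
        listen 80 default_server;

        # Browsers ignore Strict-Transport-Security received over plain HTTP
        # (RFC 6797), so this header only takes effect on the 443 server below.
        # It is kept here unchanged; it is harmless but not a protection.
        add_header Strict-Transport-Security "max-age=31536000" always;

        # $host is taken from the client's request (request line / Host header).
        # As this is the default_server with no server_name, the redirect target
        # follows whatever host name the client sent.
        # NOTE(review): once the canonical host name is known, redirect to it
        # explicitly instead of echoing $host.
        return 301 https://$host$request_uri;
    }

    # The actual webserver duties
    server {
        # server_name lateinicus;
        listen 443 ssl http2;

        # Server-level add_header directives are inherited by a location only
        # if that location declares no add_header of its own. None of the
        # locations below do, so HSTS and the CSP reach every response. Adding
        # an add_header inside a location would silently drop both there
        # unless they are repeated.
        add_header Strict-Transport-Security "max-age=31536000" always;

        # Global CSP
        # Review points for tightening:
        #  - script-src allows https://unpkg.com, i.e. any script hosted on
        #    that CDN, not only the packages this app uses.
        #  - style-src allows 'unsafe-inline'.
        #  - img-src allows any https: origin.
        #  - frame-ancestors, base-uri and form-action do not fall back to
        #    default-src and are not set here.
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://unpkg.com; img-src 'self' https:; font-src https://fonts.googleapis.com https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline';" always;

        # SSL configuration
        ssl_certificate /etc/ssl/lateinicus.pem;
        # The private key should be readable only by the user that starts nginx.
        ssl_certificate_key /etc/ssl/lateinicus.key;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
        # The TLSv1.3 parameter needs nginx 1.13.0+ and only takes effect with
        # OpenSSL 1.1.1+; drop it if this nginx is older.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Same value as nginx's built-in default cipher string.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout 20m;
        keepalive_timeout 70;

        # Enable gzip compression
        # Compressing TLS responses that contain both a secret and
        # attacker-influenced input is the precondition for BREACH-style
        # length side channels.
        # NOTE(review): confirm the /api/ responses never combine the two, or
        # exclude them from compression.
        gzip on;
        # As written, only responses of at least 256 KiB are compressed.
        # NOTE(review): if 256 bytes was intended, drop the K - confirm.
        gzip_min_length 256K;

        error_page 404 /lost.html;
        error_page 500 502 503 504 /error.html;

        # Status page for 50X
        location = /error.html {
            root /srv/www;
        }

        # Status page for 404
        location = /lost.html {
            root /srv/www;
        }

        # Static privacy document, served straight from the web root
        location = /privacy.pdf {
            root /srv/www;
        }

        # Reverse Proxy
        location /api/ {
            # Seems weird, but it is (Prevent /api/api/)
            # As written this maps /api/X to /api/X, so the URI is unchanged;
            # `break` stops further rewrite processing.
            rewrite /api/(.*) /api/$1 break;
            proxy_set_header Host $host;
            # $remote_addr is the peer address of the TCP connection, not a
            # client-supplied header. Client-sent X-Forwarded-For is NOT
            # overridden here and passes through untouched, so the backend
            # must trust X-Real-IP only and ignore X-Forwarded-For.
            proxy_set_header X-Real-IP $remote_addr;
            # The hop to the backend is plain HTTP.
            # NOTE(review): acceptable only if the network between nginx and
            # 128.1.0.3 is private to this deployment - confirm.
            proxy_pass http://128.1.0.3:8080;
        }

        # There probably is a better solution using wildcards
        location = /app {
            return 301 https://$host/app/;
        }

        location = / {
            return 301 https://$host/app/;
        }

        # The web app
        location /app/ {
            # CSS might not get the correct Content-Type header
            include /etc/nginx/mime.types;

            root /srv/www;
            # For react-router: any path that is not an existing file falls
            # back to the single-page app's entry point.
            try_files $uri /app/index.html;
            index index.html;
        }
    }
}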