diff --git a/example/gitea-nginx.conf b/example/gitea-nginx.conf
new file mode 100644
index 0000000..fad9988
--- /dev/null
+++ b/example/gitea-nginx.conf
@@ -0,0 +1,83 @@
+# ---
+
+# ---
+# see: https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
+# ---
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name ;
+
+ # Enforce HTTPS
+ return 308 https://$server_name$request_uri;
+}
+
+server {
+
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+
+ server_name ;
+
+ # Include location directive for Let's Encrypt ACME Challenge
+ #
+ # Needed for (automated) updating certificate
+ #
+ include snippets/letsencrypt-acme-challenge.conf;
+
+ # Use Mozilla's guidelines for SSL/TLS settings
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ ssl_certificate /var/lib/dehydrated/certs//fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certs//privkey.pem;
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ #
+ # To generate a dhparam.pem file, run in a terminal
+ # openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
+ #
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ # Eable session resumption to improve https performance
+ ssl_session_cache shared:MozSSL:50m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
+ # omit SSLv3 because of POODLE
+ # omit TLSv1 TLSv1.1
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+
+ # ECDHE better than DHE (faster) ECDHE & DHE GCM better than CBC (attacks on AES)
+ # Everything better than SHA1 (deprecated)
+ #
+ # see also:
+ # https://ssl-config.mozilla.org/
+ #
+ ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
+
+ location / {
+
+ # Make sure client_max_body_size is large enough, otherwise there would
+ # be "413 Request Entity Too Large" error when uploading large files.
+ client_max_body_size 512M;
+
+ proxy_pass http://localhost:3000;
+
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+}
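Review bot: `server_name ;` in both server blocks and the `certs//fullchain.pem` / `certs//privkey.pem` paths carry an empty host, so nginx will reject the directive with no argument and the `return 308 https://$server_name$request_uri;` redirect would build an empty Location host; presumably a placeholder token was lost when the example was rendered, so the file should carry an explicit one, e.g. `server_name GITEA_HOST_PLACEHOLDER;` and the same token inside the dehydrated certificate paths. Redirecting on `$server_name` rather than `$host` is the right choice here, since it keeps a client-supplied Host header out of the redirect target. The header comment references the Nextcloud nginx guide although this is a Gitea proxy; link Gitea's reverse-proxy documentation or drop the reference. Note also that nginx does not inherit `add_header` into a location that sets its own `add_header`, so if the included ACME snippet adds headers, the HSTS header set at server level will not be sent for that path — confirm against the snippet. Minor: "Eable" in the session-resumption comment should read "Enable".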