mirror of
https://github.com/louislam/uptime-kuma.git
synced 2025-02-23 12:05:56 +00:00
12d3aeb0cd
this playbook will install docker then install uptime kuma using docker and install and configure nginx with ssl
90 lines
3.4 KiB
Nginx Configuration File
90 lines
3.4 KiB
Nginx Configuration File
user nginx;
|
|
worker_processes auto;
|
|
|
|
pid /var/run/nginx.pid;
|
|
error_log /var/log/nginx/error.log;
|
|
|
|
events {
|
|
worker_connections 2048;
|
|
}
|
|
|
|
http {
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
keepalive_timeout 65;
|
|
types_hash_max_size 2048;
|
|
server_tokens off;
|
|
|
|
default_type application/octet-stream;
|
|
|
|
|
|
### SSL Settings for all servers (https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate)
|
|
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
|
|
ssl_certificate /etc/nginx/ssl/status.yoursite.fullchain.pem;
|
|
ssl_certificate_key /etc/nginx/ssl/status.yoursite.privkey.pem;
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
ssl_session_tickets off;
|
|
|
|
# intermediate configuration
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
ssl_prefer_server_ciphers off;
|
|
|
|
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/nginx/ssl/dhparam.pem (TODO: check if it's secure to use others DH parameters!)
|
|
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
|
|
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
|
|
|
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
# OCSP stapling
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent '
|
|
'"$http_referer" "$http_user_agent" $request_time $upstream_response_time UPA:$upstream_addr BYS:$bytes_sent BYR:$request_length';
|
|
access_log /var/log/nginx/access.log main;
|
|
|
|
### Set additional headers to be send to upstream
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
|
|
# Remove Headers that gonna be sent to client
|
|
proxy_hide_header X-Powered-By;
|
|
proxy_hide_header Server;
|
|
|
|
# Redirect HTTP request to HTTPS
|
|
server {
|
|
listen 80 default_server;
|
|
server_name status.yoursite;
|
|
return 302 https://$host$request_uri;
|
|
}
|
|
|
|
server {
|
|
server_name status.yoursite;
|
|
listen 443 ssl http2 default_server;
|
|
|
|
access_log /var/log/nginx/yoursite.access.log main;
|
|
error_log /var/log/nginx/yoursite.error.log;
|
|
|
|
location / {
|
|
# rewrite ^/(.*)/$ /$1 permanent;
|
|
### redirect urls with trailing slash to non-trailing slash
|
|
# https://serverfault.dev/questions/597302/removing-the-trailing-slash-from-a-url-with-nginx
|
|
# location ~ (?<no_slash>.+)/$ {
|
|
# return 302 https://$host$no_slash;
|
|
# }
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_pass http://localhost:3001/;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
}
|
|
}
|