
gudvinr Jabber bot nginx configuration

Created by Maxim S

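--- /dev/null
+++ b/bot.conf
@@ -0,0 +1,63 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name domain.tld;
+    keepalive_timeout 5;
+
+
+    # OCSP Stapling ---
+    # fetch OCSP records from URL in ssl_certificate and cache them
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;
+
+    include /etc/nginx/conf.d/ssl.conf.template;
+
+    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
+    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
+
+    error_log  /path/to/www/logs/bots_error.log;
+    access_log /path/to/www/logs/bots_access.log;
+
+    gzip on;
+
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
+    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js application/font-ttf application/font-opentype application/vnd.ms-fontobject image/svg+xml;
+
+    root /path/to/www/public;
+
+    location /path {
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Host $server_name;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+        proxy_set_header   Host $http_host;
+        proxy_redirect off;
+
+        location /path/123456 {
+            error_log  /path/to/www/logs/bot_error.log;
+            access_log /path/to/www/logs/bot_access.log;
+
+            alias /path/to/www/bot/public;
+
+            proxy_pass http://unix:/path/to/www/bot/bot.sock:/;
+        }
+    }
+}
+
+server {
+  listen              80;
+  listen              [::]:80;
+  server_name         domain.tld;
+
+  location / {
+    return 301 https://$server_name$request_uri;
+  }
+}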
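Review bot: The `alias /path/to/www/bot/public;` inside `location /path/123456` is dead configuration: the `proxy_pass` that follows hands every request in that location to the unix socket, so nginx never resolves a file path there and the alias has no effect; either drop it or move static serving into a location without `proxy_pass`. The numeric path segment looks like a per-bot secret carried in the URL (inferred from the layout, not stated); if it is, be aware that `bot_access.log` records the full `$request` line, so the secret lands in plaintext in the log — `access_log off;` for that location, or a log format without the URI, avoids that. The outer `location /path` sets proxy headers but has no `proxy_pass`, so any `/path/<other>` request falls through to the static `root`; if that is intended, say so with `# /path is served from root; only the token path below is proxied`.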

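--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,29 @@
+user  nginx;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+
+    keepalive_timeout  65;
+
+    include /etc/nginx/conf.d/*.conf;
+    include /path/to/www/nginx.conf/*.conf;
+}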
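Review bot: The `http` block never sets `server_tokens off;`, so the exact nginx version is advertised in the `Server` header and on built-in error pages for every vhost pulled in by the two `include` lines; add `server_tokens off;` next to `sendfile on;`. `worker_processes 1;` pins nginx to a single core, which is fine for one bot but `worker_processes auto;` is the usual setting and costs nothing. Both are one-line changes at the top level of this file.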

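--- /dev/null
+++ b/ssl.conf.template
@@ -0,0 +1,22 @@
+# ciphers chosen for forward secrecy and compatibility
+ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ssl_prefer_server_ciphers on;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 1d;
+
+# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
+ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+add_header Strict-Transport-Security max-age=15768000;
+add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
+
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+ssl_session_tickets off;
+
+resolver 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=300s;
+resolver_timeout 300s;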
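Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps the deprecated TLS 1.0/1.1 enabled, and the cipher string contradicts its own "forward secrecy" comment by listing 3DES (`ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA` — which `!DES` does not exclude) and static-RSA suites (`AES256-GCM-SHA384` through `AES128-SHA`) plus the open-ended `HIGH` alias; the server block that includes this file listens with `http2`, which already requires TLS 1.2, so HTTP/2-capable clients never need the old versions. Change it to `ssl_protocols TLSv1.2;` and remove the 3DES and non-ECDHE/DHE entries from `ssl_ciphers`, or at minimum append `:!3DES:!kRSA` to the list. The `add_header` lines only apply to 2xx/3xx responses, so error pages leave without HSTS or `X-Frame-Options`; `add_header Strict-Transport-Security max-age=15768000 always;` (and `always` on the other headers) closes that gap. `resolver_timeout 300s;` is ten times nginx's default and only prolongs a stuck OCSP fetch; something in the 5–10s range is typical.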