ddns/rootfs/usr/local/share/template-files/config/nginx/nginx.ssl.conf

# Default nginx configuration
user                   root;
worker_processes       1;

error_log              /dev/stderr warn;
pid                    /tmp/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include            /etc/nginx/mime.types;
    default_type       application/octet-stream;
    log_format         main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
    access_log         /var/log/nginx/access.log  main;
    sendfile           on;
    keepalive_timeout  65;
    gzip               on;
    map                $http_upgrade $connection_upgrade { default upgrade; '' close; }

    server 
        listen                               SERVER_PORT ssl http2 default_server;
        access_log                           /var/log/nginx/access.log;
        error_log                            /var/log/nginx/error.log info;
        keepalive_timeout                    75 75;
        root                                 /data/htdocs/www;
        index                                index.html index.php index.cgi index.pl index.aspx awstats.pl index.unknown.php index.default.php index.txt index.json;
        proxy_intercept_errors               off;
        add_header X-Frame-Options           "SAMEORIGIN" always;
        add_header X-XSS-Protection          "1; mode=block" always;
        add_header X-Content-Type-Options    "nosniff" always;
        add_header Referrer-Policy           "no-referrer-when-downgrade" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Content-Security-Policy   "script-src 'self' 'unsafe-inline' 'unsafe-eval' *; frame-src 'self' *; object-src 'self'" always;
        ssl_protocols                        TLSv1.2 TLSv1.3;
        ssl_ciphers                          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers            off;
        ssl_certificate                      /config/ssl/localhost.crt;
        ssl_certificate_key                  /config/ssl/localhost.key;
    
        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }
    
        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }
    
        location /nginx_status {
            stub_status;
        }
    
        location /health {
            default_type text/html;
            allow all;
            access_log off;
            return 200 'OK';
        }
    
        location /health.json {
            default_type application/json;
            allow all;
            access_log off;
            return 200 '{"status":"OK"}';
        }
    }
}
🗃️ Committing everything that changed 🗃️ 2022-10-20 19:46:15 -04:00			`# Default nginx configuration`
			`user root;`
			`worker_processes 1;`

			`error_log /dev/stderr warn;`
			`pid /tmp/nginx.pid;`

			`events {`
			`worker_connections 1024;`
			`}`

			`http {`
			`include /etc/nginx/mime.types;`
			`default_type application/octet-stream;`
			`log_format main '$remote_addr - $remote_user [$time_local] "$request" '`
			`'$status $body_bytes_sent "$http_referer" '`
			`'"$http_user_agent" "$http_x_forwarded_for"';`
			`access_log /var/log/nginx/access.log main;`
			`sendfile on;`
			`keepalive_timeout 65;`
			`gzip on;`
			`map $http_upgrade $connection_upgrade { default upgrade; '' close; }`

			`server`
			`listen SERVER_PORT ssl http2 default_server;`
			`access_log /var/log/nginx/access.log;`
			`error_log /var/log/nginx/error.log info;`
			`keepalive_timeout 75 75;`
			`root /data/htdocs/www;`
			`index index.html index.php index.cgi index.pl index.aspx awstats.pl index.unknown.php index.default.php index.txt index.json;`
			`proxy_intercept_errors off;`
			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header Referrer-Policy "no-referrer-when-downgrade" always;`
			`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`
			`add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ; frame-src 'self' ; object-src 'self'" always;`
			`ssl_protocols TLSv1.2 TLSv1.3;`
			`ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;`
			`ssl_prefer_server_ciphers off;`
			`ssl_certificate /config/ssl/localhost.crt;`
			`ssl_certificate_key /config/ssl/localhost.key;`

			`location = /favicon.ico {`
			`log_not_found off;`
			`access_log off;`
			`}`

			`location = /robots.txt {`
			`allow all;`
			`log_not_found off;`
			`access_log off;`
			`}`

			`location /nginx_status {`
			`stub_status;`
			`}`

			`location /health {`
			`default_type text/html;`
			`allow all;`
			`access_log off;`
			`return 200 'OK';`
			`}`

			`location /health.json {`
			`default_type application/json;`
			`allow all;`
			`access_log off;`
			`return 200 '{"status":"OK"}';`
			`}`
			`}`
			`}`