initial

2026-03-05 03:00:24 +00:00 · 2015-03-24 12:18:13 +02:00
commit 34553aa6f4
48 changed files with 1278 additions and 0 deletions
--- a/files/nginx/koodiklinikka.fi
+++ b/files/nginx/koodiklinikka.fi
@@ -0,0 +1,43 @@
+server { 
+    listen 80;
+    server_name www.koodiklinikka.fi koodiklinikka.fi;
+    return 301 https://koodiklinikka.fi$request_uri;
+}
+
+server { 
+    listen 443;
+    server_name www.koodiklinikka.fi;
+
+    include conf.d/ssl_profile.conf;
+    ssl on;
+    ssl_certificate /etc/ssl/certs/koodiklinikka.fi.pem;
+    ssl_certificate_key /etc/ssl/private/koodiklinikka.fi.key;
+
+    return 301 https://koodiklinikka.fi$request_uri;
+}
+
+server {
+    listen 443;
+    server_name koodiklinikka.fi;
+    
+    include conf.d/ssl_profile.conf;
+    ssl on;
+    ssl_certificate /etc/ssl/certs/koodiklinikka.fi.pem;
+    ssl_certificate_key /etc/ssl/private/koodiklinikka.fi.key;
+
+    root {{ koodiklinikka_app_path }}/public;
+
+    location / {
+        try_files $uri /index.html;
+    }
+
+    location /api {
+        rewrite /api/(.*) /$1 break;
+        proxy_pass  http://localhost:{{ koodiklinikka_api_port }};
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP  $remote_addr;
+    }
+}
--- a/files/nginx/nginx.conf
+++ b/files/nginx/nginx.conf
@@ -0,0 +1,37 @@
+user www-data;
+worker_processes 4;
+pid /var/run/nginx.pid;
+
+events {
+  worker_connections 768;
+}
+
+http {
+
+  server_names_hash_bucket_size 64;
+  sendfile on;
+  tcp_nopush on;
+  tcp_nodelay on;
+  keepalive_timeout 65;
+  types_hash_max_size 2048;
+
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+
+  access_log /var/log/nginx/access.log;
+  error_log /var/log/nginx/error.log;
+
+  charset utf-8;
+
+  gzip  on;
+  gzip_static on;
+  gzip_http_version   1.1;
+  gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+  gzip_min_length 1000;
+  gzip_proxied expired no-cache no-store private auth;
+  gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
+
+  server_tokens off;
+
+  include /etc/nginx/sites-enabled/*;
+}
--- a/files/nginx/ssl_profile.conf
+++ b/files/nginx/ssl_profile.conf
@@ -0,0 +1,25 @@
+# POODLE, PFS etc
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers 'AES128+EECDH:AES128+EDH';
+
+# Diffie Hellman
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+# SSL stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/certs/combined_startssl.pem;
+
+resolver 8.8.4.4 8.8.8.8 valid=300s;
+resolver_timeout 3s;
+
+# Enable HSTS
+add_header Strict-Transport-Security max-age=63072000;
+
+# Do not permit Content-Type sniffing.
+add_header X-Content-Type-Options nosniff;
+
+# https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:50m;