diff --git a/conf.d/gzip.conf b/conf.d/gzip.conf
index 1af43b1..2b647cb 100644
--- a/conf.d/gzip.conf
+++ b/conf.d/gzip.conf
@@ -1,7 +1,6 @@
- gzip on;
- gzip_min_length 1100;
- gzip_comp_level 6;
- gzip_http_version 1.0;
- gzip_proxied expired no-cache no-store private auth;
- gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss application/xhtml+xml text/javascript image/svg+xml application/x-graphviz text/x-graphviz;
-
+gzip on;
+gzip_min_length 1100;
+gzip_comp_level 6;
+gzip_http_version 1.0;
+gzip_proxied any;
+gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss application/xhtml+xml text/javascript image/svg+xml application/x-graphviz text/x-graphviz;
diff --git a/conf.d/log.conf b/conf.d/log.conf
new file mode 100644
index 0000000..18a4322
--- /dev/null
+++ b/conf.d/log.conf
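Review bot: `gzip_proxied any;` now compresses every proxied response, including cacheable public ones, but the hunk adds no `gzip_vary on;`, so a shared cache sitting between nginx and the client can store the gzipped body and hand it to a client that never sent `Accept-Encoding: gzip`. The previous value (`expired no-cache no-store private auth`) limited compression to responses an intermediary would not cache, which is why the missing Vary header did not bite before. Add `gzip_vary on;` directly after `gzip_proxied any;`. Since every vhost in this commit serves these content types over TLS, compressing a response that mixes a secret with attacker-reflected input is the BREACH precondition; this hunk does not create that condition, but a one-line comment on `gzip_types` warning the next person who extends it would be worth having.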
@@ -0,0 +1,23 @@
+# definiere mehrere Formate für logfiles
+# Format main bindet gegenüber dem Default von nginx http_x_forwarded_for, gzip_ratio, request_time, upstream_response_time und pipe ein
+log_format main '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status $bytes_sent '
+ '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
+ '"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
+
+# das selbe Format nochmal nur mit ausgetauschter IP-Adresse
+log_format ano '0.0.0.0 - $remote_user [$time_local] '
+ '"$request" $status $bytes_sent '
+ '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
+ '"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
+
+# dieses Format ist für revers-proxy gedacht um mehr informationen über den Cache Zustand bei der Anfrage zu erhalten
+log_format cache '$time_local $upstream_cache_status '
+ 'Cache-Control: $upstream_http_cache_control '
+ 'Expires: $upstream_http_expires '
+ '"$request" ($status) "$gzip_ratio" '
+ '"$request_time" "$upstream_response_time" "$pipe"';
+
+access_log /var/log/nginx/access.log main;
+error_log /var/log/nginx/error.log warn;
+
diff --git a/conf.d/ssl.conf b/conf.d/ssl.conf
new file mode 100644
index 0000000..4de6d82
--- /dev/null
+++ b/conf.d/ssl.conf
@@ -0,0 +1,12 @@
+ssl_prefer_server_ciphers on;
+# not possible to do exclusive
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+
+ssl_dhparam /etc/ssl/private/dhparams.pem;
+
+# add HSTS Header
+add_header Strict-Transport-Security max-age=15768000; # six months
+# Use a SSL/TLS cache for SSL session resume.
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
diff --git a/fastcgi_params b/fastcgi_params
index 8c6e8bb..28decb9 100644
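Review bot: The `ano` format replaces `$remote_addr` with `0.0.0.0` but still logs `"$http_x_forwarded_for"`, so whenever a request arrives through a proxy that sets that header the client address lands in the log anyway and the anonymisation is defeated. If the goal is an address-free log, put a literal `"-"` where `"$http_x_forwarded_for"` sits in the `ano` format. Note that `access_log` in this file selects `main`, which records both the remote address and X-Forwarded-For; whether any vhost outside this diff uses `ano` cannot be seen here. The comments are German; an English line such as `# same as main, but with the client address replaced by 0.0.0.0 (no IP must appear in this format)` would make the intent checkable against the format string.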
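Review bot: With `ssl_prefer_server_ciphers on`, the `ssl_ciphers` string ranks `EDH+CAMELLIA` and `EDH+aRSA` ahead of `EECDH+aRSA+AESGCM`, so a client that offers DHE-RSA CBC/SHA-1 suites (DHE-RSA-CAMELLIA256-SHA, DHE-RSA-AES256-SHA) is steered to one of them instead of an ECDHE AEAD suite. That matters because this same commit turns on `http2` on every vhost, and RFC 7540 §9.2.2 lets browsers refuse HTTP/2 over such suites with INADEQUATE_SECURITY; moving the ECDHE groups to the front, `ssl_ciphers 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+aRSA:EDH+CAMELLIA:EECDH:...'`, fixes the ordering without removing any suite. `ssl_protocols` still admits TLSv1 and TLSv1.1, which are deprecated (RFC 8996); the comment `# not possible to do exclusive` should name the client that keeps them alive so they can be dropped once it is gone. Finally, an `add_header` at http level is inherited only by server and location blocks that declare no `add_header` of their own, so the HSTS header silently vanishes in any vhost that adds a header itself — worth a comment on the `add_header Strict-Transport-Security` line.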
--- a/fastcgi_params +++ b/fastcgi_params @@ -23,7 +23,3 @@ fastcgi_param SERVER_NAME $server_name; # PHP only, required if PHP was built with --enable-force-cgi-redirect fastcgi_param REDIRECT_STATUS 200; - -# ----- Add by Martin89 ----- -fastcgi_param SCRIPT_FILENAME $request_filename; - diff --git a/nginx.conf b/nginx.conf index e80e34f..c018b93 100644 --- a/nginx.conf +++ b/nginx.conf 
@@ -15,52 +15,12 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; - - # definiere mehrere Formate für logfiles - # Format main bindet gegen über dem Default http_x_forwarded_for, gzip_ratio, zeiten und pipe usw. - log_format main '$remote_addr - $remote_user [$time_local] ' - '"$request" $status $bytes_sent ' - '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" ' - '"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"'; - - # das selbe Format nochmal nur mit ausgtauschter Fake IP - log_format ano '0.0.0.0 - $remote_user [$time_local] ' - '"$request" $status $bytes_sent ' - '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" ' - '"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"'; - - # dieses Format ist für revers-proxy gedacht um mehr informationen über den Cache Zustand bei der Anfrage zu erhalten - log_format cache '$time_local $upstream_cache_status ' - 'Cache-Control: $upstream_http_cache_control ' - 'Expires: $upstream_http_expires ' - '"$request" ($status) "$gzip_ratio" ' - '"$request_time" "$upstream_response_time" "$pipe"'; - - - access_log /var/log/nginx/access.log main; - upstream ro01 { server [2001:470:6c:655::2] weight=10; server local.krautspace.de weight=1; } proxy_cache_path /var/lib/nginx/cache keys_zone=statusATro01:10m; - - ssl_prefer_server_ciphers on; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive - ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES2\ -56:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-\ -SHA:CAMELLIA128-SHA:AES128-SHA'; - ssl_dhparam /etc/ssl/private/dhparams.pem; - - add_header Strict-Transport-Security max-age=15768000; # six months - ## Use a SSL/TLS cache for SSL session resume. 
- ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - - # setzt die Variable php_https abhängig davon ob es sich um eine https Verbindung handelt, ist für die Weitergabe an php - map $scheme $php_https { default off; https on; } - sendfile on; #tcp_nopush on; diff --git a/sites-available/hackspace-jena.de b/sites-available/hackspace-jena.de index 214e089..8299321 100644 --- a/sites-available/hackspace-jena.de +++ b/sites-available/hackspace-jena.de @@ -1,8 +1,8 @@ server { listen 0.0.0.0:80; listen [2a01:4f8:151:51a3:176:9:184:3]:80; - listen 0.0.0.0:443 ssl; - listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; + listen 0.0.0.0:443 ssl http2; + listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2; ssl_certificate /etc/nginx/certs/www.krautspace.de.crt; ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key; server_name www.hackspace-jena.de hackspace-jena.de; diff --git a/sites-available/kraut.space.conf b/sites-available/kraut.space.conf index 4c07bd1..ba0fac4 100644 --- a/sites-available/kraut.space.conf +++ b/sites-available/kraut.space.conf @@ -11,8 +11,8 @@ server { } server { - listen 0.0.0.0:443 ssl default; - listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl default; + listen 0.0.0.0:443 ssl http2 default; + listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2 default; ssl_certificate /etc/ssl/private/star.kraut.space.combined.crt; ssl_certificate_key /etc/ssl/private/star.kraut.space.key; server_name kraut.space www.kraut.space; @@ -65,7 +65,7 @@ server { include fastcgi_params; fastcgi_buffers 16 16k; fastcgi_buffer_size 32k; - fastcgi_param HTTPS $php_https; # DW checks $_SERVER['HTTPS'] + fastcgi_param SCRIPT_FILENAME $request_filename; fastcgi_intercept_errors on; fastcgi_pass unix:/var/run/php5-fpm.sock; # entferne Header "X-Powered-By: PHP/5.4.40-1~dotdeb+wheezy.1" diff --git a/sites-available/krautspace.de b/sites-available/krautspace.de index cebb3e9..edec093 100644 --- a/sites-available/krautspace.de +++ b/sites-available/krautspace.de 
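Review bot: The replaced line `fastcgi_param HTTPS $php_https; # DW checks $_SERVER['HTTPS']` in kraut.space.conf is dropped without a visible substitute, and the same commit deletes the `map $scheme $php_https` block from nginx.conf, so unless the stock `fastcgi_params` (its first 22 lines are outside this diff) already carries `fastcgi_param HTTPS $https if_not_empty;`, DokuWiki no longer sees `$_SERVER['HTTPS']` on this TLS-only server block. The likely consequences are http:// self-links and redirects and a session cookie set without the Secure flag, which would undercut the HSTS header added in conf.d/ssl.conf. If the stock file does not provide it, add `fastcgi_param HTTPS $https if_not_empty;` next to the new `fastcgi_param SCRIPT_FILENAME $request_filename;`. The enclosing `location` block starts and ends outside the hunk.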
@@ -1,8 +1,8 @@ server { listen 0.0.0.0:80; listen [2a01:4f8:151:51a3:176:9:184:3]:80; - listen 0.0.0.0:443 ssl; - listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; + listen 0.0.0.0:443 ssl http2; + listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2; ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt; ssl_certificate_key /etc/ssl/private/star.krautspace.de.key; server_name krautspace.de; diff --git a/sites-available/lpd.kraut.space.conf b/sites-available/lpd.kraut.space.conf index c26ba98..f614bb0 100644 --- a/sites-available/lpd.kraut.space.conf +++ b/sites-available/lpd.kraut.space.conf @@ -1,8 +1,8 @@ server { listen 0.0.0.0:80; listen [2a01:4f8:151:51a3:176:9:184:3]:80; - listen 0.0.0.0:443 ssl; - listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; + listen 0.0.0.0:443 ssl http2; + listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2; ssl_certificate /etc/ssl/private/star.kraut.space.combined.crt; ssl_certificate_key /etc/ssl/private/star.kraut.space.key; server_name lpd.kraut.space; diff --git a/sites-available/media.hackspace-jena.de b/sites-available/media.hackspace-jena.de index f140b03..215e637 100644 --- a/sites-available/media.hackspace-jena.de +++ b/sites-available/media.hackspace-jena.de @@ -1,8 +1,8 @@ server { listen 0.0.0.0:80; listen [2a01:4f8:151:51a3:176:9:184:3]:80; - listen 0.0.0.0:443 ssl; - listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; + listen 0.0.0.0:443 ssl http2; + listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2; ssl_certificate /etc/nginx/certs/www.krautspace.de.crt; ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key; server_name media.hackspace-jena.de; diff --git a/sites-available/media.krautspace.de b/sites-available/media.krautspace.de index 728bbd1..2202dc9 100644 --- a/sites-available/media.krautspace.de +++ b/sites-available/media.krautspace.de 
@@ -8,8 +8,8 @@ server { } server { - listen 0.0.0.0:443 ssl; - listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; + listen 0.0.0.0:443 ssl http2; + listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2; ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt; ssl_certificate_key /etc/ssl/private/star.krautspace.de.key; server_name media.krautspace.de; diff --git a/sites-available/status.hackspace-jena.de b/sites-available/status.hackspace-jena.de index 575dd93..40d84f3 100644 --- a/sites-available/status.hackspace-jena.de +++ b/sites-available/status.hackspace-jena.de @@ -1,8 +1,8 @@ server { listen 0.0.0.0:80; - listen 0.0.0.0:443 ssl; + listen 0.0.0.0:443 ssl http2; listen [2a01:4f8:151:51a3:176:9:184:3]:80; - listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; + listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2; ssl_certificate /etc/nginx/certs/www.krautspace.de.crt; ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key; server_name status.hackspace-jena.de; diff --git a/sites-available/status.krautspace.de b/sites-available/status.krautspace.de index c323ddb..5357830 100644 --- a/sites-available/status.krautspace.de +++ b/sites-available/status.krautspace.de @@ -1,8 +1,8 @@ server { listen 0.0.0.0:80; - listen 0.0.0.0:443 ssl; + listen 0.0.0.0:443 ssl http2; listen [2a01:4f8:151:51a3:176:9:184:3]:80; - listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; + listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2; ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt; ssl_certificate_key /etc/ssl/private/star.krautspace.de.key; server_name status.krautspace.de status.kraut.space; diff --git a/sites-available/wiki.hackspace-jena.de b/sites-available/wiki.hackspace-jena.de index e50b8c3..06b5f4c 100644 --- a/sites-available/wiki.hackspace-jena.de +++ b/sites-available/wiki.hackspace-jena.de 
@@ -1,8 +1,8 @@ server { listen 0.0.0.0:80; listen [2a01:4f8:151:51a3:176:9:184:3]:80; - listen 0.0.0.0:443 ssl; - listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; + listen 0.0.0.0:443 ssl http2; + listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2; ssl_certificate /etc/nginx/certs/www.krautspace.de.crt; ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key; server_name wiki.hackspace-jena.de; diff --git a/sites-available/www.krautspace.de b/sites-available/www.krautspace.de index d459cf2..d887186 100644 --- a/sites-available/www.krautspace.de +++ b/sites-available/www.krautspace.de @@ -11,8 +11,8 @@ server { } server { - listen 0.0.0.0:443 ssl; - listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; + listen 0.0.0.0:443 ssl http2; + listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2; ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt; ssl_certificate_key /etc/ssl/private/star.krautspace.de.key; server_name www.krautspace.de;