Compare commits
6 commits
Author | SHA1 | Date | |
---|---|---|---|
|
041b2ece7a | ||
|
da943b71f1 | ||
|
a54dd4345a | ||
|
6704842cb7 | ||
|
683d847405 | ||
|
a154e0c476 |
15 changed files with 62 additions and 72 deletions
|
@ -1,7 +1,6 @@
|
|||
gzip on;
|
||||
gzip_min_length 1100;
|
||||
gzip_comp_level 6;
|
||||
gzip_http_version 1.0;
|
||||
gzip_proxied expired no-cache no-store private auth;
|
||||
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss application/xhtml+xml text/javascript image/svg+xml application/x-graphviz text/x-graphviz;
|
||||
|
||||
gzip on;
|
||||
gzip_min_length 1100;
|
||||
gzip_comp_level 6;
|
||||
gzip_http_version 1.0;
|
||||
gzip_proxied any;
|
||||
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss application/xhtml+xml text/javascript image/svg+xml application/x-graphviz text/x-graphviz;
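Review bot: `gzip_proxied any;` compresses every response to a proxied request, and no `gzip_vary on;` is visible in these lines. It looks like the new value in this hunk, though the rendered page has lost the +/- column. Without `Vary: Accept-Encoding`, a shared cache in front of this server can store the gzip variant and hand it to a client that did not ask for it, so I would add `gzip_vary on;` next to this directive. Compression also covers `application/json` and the XML/XHTML types served over TLS. Responses that mix a secret (CSRF token, session data) with request-controlled text are safer with `gzip off;` in their own location, because the compressed length leaks information about the content.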
|
||||
|
|
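--- a/conf.d/log.conf
+++ b/conf.d/log.conf
@@ -0,0 +1,23 @@
+# definiere mehrere Formate für logfiles
+# Format main bindet gegenüber dem Default von nginx http_x_forwarded_for, gzip_ratio, request_time, upstream_response_time und pipe ein
+log_format main '$remote_addr - $remote_user [$time_local] '
+'"$request" $status $bytes_sent '
+'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
+'"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
+
+# das selbe Format nochmal nur mit ausgetauschter IP-Adresse
+log_format ano '0.0.0.0 - $remote_user [$time_local] '
+'"$request" $status $bytes_sent '
+'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
+'"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
+
+# dieses Format ist für revers-proxy gedacht um mehr informationen über den Cache Zustand bei der Anfrage zu erhalten
+log_format cache '$time_local $upstream_cache_status '
+'Cache-Control: $upstream_http_cache_control '
+'Expires: $upstream_http_expires '
+'"$request" ($status) "$gzip_ratio" '
+'"$request_time" "$upstream_response_time" "$pipe"';
+
+access_log /var/log/nginx/access.log main;
+error_log /var/log/nginx/error.log warn;
+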
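Review bot: The `ano` format replaces `$remote_addr` with `0.0.0.0` but still writes `"$http_x_forwarded_for"`, so a request that arrives through a proxy is logged with the client address anyway. To keep the column layout for log parsers while dropping the address, the third line of `ano` could read `'"$http_referer" "$http_user_agent" "-" '`. `$remote_user` is also kept in that format, which is worth a conscious decision if the goal is anonymised logs. Separately, the http-level `access_log ... main;` is the default for every vhost that does not set its own `access_log`, so `ano` only takes effect where it is selected explicitly.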
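--- a/conf.d/ssl.conf
+++ b/conf.d/ssl.conf
@@ -0,0 +1,12 @@
+ssl_prefer_server_ciphers on;
+# not possible to do exclusive
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+
+ssl_dhparam /etc/ssl/private/dhparams.pem;
+
+# add HSTS Header
+add_header Strict-Transport-Security max-age=15768000; # six months
+# Use a SSL/TLS cache for SSL session resume.
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;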
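Review bot: The HSTS header set with `add_header` at http level is silently dropped in any `server` or `location` block that declares an `add_header` of its own, because nginx inherits the directive only when the inner level has none. It is also omitted on error responses without the `always` flag. I would write it as `add_header Strict-Transport-Security "max-age=15768000" always;` and repeat it in every block that adds other headers. A comment above the line should say so, for example `# add_header is not inherited once a server/location sets its own; repeat HSTS there`. Separately, `ssl_protocols` still offers `TLSv1` and `TLSv1.1`, which RFC 8996 deprecates. The existing comment says restricting was not possible, so the constraint that forces this deserves a note and a revisit date.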
|
@ -23,7 +23,3 @@ fastcgi_param SERVER_NAME $server_name;
|
|||
|
||||
# PHP only, required if PHP was built with --enable-force-cgi-redirect
|
||||
fastcgi_param REDIRECT_STATUS 200;
|
||||
|
||||
# ----- Add by Martin89 -----
|
||||
fastcgi_param SCRIPT_FILENAME $request_filename;
|
||||
|
||||
|
|
40
nginx.conf
40
nginx.conf
|
@ -15,52 +15,12 @@ http {
|
|||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
|
||||
# definiere mehrere Formate für logfiles
|
||||
# Format main bindet gegen über dem Default http_x_forwarded_for, gzip_ratio, zeiten und pipe usw.
|
||||
log_format main '$remote_addr - $remote_user [$time_local] '
|
||||
'"$request" $status $bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
|
||||
'"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
|
||||
|
||||
# das selbe Format nochmal nur mit ausgtauschter Fake IP
|
||||
log_format ano '0.0.0.0 - $remote_user [$time_local] '
|
||||
'"$request" $status $bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
|
||||
'"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
|
||||
|
||||
# dieses Format ist für revers-proxy gedacht um mehr informationen über den Cache Zustand bei der Anfrage zu erhalten
|
||||
log_format cache '$time_local $upstream_cache_status '
|
||||
'Cache-Control: $upstream_http_cache_control '
|
||||
'Expires: $upstream_http_expires '
|
||||
'"$request" ($status) "$gzip_ratio" '
|
||||
'"$request_time" "$upstream_response_time" "$pipe"';
|
||||
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
upstream ro01 {
|
||||
server [2001:470:6c:655::2] weight=10;
|
||||
server local.krautspace.de weight=1;
|
||||
}
|
||||
proxy_cache_path /var/lib/nginx/cache keys_zone=statusATro01:10m;
|
||||
|
||||
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
|
||||
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES2\
|
||||
56:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-\
|
||||
SHA:CAMELLIA128-SHA:AES128-SHA';
|
||||
ssl_dhparam /etc/ssl/private/dhparams.pem;
|
||||
|
||||
add_header Strict-Transport-Security max-age=15768000; # six months
|
||||
## Use a SSL/TLS cache for SSL session resume.
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
|
||||
# setzt die Variable php_https abhängig davon ob es sich um eine https Verbindung handelt, ist für die Weitergabe an php
|
||||
map $scheme $php_https { default off; https on; }
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
server {
|
||||
listen 0.0.0.0:80;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:80;
|
||||
listen 0.0.0.0:443 ssl;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
|
||||
listen 0.0.0.0:443 ssl http2;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
|
||||
ssl_certificate /etc/nginx/certs/www.krautspace.de.crt;
|
||||
ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key;
|
||||
server_name www.hackspace-jena.de hackspace-jena.de;
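Review bot: Enabling `http2` on these `listen ... 443 ssl` lines interacts with the cipher order in conf.d/ssl.conf. That file sets `ssl_prefer_server_ciphers on;` and a list that starts with `EDH+CAMELLIA`, and those are CBC suites on the HTTP/2 prohibited list (RFC 7540, Appendix A). A client that offers such a suite together with h2 would get it selected and may then abort with INADEQUATE_SECURITY. Putting the AEAD suites first avoids this, for example starting `ssl_ciphers` with `EECDH+aRSA+AESGCM:EDH+aRSA+AESGCM:`. The same applies to the other `listen` hunks on this page (kraut.space, krautspace.de, lpd, media, status, wiki, www). The +/- column is lost in this rendering, so I am assuming the `ssl http2` lines are the new side. The `server` block continues outside the hunk.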
|
||||
|
|
|
@ -11,8 +11,8 @@ server {
|
|||
}
|
||||
|
||||
server {
|
||||
listen 0.0.0.0:443 ssl default;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl default;
|
||||
listen 0.0.0.0:443 ssl http2 default;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2 default;
|
||||
ssl_certificate /etc/ssl/private/star.kraut.space.combined.crt;
|
||||
ssl_certificate_key /etc/ssl/private/star.kraut.space.key;
|
||||
server_name kraut.space www.kraut.space;
|
||||
|
@ -65,7 +65,7 @@ server {
|
|||
include fastcgi_params;
|
||||
fastcgi_buffers 16 16k;
|
||||
fastcgi_buffer_size 32k;
|
||||
fastcgi_param HTTPS $php_https; # DW checks $_SERVER['HTTPS']
|
||||
fastcgi_param SCRIPT_FILENAME $request_filename;
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_pass unix:/var/run/php5-fpm.sock;
|
||||
# entferne Header "X-Powered-By: PHP/5.4.40-1~dotdeb+wheezy.1"
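Review bot: `fastcgi_param SCRIPT_FILENAME $request_filename;` hands the request path to php-fpm, and the hunk shows no guard that the path resolves to an existing script. The enclosing `location` starts outside the hunk, so a guard may already be there. If it is not, add `try_files $uri =404;` ahead of `fastcgi_pass` so that only real files reach the interpreter. The line this one replaces appears to be `fastcgi_param HTTPS $php_https;`, and its own comment says DokuWiki checks `$_SERVER['HTTPS']`. Please confirm that the included `fastcgi_params` still sets `HTTPS`, otherwise the application may treat TLS requests as plain HTTP when it builds URLs and cookie flags.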
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
server {
|
||||
listen 0.0.0.0:80;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:80;
|
||||
listen 0.0.0.0:443 ssl;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
|
||||
listen 0.0.0.0:443 ssl http2;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
|
||||
ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt;
|
||||
ssl_certificate_key /etc/ssl/private/star.krautspace.de.key;
|
||||
server_name krautspace.de;
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
server {
|
||||
listen 0.0.0.0:80;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:80;
|
||||
listen 0.0.0.0:443 ssl;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
|
||||
listen 0.0.0.0:443 ssl http2;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
|
||||
ssl_certificate /etc/ssl/private/star.kraut.space.combined.crt;
|
||||
ssl_certificate_key /etc/ssl/private/star.kraut.space.key;
|
||||
server_name lpd.kraut.space;
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
server {
|
||||
listen 0.0.0.0:80;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:80;
|
||||
listen 0.0.0.0:443 ssl;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
|
||||
listen 0.0.0.0:443 ssl http2;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
|
||||
ssl_certificate /etc/nginx/certs/www.krautspace.de.crt;
|
||||
ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key;
|
||||
server_name media.hackspace-jena.de;
|
||||
|
|
|
@ -8,8 +8,8 @@ server {
|
|||
}
|
||||
|
||||
server {
|
||||
listen 0.0.0.0:443 ssl;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
|
||||
listen 0.0.0.0:443 ssl http2;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
|
||||
ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt;
|
||||
ssl_certificate_key /etc/ssl/private/star.krautspace.de.key;
|
||||
server_name media.krautspace.de;
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
server {
|
||||
listen 0.0.0.0:80;
|
||||
listen 0.0.0.0:443 ssl;
|
||||
listen 0.0.0.0:443 ssl http2;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:80;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
|
||||
ssl_certificate /etc/nginx/certs/www.krautspace.de.crt;
|
||||
ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key;
|
||||
server_name status.hackspace-jena.de;
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
server {
|
||||
listen 0.0.0.0:80;
|
||||
listen 0.0.0.0:443 ssl;
|
||||
listen 0.0.0.0:443 ssl http2;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:80;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
|
||||
ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt;
|
||||
ssl_certificate_key /etc/ssl/private/star.krautspace.de.key;
|
||||
server_name status.krautspace.de status.kraut.space;
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
server {
|
||||
listen 0.0.0.0:80;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:80;
|
||||
listen 0.0.0.0:443 ssl;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
|
||||
listen 0.0.0.0:443 ssl http2;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
|
||||
ssl_certificate /etc/nginx/certs/www.krautspace.de.crt;
|
||||
ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key;
|
||||
server_name wiki.hackspace-jena.de;
|
||||
|
|
|
@ -11,8 +11,8 @@ server {
|
|||
}
|
||||
|
||||
server {
|
||||
listen 0.0.0.0:443 ssl;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl;
|
||||
listen 0.0.0.0:443 ssl http2;
|
||||
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
|
||||
ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt;
|
||||
ssl_certificate_key /etc/ssl/private/star.krautspace.de.key;
|
||||
server_name www.krautspace.de;
|
||||
|
|