Krautspace/nginx-config
Archived
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: Krautspace:v1
Branches Tags
Krautspace:master
Krautspace:v3
Krautspace:v2
Krautspace:v1
..
compare: Krautspace:master
Branches Tags
Krautspace:master
Krautspace:v3
Krautspace:v2
Krautspace:v1

6 commits
v1 ... master

Author SHA1 Message Date
Martin Ness
041b2ece7a enable http2 2016-07-15 21:29:24 +02:00
Martin Ness
da943b71f1 fastcgi_param HTTPS not more requierd in this section 2016-05-26 23:08:13 +02:00
Martin Ness
a54dd4345a fastcgi_param SCRIPT_FILENAME moved 2016-05-26 23:05:38 +02:00
Martin Ness
6704842cb7 moved ssl configuration 2016-05-26 19:42:35 +02:00
Martin Ness
683d847405 log_format configuration moved 2016-05-26 19:42:35 +02:00
Martin Ness
a154e0c476 gzip for any proxied requests 2016-05-26 19:42:34 +02:00
15 changed files with 62 additions and 72 deletions
Show stats Expand all files Collapse all files

3
conf.d/gzip.conf
View file

@ -2,6 +2,5 @@
gzip_min_length 1100; gzip_min_length 1100;
gzip_comp_level 6; gzip_comp_level 6;
gzip_http_version 1.0; gzip_http_version 1.0;
gzip_proxied expired no-cache no-store private auth; gzip_proxied any;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss application/xhtml+xml text/javascript image/svg+xml application/x-graphviz text/x-graphviz; gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss application/xhtml+xml text/javascript image/svg+xml application/x-graphviz text/x-graphviz;

23
conf.d/log.conf Normal file
View file

@ -0,0 +1,23 @@
# definiere mehrere Formate für logfiles
# Format main bindet gegenüber dem Default von nginx http_x_forwarded_for, gzip_ratio, request_time, upstream_response_time und pipe ein
log_format main '$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
'"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
# das selbe Format nochmal nur mit ausgetauschter IP-Adresse
log_format ano '0.0.0.0 - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
'"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
# dieses Format ist für revers-proxy gedacht um mehr informationen über den Cache Zustand bei der Anfrage zu erhalten
log_format cache '$time_local $upstream_cache_status '
'Cache-Control: $upstream_http_cache_control '
'Expires: $upstream_http_expires '
'"$request" ($status) "$gzip_ratio" '
'"$request_time" "$upstream_response_time" "$pipe"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;

12
conf.d/ssl.conf Normal file
View file

@ -0,0 +1,12 @@
ssl_prefer_server_ciphers on;
# not possible to do exclusive
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
ssl_dhparam /etc/ssl/private/dhparams.pem;
# add HSTS Header
add_header Strict-Transport-Security max-age=15768000; # six months
# Use a SSL/TLS cache for SSL session resume.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

4
fastcgi_params
View file

@ -23,7 +23,3 @@ fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect # PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200; fastcgi_param REDIRECT_STATUS 200;
# ----- Add by Martin89 -----
fastcgi_param SCRIPT_FILENAME $request_filename;

40
nginx.conf
View file

@ -15,52 +15,12 @@ http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;
# definiere mehrere Formate für logfiles
# Format main bindet gegen über dem Default http_x_forwarded_for, gzip_ratio, zeiten und pipe usw.
log_format main '$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
'"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
# das selbe Format nochmal nur mit ausgtauschter Fake IP
log_format ano '0.0.0.0 - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
'"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
# dieses Format ist für revers-proxy gedacht um mehr informationen über den Cache Zustand bei der Anfrage zu erhalten
log_format cache '$time_local $upstream_cache_status '
'Cache-Control: $upstream_http_cache_control '
'Expires: $upstream_http_expires '
'"$request" ($status) "$gzip_ratio" '
'"$request_time" "$upstream_response_time" "$pipe"';
access_log /var/log/nginx/access.log main;
upstream ro01 { upstream ro01 {
server [2001:470:6c:655::2] weight=10; server [2001:470:6c:655::2] weight=10;
server local.krautspace.de weight=1; server local.krautspace.de weight=1;
} }
proxy_cache_path /var/lib/nginx/cache keys_zone=statusATro01:10m; proxy_cache_path /var/lib/nginx/cache keys_zone=statusATro01:10m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES2\
56:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-\
SHA:CAMELLIA128-SHA:AES128-SHA';
ssl_dhparam /etc/ssl/private/dhparams.pem;
add_header Strict-Transport-Security max-age=15768000; # six months
## Use a SSL/TLS cache for SSL session resume.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# setzt die Variable php_https abhängig davon ob es sich um eine https Verbindung handelt, ist für die Weitergabe an php
map $scheme $php_https { default off; https on; }
sendfile on; sendfile on;
#tcp_nopush on; #tcp_nopush on;

4
sites-available/hackspace-jena.de
View file

@ -1,8 +1,8 @@
server { server {
listen 0.0.0.0:80; listen 0.0.0.0:80;
listen [2a01:4f8:151:51a3:176:9:184:3]:80; listen [2a01:4f8:151:51a3:176:9:184:3]:80;
listen 0.0.0.0:443 ssl; listen 0.0.0.0:443 ssl http2;
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
ssl_certificate /etc/nginx/certs/www.krautspace.de.crt; ssl_certificate /etc/nginx/certs/www.krautspace.de.crt;
ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key; ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key;
server_name www.hackspace-jena.de hackspace-jena.de; server_name www.hackspace-jena.de hackspace-jena.de;

6
sites-available/kraut.space.conf
View file

@ -11,8 +11,8 @@ server {
} }
server { server {
listen 0.0.0.0:443 ssl default; listen 0.0.0.0:443 ssl http2 default;
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl default; listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2 default;
ssl_certificate /etc/ssl/private/star.kraut.space.combined.crt; ssl_certificate /etc/ssl/private/star.kraut.space.combined.crt;
ssl_certificate_key /etc/ssl/private/star.kraut.space.key; ssl_certificate_key /etc/ssl/private/star.kraut.space.key;
server_name kraut.space www.kraut.space; server_name kraut.space www.kraut.space;
@ -65,7 +65,7 @@ server {
include fastcgi_params; include fastcgi_params;
fastcgi_buffers 16 16k; fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k; fastcgi_buffer_size 32k;
fastcgi_param HTTPS $php_https; # DW checks $_SERVER['HTTPS'] fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_intercept_errors on; fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_pass unix:/var/run/php5-fpm.sock;
# entferne Header "X-Powered-By: PHP/5.4.40-1~dotdeb+wheezy.1" # entferne Header "X-Powered-By: PHP/5.4.40-1~dotdeb+wheezy.1"

4
sites-available/krautspace.de
View file

@ -1,8 +1,8 @@
server { server {
listen 0.0.0.0:80; listen 0.0.0.0:80;
listen [2a01:4f8:151:51a3:176:9:184:3]:80; listen [2a01:4f8:151:51a3:176:9:184:3]:80;
listen 0.0.0.0:443 ssl; listen 0.0.0.0:443 ssl http2;
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt; ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt;
ssl_certificate_key /etc/ssl/private/star.krautspace.de.key; ssl_certificate_key /etc/ssl/private/star.krautspace.de.key;
server_name krautspace.de; server_name krautspace.de;

4
sites-available/lpd.kraut.space.conf
View file

@ -1,8 +1,8 @@
server { server {
listen 0.0.0.0:80; listen 0.0.0.0:80;
listen [2a01:4f8:151:51a3:176:9:184:3]:80; listen [2a01:4f8:151:51a3:176:9:184:3]:80;
listen 0.0.0.0:443 ssl; listen 0.0.0.0:443 ssl http2;
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
ssl_certificate /etc/ssl/private/star.kraut.space.combined.crt; ssl_certificate /etc/ssl/private/star.kraut.space.combined.crt;
ssl_certificate_key /etc/ssl/private/star.kraut.space.key; ssl_certificate_key /etc/ssl/private/star.kraut.space.key;
server_name lpd.kraut.space; server_name lpd.kraut.space;

4
sites-available/media.hackspace-jena.de
View file

@ -1,8 +1,8 @@
server { server {
listen 0.0.0.0:80; listen 0.0.0.0:80;
listen [2a01:4f8:151:51a3:176:9:184:3]:80; listen [2a01:4f8:151:51a3:176:9:184:3]:80;
listen 0.0.0.0:443 ssl; listen 0.0.0.0:443 ssl http2;
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
ssl_certificate /etc/nginx/certs/www.krautspace.de.crt; ssl_certificate /etc/nginx/certs/www.krautspace.de.crt;
ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key; ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key;
server_name media.hackspace-jena.de; server_name media.hackspace-jena.de;

4
sites-available/media.krautspace.de
View file

@ -8,8 +8,8 @@ server {
} }
server { server {
listen 0.0.0.0:443 ssl; listen 0.0.0.0:443 ssl http2;
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt; ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt;
ssl_certificate_key /etc/ssl/private/star.krautspace.de.key; ssl_certificate_key /etc/ssl/private/star.krautspace.de.key;
server_name media.krautspace.de; server_name media.krautspace.de;

4
sites-available/status.hackspace-jena.de
View file

@ -1,8 +1,8 @@
server { server {
listen 0.0.0.0:80; listen 0.0.0.0:80;
listen 0.0.0.0:443 ssl; listen 0.0.0.0:443 ssl http2;
listen [2a01:4f8:151:51a3:176:9:184:3]:80; listen [2a01:4f8:151:51a3:176:9:184:3]:80;
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
ssl_certificate /etc/nginx/certs/www.krautspace.de.crt; ssl_certificate /etc/nginx/certs/www.krautspace.de.crt;
ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key; ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key;
server_name status.hackspace-jena.de; server_name status.hackspace-jena.de;

4
sites-available/status.krautspace.de
View file

@ -1,8 +1,8 @@
server { server {
listen 0.0.0.0:80; listen 0.0.0.0:80;
listen 0.0.0.0:443 ssl; listen 0.0.0.0:443 ssl http2;
listen [2a01:4f8:151:51a3:176:9:184:3]:80; listen [2a01:4f8:151:51a3:176:9:184:3]:80;
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt; ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt;
ssl_certificate_key /etc/ssl/private/star.krautspace.de.key; ssl_certificate_key /etc/ssl/private/star.krautspace.de.key;
server_name status.krautspace.de status.kraut.space; server_name status.krautspace.de status.kraut.space;

4
sites-available/wiki.hackspace-jena.de
View file

@ -1,8 +1,8 @@
server { server {
listen 0.0.0.0:80; listen 0.0.0.0:80;
listen [2a01:4f8:151:51a3:176:9:184:3]:80; listen [2a01:4f8:151:51a3:176:9:184:3]:80;
listen 0.0.0.0:443 ssl; listen 0.0.0.0:443 ssl http2;
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
ssl_certificate /etc/nginx/certs/www.krautspace.de.crt; ssl_certificate /etc/nginx/certs/www.krautspace.de.crt;
ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key; ssl_certificate_key /etc/nginx/certs/www.krautspace.de.key;
server_name wiki.hackspace-jena.de; server_name wiki.hackspace-jena.de;

4
sites-available/www.krautspace.de
View file

@ -11,8 +11,8 @@ server {
} }
server { server {
listen 0.0.0.0:443 ssl; listen 0.0.0.0:443 ssl http2;
listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl; listen [2a01:4f8:151:51a3:176:9:184:3]:443 ssl http2;
ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt; ssl_certificate /etc/ssl/private/star.krautspace.de.combined.crt;
ssl_certificate_key /etc/ssl/private/star.krautspace.de.key; ssl_certificate_key /etc/ssl/private/star.krautspace.de.key;
server_name www.krautspace.de; server_name www.krautspace.de;