101 lines
3.2 KiB
Text
101 lines
3.2 KiB
Text
# xyzzy.fi
|
|
# www.xyzzy.fi
|
|
|
|
server {
|
|
server_name xyzzy.fi;
|
|
root /var/xyzzy/html/plugh;
|
|
index index.html;
|
|
|
|
location / {
|
|
try_files $uri $uri/ =404;
|
|
}
|
|
|
|
listen [::]:443 ssl; # managed by Certbot
|
|
listen 443 ssl; # managed by Certbot
|
|
ssl_certificate /etc/letsencrypt/live/xyzzy.fi/fullchain.pem; # managed by Certbot
|
|
ssl_certificate_key /etc/letsencrypt/live/xyzzy.fi/privkey.pem; # managed by Certbot
|
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
|
|
|
# https://ssl-config.mozilla.org/
|
|
add_header Strict-Transport-Security "max-age=15724800" always;
|
|
|
|
# OCSP stapling
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
ssl_trusted_certificate /etc/letsencrypt/live/xyzzy.fi/chain.pem;
|
|
resolver 9.9.9.9 8.8.8.8 1.1.1.1;
|
|
resolver_timeout 5s;
|
|
|
|
# https://observatory.mozilla.org
|
|
add_header X-Frame-Options "SAMEORIGIN";
|
|
add_header X-Content-Type-Options "nosniff";
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
|
add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self';";
|
|
}
|
|
|
|
server {
|
|
server_name www.xyzzy.fi;
|
|
root /var/xyzzy/html/plugh;
|
|
index index.html;
|
|
|
|
location ~ /\.well-known {
|
|
allow all;
|
|
}
|
|
|
|
location ~ / {
|
|
return 301 $scheme://xyzzy.fi$request_uri;
|
|
}
|
|
|
|
listen [::]:443 ssl; # managed by Certbot
|
|
listen 443 ssl; # managed by Certbot
|
|
ssl_certificate /etc/letsencrypt/live/xyzzy.fi/fullchain.pem; # managed by Certbot
|
|
ssl_certificate_key /etc/letsencrypt/live/xyzzy.fi/privkey.pem; # managed by Certbot
|
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
|
|
|
# https://ssl-config.mozilla.org/
|
|
add_header Strict-Transport-Security "max-age=15724800" always;
|
|
|
|
# OCSP stapling
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
ssl_trusted_certificate /etc/letsencrypt/live/xyzzy.fi/chain.pem;
|
|
resolver 9.9.9.9 8.8.8.8 1.1.1.1;
|
|
resolver_timeout 5s;
|
|
|
|
# https://observatory.mozilla.org
|
|
add_header X-Frame-Options "SAMEORIGIN";
|
|
add_header X-Content-Type-Options "nosniff";
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
|
add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self';";
|
|
}
|
|
|
|
server {
|
|
if ($host = xyzzy.fi) {
|
|
return 301 https://$host$request_uri;
|
|
} # managed by Certbot
|
|
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name xyzzy.fi;
|
|
root /var/xyzzy/html/plugh;
|
|
index index.html;
|
|
return 404; # managed by Certbot
|
|
}
|
|
|
|
server {
|
|
if ($host = www.xyzzy.fi) {
|
|
return 301 https://$host$request_uri;
|
|
} # managed by Certbot
|
|
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name www.xyzzy.fi;
|
|
root /var/xyzzy/html/plugh;
|
|
index index.html;
|
|
return 404; # managed by Certbot
|
|
}
|
|
|