nginx templates

files/nginx/snippets/general.conf

@@ -0,0 +1,18 @@
+# favicon.ico
+location = /favicon.ico {
+    log_not_found off;
+    access_log    off;
+}
+
+# robots.txt
+location = /robots.txt {
+    log_not_found off;
+    access_log    off;
+}
+
+# gzip
+gzip            on;
+gzip_vary       on;
+gzip_proxied    any;
+gzip_comp_level 6;
+gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

files/nginx/snippets/letsencrypt.conf

@@ -0,0 +1,4 @@
+# ACME-challenge
+location ^~ /.well-known/acme-challenge/ {
+    root /var/www/_letsencrypt;
+}

files/nginx/snippets/proxy.conf

@@ -0,0 +1,18 @@
+proxy_http_version                 1.1;
+proxy_cache_bypass                 $http_upgrade;
+
+# Proxy headers
+proxy_set_header Upgrade           $http_upgrade;
+proxy_set_header Connection        $connection_upgrade;
+proxy_set_header Host              $host;
+proxy_set_header X-Real-IP         $remote_addr;
+proxy_set_header Forwarded         $proxy_add_forwarded;
+proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host  $host;
+proxy_set_header X-Forwarded-Port  $server_port;
+
+# Proxy timeouts
+proxy_connect_timeout              60s;
+proxy_send_timeout                 60s;
+proxy_read_timeout                 60s;

files/nginx/snippets/security.conf

@@ -0,0 +1,12 @@
+# security headers
+add_header X-XSS-Protection          "1; mode=block" always;
+add_header X-Content-Type-Options    "nosniff" always;
+add_header Referrer-Policy           "no-referrer-when-downgrade" always;
+add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
+add_header Permissions-Policy        "interest-cohort=()" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+# . files
+location ~ /\.(?!well-known) {
+    deny all;
+}