2018-05-30 01:02:32 +03:00
|
|
|
server {
|
|
|
|
listen 443 ssl http2;
|
|
|
|
listen [::]:443 ssl http2;
|
|
|
|
server_name {FQDN};
|
|
|
|
|
|
|
|
index index.html index.htm;
|
|
|
|
|
|
|
|
server_tokens off;
|
|
|
|
|
2018-06-27 21:17:10 +03:00
|
|
|
ssl_certificate /etc/letsencrypt/live/{FQDN}/fullchain.pem;
|
|
|
|
ssl_certificate_key /etc/letsencrypt/live/{FQDN}/privkey.pem;
|
2018-05-30 01:02:32 +03:00
|
|
|
|
|
|
|
ssl_buffer_size 8k;
|
|
|
|
|
|
|
|
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
|
|
|
|
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
|
|
|
|
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
|
|
|
|
|
|
|
|
ssl_ecdh_curve secp384r1;
|
|
|
|
ssl_session_tickets off;
|
|
|
|
|
|
|
|
# OCSP stapling
|
|
|
|
ssl_stapling on;
|
|
|
|
ssl_stapling_verify on;
|
|
|
|
resolver {RESOLVER};
|
|
|
|
|
|
|
|
location ^~ /.well-known/acme-challenge {
|
|
|
|
root /usr/share/nginx/html;
|
|
|
|
default_type text/plain;
|
|
|
|
allow all;
|
|
|
|
}
|
|
|
|
|
|
|
|
location / {
|
|
|
|
proxy_pass http://grafana:3000/;
|
|
|
|
# Security Headers
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
|
|
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
|
|
add_header X-Frame-Options "DENY" always;
|
|
|
|
# CSP
|
|
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
|
|
|
listen {PROMETHEUS_PORT} ssl http2;
|
|
|
|
listen [::]:{PROMETHEUS_PORT} ssl http2;
|
|
|
|
server_name {FQDN};
|
|
|
|
|
|
|
|
index index.html index.htm;
|
|
|
|
|
|
|
|
server_tokens off;
|
|
|
|
|
2018-06-27 21:17:10 +03:00
|
|
|
ssl_certificate /etc/letsencrypt/live/{FQDN}/fullchain.pem;
|
|
|
|
ssl_certificate_key /etc/letsencrypt/live/{FQDN}/privkey.pem;
|
2018-05-30 01:02:32 +03:00
|
|
|
|
|
|
|
ssl_buffer_size 8k;
|
|
|
|
|
|
|
|
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
|
|
|
|
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
|
|
|
|
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
|
|
|
|
|
|
|
|
ssl_ecdh_curve secp384r1;
|
|
|
|
ssl_session_tickets off;
|
|
|
|
|
|
|
|
# OCSP stapling
|
|
|
|
ssl_stapling on;
|
|
|
|
ssl_stapling_verify on;
|
|
|
|
resolver {RESOLVER};
|
|
|
|
|
|
|
|
location ^~ /.well-known/acme-challenge {
|
|
|
|
root /usr/share/nginx/html;
|
|
|
|
default_type text/plain;
|
|
|
|
allow all;
|
|
|
|
}
|
|
|
|
|
|
|
|
location / {
|
|
|
|
proxy_pass http://prometheus:9090/;
|
|
|
|
# Security Headers
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
|
|
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
|
|
add_header X-Frame-Options "DENY" always;
|
|
|
|
# CSP
|
|
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
|
|
}
|
|
|
|
}
|