batch-shipyard/heimdall/nginx.conf

94 строки
2.5 KiB
Nginx Configuration File
Исходник Обычный вид История

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {FQDN};
index index.html index.htm;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/{FQDN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{FQDN}/privkey.pem;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver {RESOLVER};
location ^~ /.well-known/acme-challenge {
root /usr/share/nginx/html;
default_type text/plain;
allow all;
}
location / {
proxy_pass http://grafana:3000/;
# Security Headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
# CSP
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
}
}
server {
listen {PROMETHEUS_PORT} ssl http2;
listen [::]:{PROMETHEUS_PORT} ssl http2;
server_name {FQDN};
index index.html index.htm;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/{FQDN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{FQDN}/privkey.pem;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver {RESOLVER};
location ^~ /.well-known/acme-challenge {
root /usr/share/nginx/html;
default_type text/plain;
allow all;
}
location / {
proxy_pass http://prometheus:9090/;
# Security Headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
# CSP
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
}
}