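# Redirect all HTTP traffic to HTTPS.
# NOTE(review): ACME http-01 validation follows this 301, so
# /.well-known/acme-challenge/ must be reachable on the 443 vhost below
# (served from its root via try_files) - confirm before the next renewal.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        return 301 https://$host$request_uri;
    }
}

# Default (catch-all) server: any SNI name not whitelisted below gets a 404.
# NOTE(review): this block defines no ssl_protocols, ssl_ecdh_curve or HSTS of
# its own, so it inherits http-level or nginx defaults; the TLSv1.3-only policy
# of the named vhost does not necessarily cover unknown names - verify with an
# external TLS scan and, if needed, repeat the ssl_* directives here.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    ssl_certificate     /usr/local/etc/letsencrypt/live/EXAMPLE.COM/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/EXAMPLE.COM/privkey.pem;

    location / {
        return 404;
    }
}

# Named vhost: DokuWiki, fcgiwrap CGI, password-protected media trees and a
# Synapse (Matrix) reverse proxy.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Server whitelist for the SNI header (Server Name Indication).
    server_name EXAMPLE.COM *.TESTSERVER.COM 10.0.0.100;

    ssl_certificate     /usr/local/etc/letsencrypt/live/EXAMPLE.COM/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/EXAMPLE.COM/privkey.pem;

    # Verify the chain of trust of the OCSP response using the root CA and
    # intermediate certificates.
    ssl_trusted_certificate /usr/local/etc/letsencrypt/live/EXAMPLE.COM/chain.pem;

    # OCSP stapling (needs the resolver directive below to fetch responses).
    ssl_stapling on;
    ssl_stapling_verify on;

    # Improve HTTPS performance with session resumption. Tickets are disabled so
    # resumption relies on the server-side cache only.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;   # about 40000 sessions
    ssl_session_tickets off;

    # Only TLS 1.3 ciphers -> 100% ssllabs (cipher strength).
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Curves equivalent to >=4096-bit RSA (only secp521r1 and secp384r1)
    # -> 100% ssllabs (key exchange).
    ssl_ecdh_curve secp521r1:secp384r1;

    # HSTS (ngx_http_headers_module is required). 1 year = 31536000 seconds.
    # NOTE: add_header is not inherited into any location that declares its own
    # add_header; none of the locations below do, keep it that way or repeat it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Replace with the IP address of your resolver.
    #resolver 127.0.0.1;
    #resolver [2606:4700:4700::1111] 1.1.1.1 [2606:4700:4700::1001] 1.0.0.1;
    resolver 192.168.1.4 [2606:4700:4700::1111] 1.1.1.1;

    root /home/http;
    index index.html index.php doku.php;

    client_max_body_size 15M;
    client_body_buffer_size 128K;

    location / {
        try_files $uri $uri/ @dokuwiki;
    }

    # DokuWiki: never expose configuration or the data tree (pages, media,
    # attic, cache) directly; media is served through lib/exe/fetch.php.
    # NOTE(review): the DokuWiki install notes also suggest blocking /bin/ and
    # /inc/ the same way - TODO confirm against the installed version.
    location ^~ /conf/ {
        return 403;
    }

    location ^~ /data/ {
        return 403;
    }

    # Deny .htaccess / .htpasswd style files shipped with DokuWiki.
    location ~ /\.ht {
        deny all;
    }

    # Pretty-URL rewrites for DokuWiki; every target is a real PHP file under root.
    location @dokuwiki {
        rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
        rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
        rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
        rewrite ^/(.*) /doku.php?id=$1 last;
    }

    # PHP via PHP-FPM. try_files refuses URIs whose script is not an existing
    # file, so a request like /some/upload.jpg/x.php is answered with 404
    # instead of being handed to PHP (relevant when cgi.fix_pathinfo=1). The
    # @dokuwiki rewrites above all target files that exist, so they still work.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # CGI scripts through fcgiwrap.
    # NOTE: this is a plain prefix location, so the regex locations
    # ("~ \.php$", "~ /cgi-bin/foto\.cgi$") take precedence for matching URIs.
    location /cgi-bin/ {
        include fcgiwrap_params;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # foto.cgi is the one CGI that needs HTTP basic auth.
    location ~ /cgi-bin/foto\.cgi$ {
        auth_basic "Multimedia";
        auth_basic_user_file /home/etc/httpd/.htpwd_multimedia;
        include fcgiwrap_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
    }

    # Password-protected static trees.
    # NOTE(review): regex locations win over these prefix locations, so a .php
    # file dropped into /daten/mm/oeffentlich/ or /foto/ would be executed by
    # the "~ \.php$" handler WITHOUT auth_basic. Keep scripts out of these
    # trees, or nest a PHP handler inside them carrying the same auth_basic.
    location /daten/mm/oeffentlich/ {
        auth_basic "Multimedia";
        auth_basic_user_file /home/etc/httpd/.htpwd_multimedia;
        autoindex on;
    }

    location /foto/ {
        auth_basic "Multimedia";
        auth_basic_user_file /home/etc/httpd/.htpwd_multimedia;
    }

    # Synapse (Matrix homeserver) reverse proxy.
    location ~* ^(\/_matrix|\/_synapse\/client) {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        # Nginx by default only allows file uploads up to 1M in size.
        # Increase client_max_body_size to match max_upload_size defined in
        # homeserver.yaml.
        client_max_body_size 50M;
    }
}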