Diffstat (limited to 'matrix/files/nginx.j2')
-rw-r--r-- | matrix/files/nginx.j2 | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/matrix/files/nginx.j2 b/matrix/files/nginx.j2
new file mode 100644
index 0000000..bce4643
--- /dev/null
+++ b/matrix/files/nginx.j2
@@ -0,0 +1,63 @@
+server {
+ listen 80;
+ server_name {{ federation_server }};
+ access_log /var/log/nginx/{{ federation_server }}/access.log combined;
+ error_log /var/log/nginx/{{ federation_server }}/error.log;
+ root /var/www/{{ federation_server }};
+
+{% if ssl_available %}
+ location / {
+ return 301 https://{{ federation_server }}$request_uri;
+ rewrite ^ https://{{ federation_server }}$request_uri permanent;
+ }
+{% endif %}
+ if ($request_uri ~ " ") {
+ return 444;
+ }
+ if ( $request_uri ~ ^/smoke/(.*)$ ) {
+ return 444;
+ }
+}
+{% if ssl_available %}
+server {
+ listen 443;
+ server_name {{ federation_server }};
+ access_log /var/log/nginx/{{ federation_server }}/access.ssl.log combined;
+ error_log /var/log/nginx/{{ federation_server }}/error.ssl.log;
+ root /var/www/{{ federation_server }};
+
+ if ($request_uri ~ " ") {
+ return 444;
+ }
+ if ( $request_uri ~ ^/smoke/(.*)$ ) {
+ return 444;
+ }
+
+ location / {
+ proxy_pass http://[::1]:8008/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+ gzip_static on;
+ etag on;
+
+ ssl on;
+ ssl_certificate /etc/ssl/certs/{{ federation_server }}.pem;
+ ssl_certificate_key /etc/ssl/private/{{ federation_server }}.key;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA";
+ ssl_prefer_server_ciphers on;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
+ ssl_ecdh_curve secp384r1;
+ ssl_session_tickets off;
+ ssl_session_cache shared:matrix:2M;
+ add_header X-Frame-Options DENY;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+ resolver 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
+}
+{% endif %}
|
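Review bot: The `location /` block in the port-443 server proxies to `http://[::1]:8008/` but forwards only `Host` and `X-Real-IP`, so the upstream sees every client as `::1` unless it is specifically configured to read `X-Real-IP`; Synapse's per-IP rate limiting and request logging rely on `X-Forwarded-For` (with `x_forwarded` enabled on its listener), and it cannot tell the request arrived over TLS without `X-Forwarded-Proto`. Adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` next to the existing headers closes that gap. `ssl_stapling_verify on` presumably needs the issuer chain available to nginx (via `ssl_trusted_certificate` or a full chain in the `.pem`) for the OCSP response to verify; worth confirming in a deployment, since a failed verify silently disables stapling. As a point of style, the `rewrite ... permanent;` after `return 301` in the port-80 `location /` is unreachable and can be dropped.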