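# Reverse proxy for {{ federation_server }} (Ansible/Jinja2 template).
#
# Two virtual hosts are defined:
#   * :80  — plain HTTP. When a certificate is available (`ssl_available`) it
#            only redirects to HTTPS; otherwise it serves the static `root`.
#   * :443 — TLS termination, everything proxied to the local backend on
#            [::1]:8008 (presumably a Matrix homeserver, given the "matrix"
#            session-cache name and port — TODO confirm).
#
# Both hosts close the connection (444) on request URIs that contain a raw
# space or that probe the /smoke/ prefix.

server {
    listen 80;
    server_name {{ federation_server }};

    access_log /var/log/nginx/{{ federation_server }}/access.log combined;
    error_log  /var/log/nginx/{{ federation_server }}/error.log;
    root /var/www/{{ federation_server }};

    # Hardening: drop malformed-looking or probing requests without a response.
    # These `if`s are evaluated in the server rewrite phase, i.e. before any
    # `location` below is selected, so they also pre-empt the redirect.
    if ($request_uri ~ " ") {
        return 444;
    }
    if ($request_uri ~ ^/smoke/(.*)$) {
        return 444;
    }

{% if ssl_available %}
    # Permanent redirect to the HTTPS host. The previous version also carried a
    # `rewrite ^ https://... permanent;` after the `return`; it could never run
    # (return ends processing) and has been removed.
    location / {
        return 301 https://{{ federation_server }}$request_uri;
    }
{% endif %}
}

{% if ssl_available %}
server {
    # `ssl on;` was deprecated in nginx 1.15.0 and removed in 1.25.1; the `ssl`
    # listen parameter is the supported way to enable TLS on this socket.
    listen 443 ssl;
    server_name {{ federation_server }};

    access_log /var/log/nginx/{{ federation_server }}/access.ssl.log combined;
    error_log  /var/log/nginx/{{ federation_server }}/error.ssl.log;
    root /var/www/{{ federation_server }};

    # Same request filtering as the plain-HTTP host.
    if ($request_uri ~ " ") {
        return 444;
    }
    if ($request_uri ~ ^/smoke/(.*)$) {
        return 444;
    }

    # ---- TLS -------------------------------------------------------------
    ssl_certificate     /etc/ssl/certs/{{ federation_server }}.pem;
    ssl_certificate_key /etc/ssl/private/{{ federation_server }}.key;
    ssl_protocols TLSv1.2;

    # AEAD suites only. The previous list named "...-GCM-SHA512" suites that do
    # not exist (OpenSSL silently ignores unknown names) and CBC/SHA-1 suites
    # (ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA) that
    # scanners flag as weak. AES-GCM is supported by every TLS 1.2 client, so
    # no compliant peer is locked out; CHACHA20 is ignored by OpenSSL builds
    # that lack it.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
    ssl_ecdh_curve secp384r1;

    # Session resumption via the server-side cache only. Tickets are disabled
    # because no ssl_session_ticket_key rotation is configured here, and a
    # long-lived static ticket key undermines forward secrecy.
    ssl_session_timeout 5m;
    ssl_session_cache shared:matrix:2M;
    ssl_session_tickets off;

    # OCSP stapling. `ssl_stapling_verify` needs the issuer chain — either in
    # the .pem above or via ssl_trusted_certificate; verify which applies here.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Resolver used for the OCSP responder lookup (plain DNS to Google; a
    # local resolver would avoid leaking stapling traffic off-host).
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # ---- Response headers ------------------------------------------------
    # NOTE: `add_header` is inherited by `location /` only because that
    # location sets no add_header of its own; adding one there would drop
    # these unless they are repeated.
    add_header X-Frame-Options DENY;
    # `preload` + `includeSubDomains` commits every subdomain to HTTPS for a
    # year once submitted to the preload list — intentional, but irreversible
    # in practice.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

    gzip_static on;
    etag on;

    # ---- Backend ---------------------------------------------------------
    location / {
        proxy_pass http://[::1]:8008/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Added: standard forwarding headers so the backend sees the full
        # client-address chain and knows the original request was TLS.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # NOTE(review): nginx's default client_max_body_size is 1M; if the
        # backend accepts larger uploads (e.g. media), raise it here — confirm
        # against the backend's own upload limit.
    }
}
{% endif %}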