Hexbear is the engine that powers Chapochat. It is a customization of the Lemmy project.

  # Plain-HTTP virtual host: answers ACME HTTP-01 challenges from the certbot
  # webroot and redirects every other request to HTTPS.
  server {
      listen 80;
      server_name {{ domain }};

      # Challenge files are served from the certbot webroot.
      location /.well-known/acme-challenge/ {
          root /var/www/certbot;
      }

      # Everything else gets a permanent redirect to the same host and URI over HTTPS.
      location / {
          return 301 https://$host$request_uri;
      }
  }
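  # HTTPS virtual host: terminates TLS, sets security response headers and
  # reverse-proxies all requests (including WebSocket upgrades) to the backend
  # on port 8536.
  server {
      listen 443 ssl http2;
      server_name {{ domain }};

      ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;

      # Various TLS hardening settings
      # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_prefer_server_ciphers on;
      # NOTE(review): the last four suites (…-SHA384 / …-SHA256 without GCM) are
      # CBC-mode, not AEAD; consider dropping them if no supported client needs them.
      ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
      ssl_session_timeout 10m;
      ssl_session_cache shared:SSL:10m;
      # Session tickets are disabled; resumption uses the shared cache above.
      ssl_session_tickets off;
      # NOTE(review): OCSP stapling needs a `resolver` to reach the responder, and
      # stapling verification needs the issuer chain to be trusted; neither is set
      # in this block. Confirm they are configured at the http level.
      ssl_stapling on;
      ssl_stapling_verify on;

      # Hide nginx version
      server_tokens off;

      # Enable compression for JS/CSS/HTML bundle, for improved client load times.
      # It might be nice to compress JSON, but leaving that out to protect against potential
      # compression+encryption information leak attacks like BREACH.
      gzip on;
      gzip_types text/css application/javascript;
      gzip_vary on;

      # Only connect to this site via HTTPS for the next two years (63072000 seconds).
      # `always` makes nginx emit the header on error responses too; without it
      # the header is added only for a fixed set of success and redirect codes.
      add_header Strict-Transport-Security "max-age=63072000" always;

      # Browser-side security headers, also sent on error responses.
      # These server-level add_header lines are inherited by a location only
      # while that location declares no add_header of its own.
      add_header Referrer-Policy "same-origin" always;
      add_header X-Content-Type-Options "nosniff" always;
      add_header X-Frame-Options "DENY" always;
      # NOTE(review): X-XSS-Protection is a legacy header that current browsers
      # ignore; no Content-Security-Policy is set in this block.
      add_header X-XSS-Protection "1; mode=block" always;

      location / {
          # Front-end routes are answered with the single-page app's index.html.
          # NOTE(review): the pattern is unanchored, so it matches any of these
          # segments anywhere in the URI (e.g. any path containing "/c" or "/u").
          # Confirm that is intended.
          rewrite (\/(user|u|inbox|post|community|c|login|search|sponsors|communities|modlog|home)+) /static/index.html break;

          # Proxy to the backend over loopback. 0.0.0.0 is a bind wildcard, not a
          # portable destination address.
          # Assumes the backend is reachable on this host's loopback interface.
          # TODO confirm, and bind the backend to loopback only if it is not
          # meant to be reachable directly.
          proxy_pass http://127.0.0.1:8536;
          # The backend sees the client address only through these headers.
          # X-Forwarded-For is appended to whatever the client sent, so the
          # backend should trust only the value added by this proxy.
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # WebSocket support
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
      }
  }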