castaway · April 17, 2018 21:58
diff --git a/default b/default
 server {
 	listen 80 default_server;
 	listen [::]:80 default_server;

 	# SSL configuration
 	#
 	# listen 443 ssl default_server;
 	# listen [::]:443 ssl default_server;
 	#
 	# Self signed certs generated by the ssl-cert package
 	# Don't use them in a production server!
 	#
 	# include snippets/snakeoil.conf;

 	root /var/www/html;

 	# Add index.php to the list if you are using PHP
 	index index.html index.htm index.nginx-debian.html;

 	server_name jandj.vps.bitfolk.com;

 	location / {
 		# First attempt to serve request as file, then
 		# as directory, then fall back to displaying a 404.
 		try_files $uri $uri/ =404;
 	}

 	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
 	#
 	#location ~ \.php$ {
 	#	include snippets/fastcgi-php.conf;
 	#
 	#	# With php5-cgi alone:
 	#	fastcgi_pass 127.0.0.1:9000;
 	#	# With php5-fpm:
 	#	fastcgi_pass unix:/var/run/php5-fpm.sock;
 	#}

 	# deny access to .htaccess files, if Apache's document root
 	# concurs with nginx's one
 	#
 	#location ~ /\.ht {
 	#	deny all;
 	#}
 }
diff --git a/magicpantry b/magicpantry
 server {
 	listen 80;
 	listen [::]:80;

 	root /usr/src/magicpantry/;

 	# Add index.php to the list if you are using PHP
 	index index.html index.htm index.nginx-debian.html;

 	server_name www.magicpantry.co.uk, magicpantry.co.uk;

 	location / {
 	     try_files $uri @proxy;
 	}

        location @proxy {
            proxy_set_header Host $http_host;
 	    # proxy_http_version 1.1;
 	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 	    proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffer_size   128k;
 	    proxy_buffers   4 256k;
 	    proxy_busy_buffers_size   256k;
            proxy_pass http://localhost:7779;
 	}

 	# return 301 https://$server_name$request_uri;
 }

 server {
 	# SSL configuration
 	#
 	listen 443 ssl;
 	listen [::]:443 ssl;
 	#

 	ssl on;
 	include /etc/nginx/snippets/strong-ssl.conf;
 	ssl_certificate /etc/letsencrypt/live/magicpantry.co.uk/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/magicpantry.co.uk/privkey.pem;
 	server_name www.magicpantry.co.uk, magicpantry.co.uk;

 	root /usr/src/magicpantry/;

 	# Add index.php to the list if you are using PHP
 	# index index.html index.htm index.nginx-debian.html;

        location ~ /.well-known {
 		 root /var/ww/ssl/magicpantry/;
        }
 	
 	location / {
 	     try_files $uri @proxy;
 	}

        location @proxy {
            proxy_set_header Host $http_host;
 	    # proxy_http_version 1.1;
 	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 	    proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffer_size   128k;
 	    proxy_buffers   4 256k;
 	    proxy_busy_buffers_size   256k;
            proxy_pass http://localhost:7779;
 	}


 	# deny access to .htaccess files, if Apache's document root
 	# concurs with nginx's one
 	#
 	location ~ /\.ht {
 		deny all;
 	}
 }
diff --git a/nginx.conf b/nginx.conf
 user www-data;
 worker_processes 4;
 pid /run/nginx.pid;

 events {
 	worker_connections 768;
 	# multi_accept on;
 }

 http {

 	##
 	# Basic Settings
 	##

 	sendfile on;
 	tcp_nopush on;
 	tcp_nodelay on;
 	keepalive_timeout 65;
 	types_hash_max_size 2048;
 	server_tokens off;

 	# server_names_hash_bucket_size 64;
 	# server_name_in_redirect off;

 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;

 	##
 	# SSL Settings
 	##

 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
 	ssl_prefer_server_ciphers on;

 	##
 	# Logging Settings
 	##

 	access_log /var/log/nginx/access.log;
 	error_log /var/log/nginx/error.log;

 	##
 	# Gzip Settings
 	##

 	gzip on;
 	gzip_disable "msie6";

 	# gzip_vary on;
 	# gzip_proxied any;
 	# gzip_comp_level 6;
 	# gzip_buffers 16 8k;
 	# gzip_http_version 1.1;
 	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

 	##
 	# Virtual Host Configs
 	##

 	include /etc/nginx/conf.d/*.conf;
 	include /etc/nginx/sites-enabled/*;
 }
diff --git a/strong-ssl.conf b/strong-ssl.conf
 # By Remy van Elst -- https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 # Modified version by HTPC Guides -- https://www.htpcguides.com

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 ssl_ecdh_curve secp384r1;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;

 # Set Google's public DNS servers as upstream resolver
 resolver 8.8.8.8 8.8.4.4 valid=300s;
 resolver_timeout 5s;

 add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
 # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

 # Modify X-Frame-Option from DENY to SAMEORIGIN, required for Deluge Web UI, ownCloud, etc.
 add_header X-Frame-Options SAMEORIGIN;

 add_header X-Content-Type-Options nosniff;

 # Use the 2048 bit DH key
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
	server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name jandj.vps.bitfolk.com;

	location / {
	# First attempt to serve request as file, then
	# as directory, then fall back to displaying a 404.
	try_files $uri $uri/ =404;
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	# include snippets/fastcgi-php.conf;
	#
	# # With php5-cgi alone:
	# fastcgi_pass 127.0.0.1:9000;
	# # With php5-fpm:
	# fastcgi_pass unix:/var/run/php5-fpm.sock;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	# deny all;
	#}
	}
	server {
	listen 80;
	listen [::]:80;

	root /usr/src/magicpantry/;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name www.magicpantry.co.uk, magicpantry.co.uk;

	location / {
	try_files $uri @proxy;
	}

	location @proxy {
	proxy_set_header Host $http_host;
	# proxy_http_version 1.1;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_buffer_size 128k;
	proxy_buffers 4 256k;
	proxy_busy_buffers_size 256k;
	proxy_pass http://localhost:7779;
	}

	# return 301 https://$server_name$request_uri;
	}

	server {
	# SSL configuration
	#
	listen 443 ssl;
	listen [::]:443 ssl;
	#

	ssl on;
	include /etc/nginx/snippets/strong-ssl.conf;
	ssl_certificate /etc/letsencrypt/live/magicpantry.co.uk/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/magicpantry.co.uk/privkey.pem;
	server_name www.magicpantry.co.uk, magicpantry.co.uk;

	root /usr/src/magicpantry/;

	# Add index.php to the list if you are using PHP
	# index index.html index.htm index.nginx-debian.html;

	location ~ /.well-known {
	root /var/ww/ssl/magicpantry/;
	}

	location / {
	try_files $uri @proxy;
	}

	location @proxy {
	proxy_set_header Host $http_host;
	# proxy_http_version 1.1;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_buffer_size 128k;
	proxy_buffers 4 256k;
	proxy_busy_buffers_size 256k;
	proxy_pass http://localhost:7779;
	}


	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	location ~ /\.ht {
	deny all;
	}
	}
	user www-data;
	worker_processes 4;
	pid /run/nginx.pid;

	events {
	worker_connections 768;
	# multi_accept on;
	}

	http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}
	# By Remy van Elst -- https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
	# Modified version by HTPC Guides -- https://www.htpcguides.com

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_ecdh_curve secp384r1;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;

	# Set Google's public DNS servers as upstream resolver
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;

	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
	# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

	# Modify X-Frame-Option from DENY to SAMEORIGIN, required for Deluge Web UI, ownCloud, etc.
	add_header X-Frame-Options SAMEORIGIN;

	add_header X-Content-Type-Options nosniff;

	# Use the 2048 bit DH key
	ssl_dhparam /etc/ssl/certs/dhparam.pem;