itsprofcjs · August 20, 2021 20:03
diff --git a/nginx config sample b/nginx config sample
 server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             website;
    root                    /srv/sites/website;

    # index.html fallback
    location / {
        try_files $uri $uri/ /index.html;
    }

    location /api {
        proxy_pass http://localhost:port;
    }

    # . files
    location ~ /\.(?!well-known) {
        deny all;
    }

    # static config
    # include                 config/static.conf;
    # favicon.ico
    location = /favicon.ico {
        log_not_found off;
        access_log    off;
    }

    # robots.txt
    location = /robots.txt {
        log_not_found off;
        access_log    off;
    }

    # service-worker.js
    location = /service-worker.js {
        log_not_found off;
        access_log    off;

        expires        -1;
    }

    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires    30d;
        access_log off;
    }

    # svg, fonts
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        expires    30d;
        access_log off;
    }

    # compression config
    # include                 config/compression.conf
    # gzip
    gzip                    on;
    gzip_vary               on;
    gzip_proxied            any;
    gzip_comp_level         6;
    gzip_types              text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;


    # SSL
    ssl_certificate         /etc/letsencrypt/live/website/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/website/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/website/chain.pem;

    # security
    # include                 config/security.conf;
    # security headers
    add_header X-Frame-Options           "SAMEORIGIN" always;
    add_header X-XSS-Protection          "1; mode=block" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

 }

 # subdomains redirect
 server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             *.website;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/website/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/website/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/website/chain.pem;
    return                  301 https://$host$request_uri;
 }

 # HTTP redirect
 server {
    listen      80;
    listen      [::]:80;
    server_name .website;
    # include     nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://$host$request_uri;
    }
 }
	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name website;
	root /srv/sites/website;

	# index.html fallback
	location / {
	try_files $uri $uri/ /index.html;
	}

	location /api {
	proxy_pass http://localhost:port;
	}

	# . files
	location ~ /\.(?!well-known) {
	deny all;
	}

	# static config
	# include config/static.conf;
	# favicon.ico
	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	# robots.txt
	location = /robots.txt {
	log_not_found off;
	access_log off;
	}

	# service-worker.js
	location = /service-worker.js {
	log_not_found off;
	access_log off;

	expires -1;
	}

	# assets, media
	location ~* \.(?:css(\.map)?\|js(\.map)?\|jpe?g\|png\|gif\|ico\|cur\|heic\|webp\|tiff?\|mp3\|m4a\|aac\|ogg\|midi?\|wav\|mp4\|mov\|webm\|mpe?g\|avi\|ogv\|flv\|wmv)$ {
	expires 30d;
	access_log off;
	}

	# svg, fonts
	location ~* \.(?:svgz?\|ttf\|ttc\|otf\|eot\|woff2?)$ {
	add_header Access-Control-Allow-Origin "*";
	expires 30d;
	access_log off;
	}

	# compression config
	# include config/compression.conf
	# gzip
	gzip on;
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;


	# SSL
	ssl_certificate /etc/letsencrypt/live/website/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/website/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/website/chain.pem;

	# security
	# include config/security.conf;
	# security headers
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header Referrer-Policy "no-referrer-when-downgrade" always;
	add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

	}

	# subdomains redirect
	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name *.website;

	# SSL
	ssl_certificate /etc/letsencrypt/live/website/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/website/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/website/chain.pem;
	return 301 https://$host$request_uri;
	}

	# HTTP redirect
	server {
	listen 80;
	listen [::]:80;
	server_name .website;
	# include nginxconfig.io/letsencrypt.conf;

	location / {
	return 301 https://$host$request_uri;
	}
	}