manifestinteractive · July 28, 2018 01:41
diff --git a/README.md b/README.md
diff --git a/basic.conf b/basic.conf
 # /usr/conf/snippets/basic.conf 

 #Specify a charset
 charset utf-8;

 # Setup Content Encoding
 gzip on;
 gzip_min_length 1100;
 gzip_buffers 4 32k;
 gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
 gzip_vary on;

 # Force the latest IE version
 add_header "X-UA-Compatible" "IE=Edge";

 # Expire rules for static content

 # cache.appcache, your document html and data
 location ~* \.(?:manifest|appcache|html?|xml|json)$ {
  expires -1;
 }

 # Feed
 location ~* \.(?:rss|atom)$ {
  expires 1h;
 }

 # Media: images, icons, video, audio, HTC
 location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
  expires 1M;
  access_log off;
  add_header Cache-Control "public";
 }

 # CSS and Javascript
 location ~* \.(?:css|js)$ {
  expires 1y;
  access_log off;
 }

 # Cross domain webfont access
 location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
  add_header "Access-Control-Allow-Origin" "*";
  expires 1M;
  access_log off;
  add_header Cache-Control "public";
 }

 # Prevent clients from accessing hidden files ( except .well-known )
 location ~* /\.(?!well-known\/) {
  deny all;
 }

 # Prevent clients from accessing to backup/config/source files
 location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
  deny all;
 }

 location ~ \.(?:css|htc|js|js2|js3|js4)$ {
  gzip_vary on;
 }

 location ~ /\.ht {
  deny all;
 }
diff --git a/nginx-node-api.conf b/nginx-node-api.conf
 #/etc/nginx/sites-available/api.mydomain.com

 # http://api.mydomain.com
 server {
  listen [::]:80 ipv6only=on;
  listen 80;
  server_name api.mydomain.com;
  return 301 https://$server_name$request_uri;
 }

 # https://api.mydomain.com
 server {
  listen [::]:443 ssl http2 ipv6only=on;
  listen 443 ssl http2;
  include snippets/ssl-api.mydomain.com.conf;
  include snippets/ssl-params.conf;
  include snippets/basic.conf;

  root /var/www/api.mydomain.com/html;
  index index.html;

  error_page 404 =200 @api_proxy;

  server_name api.mydomain.com;

  location ~ /.well-known {
    allow all;
    root /var/www/api.mydomain.com/html/;
  }

  location / {
    root /var/www/api.mydomain.com/html/app/static/;
    try_files $uri $uri/ @api_proxy;
  }

  location @api_proxy {
    proxy_pass http://127.0.0.1:5000;
    access_log off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_hide_header X-Frame-Options;
  }

  location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
    root /var/www/api.mydomain.com/html/app/static/;
    access_log off;
    expires max;
  }

  location ^~ /assets {
    root /var/www/api.mydomain.com/html/app/static/;
  }

  location ^~ /docs {
    auth_basic "API Developer Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    add_header X-Frame-Options "SAMEORIGIN";
    root /var/www/api.mydomain.com/html/app/static/;
  }

  location ~ ^/(docs.*) {
    add_header X-Frame-Options "SAMEORIGIN";
    root /var/www/api.mydomain.com/html/app/static/;
  }

  location ^~ /guide {
    add_header X-Frame-Options "SAMEORIGIN";
    root /var/www/api.mydomain.com/html/app/static/;
  }

  location ~ ^/(guide.*) {
    add_header X-Frame-Options "SAMEORIGIN";
    root /var/www/api.mydomain.com/html/app/static/;
  }

  # Media: images, icons, video, audio, HTC
  location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
    expires 1M;
    access_log off;
    add_header Cache-Control "public";
  }

  # CSS and Javascript
  location ~* \.(?:css|js)$ {
    expires 1y;
    access_log off;
    add_header Cache-Control "public";
  }
 }
diff --git a/ssl-api.mydomain.com.conf b/ssl-api.mydomain.com.conf
 # /usr/conf/snippets/ssl-api.mydomain.com.conf

 ssl_certificate /etc/letsencrypt/live/api.mydomain.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/api.mydomain.com/privkey.pem;
diff --git a/ssl-params.conf b/ssl-params.conf
 # /usr/conf/snippets/ssl-params.conf

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 ssl_ecdh_curve secp384r1;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 1h;
 ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
 resolver 8.8.8.8 8.8.4.4 valid=300s;
 resolver_timeout 5s;

 add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;

 ssl_dhparam /etc/ssl/certs/dhparam.pem;
	# /usr/conf/snippets/basic.conf

	#Specify a charset
	charset utf-8;

	# Setup Content Encoding
	gzip on;
	gzip_min_length 1100;
	gzip_buffers 4 32k;
	gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
	gzip_vary on;

	# Force the latest IE version
	add_header "X-UA-Compatible" "IE=Edge";

	# Expire rules for static content

	# cache.appcache, your document html and data
	location ~* \.(?:manifest\|appcache\|html?\|xml\|json)$ {
	expires -1;
	}

	# Feed
	location ~* \.(?:rss\|atom)$ {
	expires 1h;
	}

	# Media: images, icons, video, audio, HTC
	location ~* \.(?:jpg\|jpeg\|gif\|png\|ico\|cur\|gz\|svg\|svgz\|mp4\|ogg\|ogv\|webm\|htc)$ {
	expires 1M;
	access_log off;
	add_header Cache-Control "public";
	}

	# CSS and Javascript
	location ~* \.(?:css\|js)$ {
	expires 1y;
	access_log off;
	}

	# Cross domain webfont access
	location ~* \.(?:ttf\|ttc\|otf\|eot\|woff\|woff2)$ {
	add_header "Access-Control-Allow-Origin" "*";
	expires 1M;
	access_log off;
	add_header Cache-Control "public";
	}

	# Prevent clients from accessing hidden files ( except .well-known )
	location ~* /\.(?!well-known\/) {
	deny all;
	}

	# Prevent clients from accessing to backup/config/source files
	location ~* (?:\.(?:bak\|conf\|dist\|fla\|in[ci]\|log\|psd\|sh\|sql\|sw[op])\|~)$ {
	deny all;
	}

	location ~ \.(?:css\|htc\|js\|js2\|js3\|js4)$ {
	gzip_vary on;
	}

	location ~ /\.ht {
	deny all;
	}
	#/etc/nginx/sites-available/api.mydomain.com

	# http://api.mydomain.com
	server {
	listen [::]:80 ipv6only=on;
	listen 80;
	server_name api.mydomain.com;
	return 301 https://$server_name$request_uri;
	}

	# https://api.mydomain.com
	server {
	listen [::]:443 ssl http2 ipv6only=on;
	listen 443 ssl http2;
	include snippets/ssl-api.mydomain.com.conf;
	include snippets/ssl-params.conf;
	include snippets/basic.conf;

	root /var/www/api.mydomain.com/html;
	index index.html;

	error_page 404 =200 @api_proxy;

	server_name api.mydomain.com;

	location ~ /.well-known {
	allow all;
	root /var/www/api.mydomain.com/html/;
	}

	location / {
	root /var/www/api.mydomain.com/html/app/static/;
	try_files $uri $uri/ @api_proxy;
	}

	location @api_proxy {
	proxy_pass http://127.0.0.1:5000;
	access_log off;

	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header Host $host;
	proxy_hide_header X-Frame-Options;
	}

	location ~ ^/(assets/\|robots.txt\|humans.txt\|favicon.ico) {
	root /var/www/api.mydomain.com/html/app/static/;
	access_log off;
	expires max;
	}

	location ^~ /assets {
	root /var/www/api.mydomain.com/html/app/static/;
	}

	location ^~ /docs {
	auth_basic "API Developer Access";
	auth_basic_user_file /etc/nginx/.htpasswd;
	add_header X-Frame-Options "SAMEORIGIN";
	root /var/www/api.mydomain.com/html/app/static/;
	}

	location ~ ^/(docs.*) {
	add_header X-Frame-Options "SAMEORIGIN";
	root /var/www/api.mydomain.com/html/app/static/;
	}

	location ^~ /guide {
	add_header X-Frame-Options "SAMEORIGIN";
	root /var/www/api.mydomain.com/html/app/static/;
	}

	location ~ ^/(guide.*) {
	add_header X-Frame-Options "SAMEORIGIN";
	root /var/www/api.mydomain.com/html/app/static/;
	}

	# Media: images, icons, video, audio, HTC
	location ~* \.(?:jpg\|jpeg\|gif\|png\|ico\|cur\|gz\|svg\|svgz\|mp4\|ogg\|ogv\|webm\|htc)$ {
	expires 1M;
	access_log off;
	add_header Cache-Control "public";
	}

	# CSS and Javascript
	location ~* \.(?:css\|js)$ {
	expires 1y;
	access_log off;
	add_header Cache-Control "public";
	}
	}
	# /usr/conf/snippets/ssl-api.mydomain.com.conf

	ssl_certificate /etc/letsencrypt/live/api.mydomain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/api.mydomain.com/privkey.pem;
	# /usr/conf/snippets/ssl-params.conf

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_ecdh_curve secp384r1;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 1h;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;

	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;

	ssl_dhparam /etc/ssl/certs/dhparam.pem;