user www-data; worker_processes auto; pid /run/nginx.pid; #include /etc/nginx/modules-enabled/*.conf; events { worker_connections 768; # multi_accept on; } http { ## # Basic Settings ## sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ##New lines proxy_buffering off; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_http_version 1.1; upstream jatos-backend { server 127.0.0.1:9000; } # needed for websockets map $http_upgrade $connection_upgrade { default upgrade; '' close; } # redirect http to https server { listen 80; server_name www.tcoding.tech; rewrite ^ https://www.tcoding.tech$request_uri? permanent; } server { listen 443; ssl on; # http://www.selfsignedcertificate.com/ is useful for development testing ssl_certificate /etc/ssl/certs/tcoding.tech_chain.crt; ssl_certificate_key /etc/ssl/private/tcoding.tech_key.key; # From https://bettercrypto.org/static/applied-crypto-hardening.pdf ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'; add_header Strict-Transport-Security "max-age=15768000; includeSubDomains"; keepalive_timeout 70; server_name www.tcoding.tech; # websocket location (JATOS' group and batch channel and the test page) location ~ "/(jatos/testWebSocket|publix/[\d]+/(group/join|batch/open))" { proxy_pass http://jatos-backend; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_connect_timeout 7d; # keep open for 7 days even without any transmission proxy_send_timeout 7d; proxy_read_timeout 7d; } # restrict access to JATOS' GUI to local network #location /jatos { # allow 192.168.1.0/24; # deny all; # proxy_pass http://jatos-backend; #} # all other traffic location / { proxy_pass http://jatos-backend; } } ##New lines end ## # Logging Settings ## access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ## # Gzip Settings ## gzip on; # gzip_vary on; # gzip_proxied any; # gzip_comp_level 6; # gzip_buffers 16 8k; # gzip_http_version 1.1; # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } #mail { # # See sample authentication script at: # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # # # auth_http localhost/auth.php; # # pop3_capabilities "TOP" "USER"; # # imap_capabilities "IMAP4rev1" "UIDPLUS"; # # server { # listen localhost:110; # protocol pop3; # proxy on; # } # # server { # listen localhost:143; # protocol imap; # proxy on; # } #}