server {
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/domain.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.ru/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# Редирект с www на без www
if ($host = www.domain.ru) {
return 301 https://domain.ru$request_uri;
}
server_name domain.ru www.domain.ru;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://192.168.1.85/;
}
}
# Редирект с https на https и www на без www
server {
if ($host = www.domain.ru) {
return 301 https://domain.ru$request_uri;
}
if ($host = domain.ru) {
return 301 https://domain.ru$request_uri;
}
listen 80;
server_name domain.ru www.domain.ru;
return 404;
}
server {
######################################################################
## Server configuration
######################################################################
listen *:443 ssl http2;
server_name 5job.ru www.5job.ru ;
root /var/www/5job.ru/web;
######################################################################
## Enable gzip for proxied requests and static files
######################################################################
# Enable gzip for proxied requests and static files
gzip on;
gzip_proxied any;
gzip_vary on;
gzip_http_version 1.1;
gzip_types application/javascript application/json text/css text/xml;
gzip_comp_level 4;
######################################################################
## SSL configuration
######################################################################
# recommended but not manditory directive
# leave commented out unless you know what it is doing
#more_set_headers 'Strict-Transport-Security: max-age=15768000';
ssl on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1h;
ssl_protocols TLSv1.2 TLSv1.1;
add_header Strict-Transport-Security "max-age=15768000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
ssl_certificate /var/www/clients/client26/web28/ssl/5job.ru-le.crt;
ssl_certificate_key /var/www/clients/client26/web28/ssl/5job.ru-le.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
######################################################################
## Log configuration
######################################################################
#Все логи отключены
error_log /dev/null crit;
access_log off;
######################################################################
## 555 Еrror requires password password
######################################################################
# Дев сайты закрыты htpass login:dev pass:dev (второй кусок ниже)
error_page 555 = @pass;
location @pass {
auth_basic "Unauthorized";
auth_basic_user_file /var/www/dev_htpasswd;
proxy_pass https://127.0.0.1:4443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTPS YES;
}
######################################################################
## Errors send to apache2
######################################################################
# у апача своих алиасов куча, а так же некоторая статика отдается
# средствамси php, по этому все ошибки обрабатывать только apache2
error_page 401 403 404 405 500 502 503 = @fallback;
location @fallback {
proxy_pass https://127.0.0.1:4443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTPS YES;
}
######################################################################
## Locations configuration
######################################################################
#Отключаем логирование ошибок No such file or directory
## Disable .htaccess files
location ~ /\.ht {
deny all;
access_log off;
log_not_found off;
}
##
location = /favicon.ico {
log_not_found off;
access_log off;
}
##
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
##
######################################################################
# сервисы на сайте phpmyadmin почта и letxencrypt
location /phpmyadmin/ {
deny all;
# поставить пароль на phpmyadmin
return 555;
root /usr/share/phpmyadmin/;
}
##
location /webmail/ {
rewrite ^/(.*)$ https://$http_host:8080/$1 permanent;
}
# letsencrypt
location /.well-known/acme-challenge/ {
alias /usr/local/ispconfig/interface/acme/;
default_type text/plain;
}
# static content
# Отдаем статику напрямую с nginx
location ~* ^.+\.(jpg|jpeg|svg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf|flv|mp3)$ {
root /var/www/5job.ru/web;
access_log off;
expires 30d;
gzip_static on;
}
# default location
location / {
index index.php index.html index.htm;
proxy_pass https://127.0.0.1:4443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTPS YES;
######################################################################
## Dev site Protection Requests in location /
######################################################################
# Дабы дев сайты не индексировались поисковиками, принудительно
# Ставим пароли на них, все что начинается с dev,old. или домен ks03
if ($http_host ~* "^(dev|old|www.old|www.dev)\..*\..{2,8}$"){
return 555;
}
if ($http_host ~* "^.*\.ks03\.ru$"){
return 555;
}
proxy_set_header X-Forwarded-Proto https;
include /etc/nginx/locations.d/*.conf;
}
}