######################################################################
## SSL configuration
######################################################################
# recommended but not manditory directive
# leave commented out unless you know what it is doing
#more_set_headers 'Strict-Transport-Security: max-age=15768000';
ssl on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1h;
ssl_protocols TLSv1.2 TLSv1.1;
add_header Strict-Transport-Security "max-age=15768000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
ssl_certificate /var/www/clients/client132/web171/ssl/3dpaneli.ru-le.crt;
ssl_certificate_key /var/www/clients/client132/web171/ssl/3dpaneli.ru-le.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;nginx 80 --> 82 apache
nginx+ssl 443 -> 4443 apache +sslnginx 80 --> 82 apache
nginx+ssl 443 -> 80 apache + эмулировать что это httpsserver {
######################################################################
## Server configuration
######################################################################
listen *:443 ssl http2;
server_name 5job.ru www.5job.ru ;
root /var/www/5job.ru/web;
######################################################################
## Enable gzip for proxied requests and static files
######################################################################
# Enable gzip for proxied requests and static files
gzip on;
gzip_proxied any;
gzip_vary on;
gzip_http_version 1.1;
gzip_types application/javascript application/json text/css text/xml;
gzip_comp_level 4;
######################################################################
## SSL configuration
######################################################################
# recommended but not manditory directive
# leave commented out unless you know what it is doing
#more_set_headers 'Strict-Transport-Security: max-age=15768000';
ssl on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1h;
ssl_protocols TLSv1.2 TLSv1.1;
add_header Strict-Transport-Security "max-age=15768000" always;
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
ssl_certificate /var/www/clients/client26/web28/ssl/5job.ru-le.crt;
ssl_certificate_key /var/www/clients/client26/web28/ssl/5job.ru-le.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
######################################################################
## Log configuration
######################################################################
#Все логи отключены
error_log /dev/null crit;
access_log off;
######################################################################
## 555 Еrror requires password password
######################################################################
# Дев сайты закрыты htpass login:dev pass:dev (второй кусок ниже)
error_page 555 = @pass;
location @pass {
auth_basic "Unauthorized";
auth_basic_user_file /var/www/dev_htpasswd;
proxy_pass https://127.0.0.1:4443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTPS YES;
}
######################################################################
## Errors send to apache2
######################################################################
# у апача своих алиасов куча, а так же некоторая статика отдается
# средствамси php, по этому все ошибки обрабатывать только apache2
error_page 401 403 404 405 500 502 503 = @fallback;
location @fallback {
proxy_pass https://127.0.0.1:4443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTPS YES;
}
######################################################################
## Locations configuration
######################################################################
#Отключаем логирование ошибок No such file or directory
## Disable .htaccess files
location ~ /\.ht {
deny all;
access_log off;
log_not_found off;
}
##
location = /favicon.ico {
log_not_found off;
access_log off;
}
##
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
##
######################################################################
# сервисы на сайте phpmyadmin почта и letxencrypt
location /phpmyadmin/ {
deny all;
# поставить пароль на phpmyadmin
return 555;
root /usr/share/phpmyadmin/;
}
##
location /webmail/ {
rewrite ^/(.*)$ https://$http_host:8080/$1 permanent;
}
# letsencrypt
location /.well-known/acme-challenge/ {
alias /usr/local/ispconfig/interface/acme/;
default_type text/plain;
}
# static content
# Отдаем статику напрямую с nginx
location ~* ^.+\.(jpg|jpeg|svg|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf|flv|mp3)$ {
root /var/www/5job.ru/web;
access_log off;
expires 30d;
gzip_static on;
}
# default location
location / {
index index.php index.html index.htm;
proxy_pass https://127.0.0.1:4443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTPS YES;
######################################################################
## Dev site Protection Requests in location /
######################################################################
# Дабы дев сайты не индексировались поисковиками, принудительно
# Ставим пароли на них, все что начинается с dev,old. или домен ks03
if ($http_host ~* "^(dev|old|www.old|www.dev)\..*\..{2,8}$"){
return 555;
}
if ($http_host ~* "^.*\.ks03\.ru$"){
return 555;
}
proxy_set_header X-Forwarded-Proto https;
include /etc/nginx/locations.d/*.conf;
}
}server_name example.com www.example.com;ServerName example.com ya.ru google.com
ServerAlias www.example.com yandex.ruserver {
listen *:80;
server_name www.site.ru site.ru ;
root /var/www/site.ru/web;
.........
server {
listen *:443;
server_name www.site.ru site.ru ;
root /var/www/site.ru/web;
.........kurstudy.ru. 600 IN AAAA 2a03:6f00:1::5c35:602elisten 443 ssl;
server_name default_server ;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
root /var/www/html;
return 444;
}listen 443 ssl;
server_name default_server ;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
root /var/www/html;
return 444;
}