ini VestaCP：Phoenix Nginx SSL Conf

Posted 2021-05-24

# Getting Started.
# 1. Enter visual mode V, then use s/myapp/domain/g to replace all myapp to domain.
# 2. Change upstream port to PORT ENV variable defined in /etc/init.d/myapp

# hide server information
http {
  server_tokens off;
}

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name myapp.com www.myapp.com;

  return 301 https://$server_name$request_uri;
}

# Getting Started.
# 1. Enter visual mode V, then use s/myapp.com/domain.com/g to replace all myapp to domain.
# 2. Change upstream port to PORT ENV variable defined in /etc/init.d/myapp

upstream myapp {
  server localhost:34567;
}

# hide server information
http {
  server_tokens off;
}

# the main server directive for ssl connections
# where we also use http2 (see asset delivery)
server {
  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  server_name myapp.com www.myapp.com;

  # paths to certificate and key provided by Let's Encrypt
  #ssl_certificate /etc/letsencrypt/live/myapp.com/fullchain.pem;
  #ssl_certificate_key /etc/letsencrypt/live/myapp.com/privkey.pem;
  ssl_certificate /home/admin/conf/web/myapp.com.pem;
  ssl_certificate /home/admin/conf/web/myapp.com.key;

  # SSL settings that currently offer good results in the SSL check
  # and have a reasonable backwards-compatibility, taken from
  # - https://cipherli.st/
  # - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # security enhancements
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  # Let's Encrypt keeps its files here
  location ~ /.well-known {
    root /home/admin/conf/web/myapp.com/public_html;
    allow all;
  }

  # besides referencing the extracted upstream this stays the same
  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://myapp;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    
    # asset delivery using NGINX
    location ~* ^.+\.(css|cur|gif|gz|ico|jpg|jpeg|js|png|svg|woff|woff2|mp3|mp4)$ {
      root /home/admin/myapp/priv/static;
      etag off;
      expires max;
      add_header Cache-Control public;
    }
    
    # php support for Vesta
    location ~ [^/]\.php(/|$) {
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        if (!-f $document_root$fastcgi_script_name) {
            return  404;
        }

        fastcgi_pass    127.0.0.1:9002;
        fastcgi_index   index.php;
        include         /etc/nginx/fastcgi_params;
    }
  }
   
  error_page  403 /error/404.html;
  error_page  404 /error/404.html;
  error_page  500 502 503 504 /error/50x.html;

  location /error/ {
      alias   /home/admin/web/myapp.com/document_errors/;
  }

  location ~* "/\.(htaccess|htpasswd)$" {
      deny    all;
      return  404;
  }

  location /vstats/ {
      alias   /home/admin/web/myapp.com/stats/;
      include /home/admin/web/myapp.com/stats/auth.conf*;
  }
  
  include     /etc/nginx/conf.d/phpmyadmin.inc*;
  include     /etc/nginx/conf.d/phppgadmin.inc*;
  include     /etc/nginx/conf.d/webmail.inc*;
  
}

#Configuration file for a phoenix app running on a subdirectory. 

upstream myapp {
  server localhost:34567;
}

# hide server information
http {
  server_tokens off;
}

server {
  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  server_name myapp.com www.myapp.com;

  root /home/admin/web/myapp.com/public_html;
  index index.html;

  location / {
    try_files $uri $uri/ =404;
  }
  
  location /subdirectory {
    # pass the requests on to our proxy
    try_files $uri @proxy;
  }
  
  location @proxy {
    include proxy_params;
    proxy_redirect off;
    proxy_pass http://myapp_phoenix;
  }
}

#Configuration file for a phoenix app running on a subdirectory. 

upstream myapp {
  server localhost:37340;
}

# hide server information
http {
  server_tokens off;
}

server {
  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  server_name myapp.com www.myapp.com;

  root /home/admin/web/myapp.com/public_html;
  index index.html;
  
  # paths to certificate and key provided by Let's Encrypt
  #ssl_certificate /etc/letsencrypt/live/myapp.com/fullchain.pem;
  #ssl_certificate_key /etc/letsencrypt/live/myapp.com/privkey.pem;
  ssl_certificate /home/admin/conf/web/myapp.com.pem;
  ssl_certificate /home/admin/conf/web/myapp.com.key;

  # SSL settings that currently offer good results in the SSL check
  # and have a reasonable backwards-compatibility, taken from
  # - https://cipherli.st/
  # - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # security enhancements
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  location / {
    # pass the requests on to our proxy
    try_files $uri @proxy;
    
    # asset delivery using NGINX
    location ~* ^.+\.(css|cur|gif|gz|ico|jpg|jpeg|js|png|svg|woff|woff2|mp3|mp4)$ {
      root /home/admin/myapp/priv/static;
      etag off;
      expires max;
      add_header Cache-Control public;
    }
    
    # php delivery support
    location ~ [^/]\.php(/|$) {
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        if (!-f $document_root$fastcgi_script_name) {
            return  404;
        }

        fastcgi_pass    127.0.0.1:9002;
        fastcgi_index   index.php;
        include         /etc/nginx/fastcgi_params;
    }
    
  }
 
  location @proxy {
    include proxy_params;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://myapp;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
  
  # Let's Encrypt keeps its files here
  location ~ /.well-known {
    root /home/admin/web/myapp.com/public_html;
    allow all;
  }
  
  include     /etc/nginx/conf.d/phpmyadmin.inc*;
  include     /etc/nginx/conf.d/phppgadmin.inc*;
  include     /etc/nginx/conf.d/webmail.inc*;
  
}