itamae/cookbooks/blog/files/etc/nginx/sites-available/blog

91 lines
2.3 KiB
Plaintext

server {
# allow access from localhost
listen 80 reuseport backlog=1024;
listen 443 ssl http2 backlog=1024;
server_name blog.kazu634.com;
ssl_certificate /etc/letsencrypt/live/blog.kazu634.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.kazu634.com/privkey.pem;
ssl_dhparam /etc/letsencrypt/live/blog.kazu634.com/dhparams_4096.pem;
ssl_session_cache shared:SSL:3m;
ssl_buffer_size 4k;
ssl_session_timeout 10m;
ssl_session_tickets on;
ssl_session_ticket_key /etc/letsencrypt/live/blog.kazu634.com/ticket.key;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
# Enable HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
root /var/www/blog;
index index.html index.htm;
access_log /var/log/nginx/blog.access.log ltsv;
error_log /var/log/nginx/blog.error.log;
location / {
gzip on;
gunzip on;
gzip_vary on;
# http2 server push:
http2_push_preload on;
http2_push /css/sanitize.css;
http2_push /css/responsive.css;
http2_push /css/highlight_monokai.css;
http2_push /css/theme.css;
http2_push /css/custom.css;
http2_push /images/profile.png;
http2_push /js/highlight.pack.js;
if (-e "/tmp/maintenance") {
return 503;
}
location /feed {
return 301 http://blog.kazu634.com/index.xml;
}
location /wp-content {
return 404;
}
location ~* \.css {
gzip_static always;
expires max;
}
location ~* \.js {
gzip_static always;
expires max;
}
location /images {
gzip_static always;
expires max;
}
location = /favicon.ico {
access_log off;
empty_gif;
expires max;
}
try_files $uri $uri/ /index.html;
}
}