classic/nginx.conf at master · TNohSam/classic · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
worker_processes 1;

events {
    worker_connections 1024;
}

stream {
    log_format proxy_log '$remote_addr [$time_local] '
                         '$protocol $status $bytes_sent $bytes_received '
                         '$session_time "$upstream_addr"';

    access_log /var/log/nginx/access.log proxy_log;
    error_log /var/log/nginx/error.log info;

    upstream login_server {
        server l1jserver:2000;
    }

    server {
        listen 2000;
        proxy_pass login_server;
    }
}

http {
    server {
        listen 80;
        listen [::]:80;
        # Replace with your domain if planning to use https
        server_name localhost;

        # Required for certbot renewal
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }

        # Redirect all HTTP to HTTPS
        location / {
            return 301 https://$host$request_uri;
        }
    }

    ### Request a Let's Encrypt certificate ###

    # 1) In server/listen 80 section, replace localhost with your actual domain
    # 2) Restart nginx (docker compose restart nginx) with: docker compose up -d nginx (make sure nginx is running without ssl first and without errors)
    # 2) Run the command below to obtain the certificate
    #       docker compose run --rm certbot certonly --webroot --webroot-path=/var/www/certbot -d yourdomain.com
    # 3) Uncomment the ssl section below and replace <yourdomain> with your actual domain and restart nginx (docker compose restart nginx)
    # 4) Set up a cron job to renew the certificate automatically (optional but recommended)
    #       docker-cert-renewal.sh is provided for this purpose

    ### SSL configuration ###

    # server {
    #     listen 443 ssl;
    #     listen [::]:443 ssl;
    #     server_name <yourdomain>;

    #     ssl_certificate /etc/letsencrypt/live/<yourdomain>/fullchain.pem;
    #     ssl_certificate_key /etc/letsencrypt/live/<yourdomain>/privkey.pem;

    #     # Add strong security headers (optional but recommended)
    #     ssl_protocols TLSv1.3 TLSv1.2;
    #     ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';
    #     ssl_prefer_server_ciphers off;
    #     ssl_session_cache shared:SSL:10m;
    #     ssl_session_timeout 1d;
    #     ssl_session_tickets off;

    #     # Replace this with your actual application's proxy settings
    #     location / {
    #         # e.g., proxy to another container running on port 3000
    #         proxy_pass http://phpmyadmin:80;
    #         proxy_set_header Host $host;
    #         proxy_set_header X-Real-IP $remote_addr;
    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #         proxy_set_header X-Forwarded-Proto $scheme;
    #     }
    # }
}