From c61e44d55b6e69b94bd6c7a31890263aba0c614a Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu <x@xet7.org>
Date: Fri, 28 Dec 2018 17:26:30 +0200
Subject: - Add optional Nginx reverse proxy config to docker-compose.yml and
 nginx directory.

Thanks to MyTheValentinus !
---
 nginx/nginx.conf   | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 nginx/ssl/.gitkeep |  1 +
 2 files changed, 93 insertions(+)
 create mode 100644 nginx/nginx.conf
 create mode 100644 nginx/ssl/.gitkeep

(limited to 'nginx')

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 00000000..9029a2b4
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,92 @@
+user  www-data;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    map $http_host $this_host {
+        "" $host;
+        default $http_host;
+    }
+
+    map $http_x_forwarded_proto $the_scheme {
+        default $http_x_forwarded_proto;
+        "" $scheme;
+    }
+
+    map $http_x_forwarded_host $the_host {
+       default $http_x_forwarded_host;
+       "" $this_host;
+    }
+
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    server {
+   	listen 80;
+	listen 443 ssl;
+
+	if ($scheme = http) {
+  	    rewrite ^ https://$host$request_uri? permanent;
+	}
+
+
+  ssl_certificate /etc/nginx/ssl/server.crt;
+	ssl_certificate_key /etc/nginx/ssl/server.key;
+
+
+	ssl_protocols TLSv1.2;	
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES;
+
+	ssl_session_cache shared:SSL:10m;
+	ssl_session_timeout 10m;
+
+	ssl_ecdh_curve sect571r1:secp521r1:brainpoolP512r1:secp384r1;
+	add_header Strict-Transport-Security "max-age=31536000; preload";
+
+        # Add headers to serve security related headers
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Robots-Tag none;
+        add_header X-Download-Options noopen;
+        add_header X-Permitted-Cross-Domain-Policies none;
+
+	add_header Referrer-Policy "same-origin";
+
+        root /var/www/html;
+        client_max_body_size 10G; # 0=unlimited - set max upload size
+        fastcgi_buffers 64 4K;
+
+        gzip off;
+
+	location / {
+		proxy_pass http://wekan:8080;
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+		proxy_set_header X-Forwarded-For $remote_addr;
+	}
+    }
+}
diff --git a/nginx/ssl/.gitkeep b/nginx/ssl/.gitkeep
new file mode 100644
index 00000000..1fe3dd24
--- /dev/null
+++ b/nginx/ssl/.gitkeep
@@ -0,0 +1 @@
+PLACE YOUR SSL Certificates in this folder
-- 
cgit v1.2.3-1-g7c22