tomaskrejcicom_web_ghost/ghost_nginx_config

# map of content type -> expires header
map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;
}

# listen for BS traffic on 80 that lacks a hostname, and just serve
# the "welcome to NGINX" page
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    root /user/share/nginx/html;
}

# listen on 80, and 301 all traffic to https
# allow .well-known on 80 though, for Let's Encrypt checks
server {
    listen [::]:80;
    listen 80;
    server_name tomaskrejci.com www.tomaskrejci.com;

    root /var/www/ghost/;
    location ~ /.well-known {
        allow all;
        break;
    }

    location / {
        return 301 https://tomaskrejci.com$request_uri;
    }
}

# listen on 443, and forward all www traffic to non-www
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name www.tomaskrejci.com;

    location / {
        return 301 https://tomaskrejci.com$request_uri;
    }
}

# what we're actually listening on
server {

    # allow ssl and http2 traffic
    listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2 default_server;

    # our server name is our hostname
    server_name tomaskrejci.com;

    # point at our SSL certificates
    ssl_certificate /etc/letsencrypt/live/tomaskrejci.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tomaskrejci.com/privkey.pem;

    # setup our access and error logs
    access_log /var/log/nginx/tomaskrejci.com.access.log;
    error_log /var/log/nginx/tomaskrejci.com.error.log;

    # add expires headers for static content
    expires $expires;

    # proxy all of our traffic to Ghost
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header HOST $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:2368;
        proxy_redirect off;
    }

    # allow Let's Encrypt checks on .well-known without proxying
    location ~ /.well-known {
        allow all;
    }
}
add nginx config 2023-07-19 20:10:07 +00:00			`# map of content type -> expires header`
			`map $sent_http_content_type $expires {`
			`default off;`
			`text/html epoch;`
			`text/css max;`
			`application/javascript max;`
			`~image/ max;`
			`}`

			`# listen for BS traffic on 80 that lacks a hostname, and just serve`
			`# the "welcome to NGINX" page`
			`server {`
			`listen 80 default_server;`
			`listen [::]:80 default_server;`
			`server_name _;`

			`root /user/share/nginx/html;`
			`}`

			`# listen on 80, and 301 all traffic to https`
			`# allow .well-known on 80 though, for Let's Encrypt checks`
			`server {`
			`listen [::]:80;`
			`listen 80;`
			`server_name tomaskrejci.com www.tomaskrejci.com;`

			`root /var/www/ghost/;`
			`location ~ /.well-known {`
			`allow all;`
			`break;`
			`}`

			`location / {`
			`return 301 https://tomaskrejci.com$request_uri;`
			`}`
			`}`

			`# listen on 443, and forward all www traffic to non-www`
			`server {`
			`listen [::]:443 ssl http2;`
			`listen 443 ssl http2;`
			`server_name www.tomaskrejci.com;`

			`location / {`
			`return 301 https://tomaskrejci.com$request_uri;`
			`}`
			`}`

			`# what we're actually listening on`
			`server {`

			`# allow ssl and http2 traffic`
			`listen [::]:443 ssl http2 default_server;`
			`listen 443 ssl http2 default_server;`

			`# our server name is our hostname`
			`server_name tomaskrejci.com;`

			`# point at our SSL certificates`
			`ssl_certificate /etc/letsencrypt/live/tomaskrejci.com/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/tomaskrejci.com/privkey.pem;`

			`# setup our access and error logs`
			`access_log /var/log/nginx/tomaskrejci.com.access.log;`
			`error_log /var/log/nginx/tomaskrejci.com.error.log;`

			`# add expires headers for static content`
			`expires $expires;`

			`# proxy all of our traffic to Ghost`
			`location / {`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header HOST $http_host;`
			`proxy_set_header X-NginX-Proxy true;`
			`proxy_set_header X-Forwarded-Proto $scheme;`

			`proxy_pass http://127.0.0.1:2368;`
			`proxy_redirect off;`
			`}`

			`# allow Let's Encrypt checks on .well-known without proxying`
			`location ~ /.well-known {`
			`allow all;`
			`}`
			`}`