86 lines
2.2 KiB
Plaintext
86 lines
2.2 KiB
Plaintext
|
# map of content type -> expires header
|
||
|
map $sent_http_content_type $expires {
|
||
|
default off;
|
||
|
text/html epoch;
|
||
|
text/css max;
|
||
|
application/javascript max;
|
||
|
~image/ max;
|
||
|
}
|
||
|
|
||
|
# listen for BS traffic on 80 that lacks a hostname, and just serve
|
||
|
# the "welcome to NGINX" page
|
||
|
server {
|
||
|
listen 80 default_server;
|
||
|
listen [::]:80 default_server;
|
||
|
server_name _;
|
||
|
|
||
|
root /user/share/nginx/html;
|
||
|
}
|
||
|
|
||
|
# listen on 80, and 301 all traffic to https
|
||
|
# allow .well-known on 80 though, for Let's Encrypt checks
|
||
|
server {
|
||
|
listen [::]:80;
|
||
|
listen 80;
|
||
|
server_name tomaskrejci.com www.tomaskrejci.com;
|
||
|
|
||
|
root /var/www/ghost/;
|
||
|
location ~ /.well-known {
|
||
|
allow all;
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
location / {
|
||
|
return 301 https://tomaskrejci.com$request_uri;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
# listen on 443, and forward all www traffic to non-www
|
||
|
server {
|
||
|
listen [::]:443 ssl http2;
|
||
|
listen 443 ssl http2;
|
||
|
server_name www.tomaskrejci.com;
|
||
|
|
||
|
location / {
|
||
|
return 301 https://tomaskrejci.com$request_uri;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
# what we're actually listening on
|
||
|
server {
|
||
|
|
||
|
# allow ssl and http2 traffic
|
||
|
listen [::]:443 ssl http2 default_server;
|
||
|
listen 443 ssl http2 default_server;
|
||
|
|
||
|
# our server name is our hostname
|
||
|
server_name tomaskrejci.com;
|
||
|
|
||
|
# point at our SSL certificates
|
||
|
ssl_certificate /etc/letsencrypt/live/tomaskrejci.com/fullchain.pem;
|
||
|
ssl_certificate_key /etc/letsencrypt/live/tomaskrejci.com/privkey.pem;
|
||
|
|
||
|
# setup our access and error logs
|
||
|
access_log /var/log/nginx/tomaskrejci.com.access.log;
|
||
|
error_log /var/log/nginx/tomaskrejci.com.error.log;
|
||
|
|
||
|
# add expires headers for static content
|
||
|
expires $expires;
|
||
|
|
||
|
# proxy all of our traffic to Ghost
|
||
|
location / {
|
||
|
proxy_set_header X-Real-IP $remote_addr;
|
||
|
proxy_set_header HOST $http_host;
|
||
|
proxy_set_header X-NginX-Proxy true;
|
||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||
|
|
||
|
proxy_pass http://127.0.0.1:2368;
|
||
|
proxy_redirect off;
|
||
|
}
|
||
|
|
||
|
# allow Let's Encrypt checks on .well-known without proxying
|
||
|
location ~ /.well-known {
|
||
|
allow all;
|
||
|
}
|
||
|
}
|