From 89694f2047c781401c2cf19d5dcfcf83440f623e Mon Sep 17 00:00:00 2001
From: Tomas Krejci
Date: Wed, 19 Jul 2023 22:10:07 +0200
Subject: [PATCH] add nginx config
---
 ghost_nginx_config | 85 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 ghost_nginx_config
diff --git a/ghost_nginx_config b/ghost_nginx_config
new file mode 100644
index 0000000..dcbe0dd
--- /dev/null
+++ b/ghost_nginx_config
@@ -0,0 +1,85 @@
+# map of content type -> expires header
+map $sent_http_content_type $expires {
+ default off;
+ text/html epoch;
+ text/css max;
+ application/javascript max;
+ ~image/ max;
+}
+
+# listen for BS traffic on 80 that lacks a hostname, and just serve
+# the "welcome to NGINX" page
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ root /user/share/nginx/html;
+}
+
+# listen on 80, and 301 all traffic to https
+# allow .well-known on 80 though, for Let's Encrypt checks
+server {
+ listen [::]:80;
+ listen 80;
+ server_name tomaskrejci.com www.tomaskrejci.com;
+
+ root /var/www/ghost/;
+ location ~ /.well-known {
+ allow all;
+ break;
+ }
+
+ location / {
+ return 301 https://tomaskrejci.com$request_uri;
+ }
+}
+
+# listen on 443, and forward all www traffic to non-www
+server {
+ listen [::]:443 ssl http2;
+ listen 443 ssl http2;
+ server_name www.tomaskrejci.com;
+
+ location / {
+ return 301 https://tomaskrejci.com$request_uri;
+ }
+}
+
+# what we're actually listening on
+server {
+
+ # allow ssl and http2 traffic
+ listen [::]:443 ssl http2 default_server;
+ listen 443 ssl http2 default_server;
+
+ # our server name is our hostname
+ server_name tomaskrejci.com;
+
+ # point at our SSL certificates
+ ssl_certificate /etc/letsencrypt/live/tomaskrejci.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tomaskrejci.com/privkey.pem;
+
+ # setup our access and error logs
+ access_log /var/log/nginx/tomaskrejci.com.access.log;
+ error_log /var/log/nginx/tomaskrejci.com.error.log;
+
+ # add expires headers for static content
+ expires $expires;
+
+ # proxy all of our traffic to Ghost
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header HOST $http_host;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://127.0.0.1:2368;
+ proxy_redirect off;
+ }
+
+ # allow Let's Encrypt checks on .well-known without proxying
+ location ~ /.well-known {
+ allow all;
+ }
+}
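Review bot: The final `server` block loads the Let's Encrypt certificate and key but sets no `ssl_protocols`, no cipher preference and no `Strict-Transport-Security` header, so the accepted TLS versions are whatever this nginx build defaults to (older releases still enable TLSv1.0/1.1) and browsers are never told to stop following the port-80 redirect. The catch-all block's `root /user/share/nginx/html;` looks like a typo for `root /usr/share/nginx/html;`, which would leave the default server pointing at a directory that presumably does not exist. In the 443 block the `.well-known` location sets `allow all;` (a no-op with no deny rules) but no `root`, unlike the port-80 block that serves it from `/var/www/ghost/`, so challenge files would presumably not be found there; the unanchored `~ /.well-known` pattern also matches that substring anywhere in the URI, and `~ ^/\.well-known/` is tighter. The proxied location forwards `X-Real-IP` but not `X-Forwarded-For`, which most log and rate-limit tooling behind a proxy reads for the client address.
```nginx
server {
    # … unchanged: listen / server_name / ssl_certificate lines …

    # pin the TLS policy rather than inheriting the build default
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # max-age below is illustrative; pick a value that matches the site's rollout plan
    add_header Strict-Transport-Security "max-age=31536000" always;

    # … unchanged: access_log / error_log / expires …

    location / {
        # … unchanged: X-Real-IP, HOST, X-NginX-Proxy, X-Forwarded-Proto …
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # … unchanged: proxy_pass / proxy_redirect …
    }

    # serve challenges from the same root the port-80 block uses
    location ~ ^/\.well-known/ {
        root /var/www/ghost/;
    }
}
```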