From fd3d8b0057a4089fc5be17d3b4efe5ef668c6291 Mon Sep 17 00:00:00 2001
From: Malanius <malanius@seznam.cz>
Date: Sun, 9 Sep 2018 13:50:54 +0200
Subject: [PATCH] Add nginx configuration for brmkan-test

---
 nginx/brmkan.malanius.net.conf | 57 +++++++++++++++++++++++
 nginx/nginx.conf               | 83 ++++++++++++++++++++++++++++++++++
 2 files changed, 140 insertions(+)
 create mode 100644 nginx/brmkan.malanius.net.conf
 create mode 100644 nginx/nginx.conf

diff --git a/nginx/brmkan.malanius.net.conf b/nginx/brmkan.malanius.net.conf
new file mode 100644
index 0000000..c6ebac8
--- /dev/null
+++ b/nginx/brmkan.malanius.net.conf
@@ -0,0 +1,57 @@
+# this section is needed to proxy web-socket connections
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+# HTTP
+server {
+    if ($host = brmkan.malanius.net) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    #listen 80; # if this is not a default server, remove "default_server"
+    listen [::]:80;
+
+    server_name brmkan.malanius.net;
+
+    # redirect non-SSL to SSL
+    location / {
+        rewrite     ^ https://brmkan.malanius.net$request_uri? permanent;
+    }
+
+
+}
+
+# HTTPS server
+server {
+    listen 443 ssl http2; # we enable HTTP/2 here (previously SPDY)
+    server_name brmkan.malanius.net; # this domain must match Common Name (CN) in the SSL certificate
+    ssl_certificate /etc/letsencrypt/live/brmkan.malanius.net/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/brmkan.malanius.net/privkey.pem; # managed by Certbot
+
+    # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
+    # This works because IE 11 does not present itself as MSIE anymore
+    if ($http_user_agent ~ "MSIE" ) {
+        return 303 https://browser-update.org/update.html;
+    }
+
+    # Pass requests to Wekan.
+    # If you have Wekan at https://example.com/wekan , change location to:
+    # location /wekan {
+     location / {
+         proxy_pass http://127.0.0.1:3000; # has to be same port as wekan service is exposing
+         proxy_http_version 1.1;
+         proxy_set_header Upgrade $http_upgrade; # allow websockets
+         proxy_set_header Connection $connection_upgrade;
+         proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP
+
+        # this setting allows the browser to cache the application in a way compatible with Meteor
+        # on every applicaiton update the name of CSS and JS file is different, so they can be cache infinitely (here: 30 days)
+        # the root path (/) MUST NOT be cached
+        #if ($uri != '/wekan') {
+        #    expires 30d;
+     }
+
+}
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..cdf1850
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,83 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	types_hash_max_size 2048;
+	server_tokens off;
+        set_real_ip_from 0.0.0.0/32; # All addresses get a real IP.
+        real_ip_header X-Forwarded-For;
+        limit_conn_zone $binary_remote_addr zone=arbeit:10m;
+        client_body_timeout 60;
+        client_header_timeout 60;
+        keepalive_timeout 10 10;
+        send_timeout 60;
+        reset_timedout_connection on;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:30m;
+        ssl_session_timeout 1d;
+        ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+SHA384:ECDH+aRSA+SHA256:ECDH:EDH+CAMELLIA:EDH+aRSA:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA;
+        ssl_dhparam /etc/ssl/dh_param.pem;
+        ssl_ecdh_curve secp384r1;
+        ssl_stapling on;
+        ssl_stapling_verify on;
+        add_header X-XSS-Protection '1; mode=block';
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header Strict-Transport-Security 'max-age=31536000';
+        add_header X-Content-Options nosniff;
+        add_header X-Micro-Cache $upstream_cache_status;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+        gzip_buffers 16 8k;
+        gzip_comp_level 1;
+        gzip_http_version 1.1;
+        gzip_min_length 10;
+        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
+        gzip_vary on;
+        gzip_proxied any; # Compression for all requests.
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
\ No newline at end of file