#86 SSL Stapling + HTTP/2
This commit is contained in:
parent
32e65bc0f9
commit
e9fa00522b
2 changed files with 28 additions and 25 deletions
|
@ -1,40 +1,40 @@
|
||||||
# Configuration autoconfig.a-lec.org
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
server_name autoconfig.a-lec.org;
|
||||||
|
|
||||||
|
listen 444 ssl http2 proxy_protocol;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
|
||||||
set_real_ip_from 192.169.0.1;
|
set_real_ip_from 192.169.0.1;
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
|
|
||||||
ssi on;
|
ssi on;
|
||||||
ssi_last_modified on;
|
ssi_last_modified on;
|
||||||
|
|
||||||
listen 444 ssl proxy_protocol;
|
# IMPORTANT : PAS de redirection vers HTTPS
|
||||||
listen [::]:443 ssl;
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
|
|
||||||
# Important : PAS de HSTS ni redirection HTTPS
|
|
||||||
# Thunderbird fait une requête en clair (HTTP)
|
# Thunderbird fait une requête en clair (HTTP)
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot
|
ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot
|
||||||
ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot
|
ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot
|
||||||
|
|
||||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
|
||||||
# Add index.php to the list if you are using PHP
|
|
||||||
root /var/www/html/autoconfig;
|
root /var/www/html/autoconfig;
|
||||||
server_name autoconfig.a-lec.org;
|
|
||||||
|
|
||||||
|
# On indique HSTS si ca pouvait pousser quelques êtres à utiliser HTTPS...
|
||||||
|
# car on sert du HTTPS aussi
|
||||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||||
|
|
||||||
# Section dédiée mail, si un jour on souhaite délocaliser de cette VM
|
# Section dédiée mail, si un jour on souhaite partager autoconfig avec
|
||||||
# le sous-domaine autoconfig et garder uniquement /mail
|
# d'autres VM et garder uniquement le path /mail
|
||||||
location /mail/ {
|
location /mail/ {
|
||||||
alias /var/www/html/autoconfig/mail/;
|
alias /var/www/html/autoconfig/mail/;
|
||||||
|
|
||||||
location ~* ^/mail/config-v1\.1\.xml(\?.*)$ {
|
# location ~* ^/mail/([a-zA-Z\-\.]+\.xml)(\?.*)?$ {
|
||||||
try_files /var/www/html/autoconfig/mail/config-v1.1.xml =404;
|
# try_files /var/www/html/autoconfig/mail/\1 =404;
|
||||||
}
|
# }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
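Review bot: `ssl_stapling_verify on;` is enabled on the new side without a visible `ssl_trusted_certificate` or `resolver`; nginx needs the issuer chain configured as trusted to verify the stapled OCSP response and a resolver to reach the responder, and when either is missing it typically logs a warning and serves no staple rather than refusing to start, so the change can silently do nothing. If neither is provided by the included options-ssl-nginx.conf or the enclosing http block (not visible here), add `ssl_trusted_certificate /etc/letsencrypt/live/mail.a-lec.org/chain.pem;` next to the stapling directives and check `nginx -t` and the error log for stapling warnings. The same applies to the mail.a-lec.org section below, which adds the identical two directives. Separately, `set_real_ip_from 192.169.0.1;` in this file differs from `192.168.0.1` in the second file; if that is a typo, PROXY-protocol source addresses from the real front proxy are never substituted and logs and any per-client limits see the proxy address instead.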
@ -1,8 +1,9 @@
|
||||||
server {
|
server {
|
||||||
server_name mail.a-lec.org;
|
server_name mail.a-lec.org;
|
||||||
|
|
||||||
listen 444 ssl proxy_protocol;
|
listen 444 ssl http2 proxy_protocol;
|
||||||
listen [::]:443 ssl;
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
set_real_ip_from 192.168.0.1;
|
set_real_ip_from 192.168.0.1;
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
|
|
||||||
|
@ -10,12 +11,13 @@ server {
|
||||||
ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot
|
ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot
|
||||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
client_max_body_size 100M;
|
|
||||||
|
|
||||||
root /var/www/html/roundcube;
|
root /var/www/html/roundcube;
|
||||||
|
|
||||||
|
client_max_body_size 100M;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||||
|
|
||||||
index index.html index.htm index.php;
|
index index.html index.htm index.php;
|
||||||
|
@ -24,7 +26,7 @@ server {
|
||||||
try_files $uri $uri/ /index.php?q=$uri&$args;
|
try_files $uri $uri/ /index.php?q=$uri&$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
# pass PHP scripts to FastCGI server
|
# pass PHP scripts to FastCGI server
|
||||||
location ~ \.php$ {
|
location ~ \.php$ {
|
||||||
include snippets/fastcgi-php.conf;
|
include snippets/fastcgi-php.conf;
|
||||||
# # With php-fpm (or other unix sockets):
|
# # With php-fpm (or other unix sockets):
|
||||||
|
@ -43,11 +45,12 @@ server {
|
||||||
server {
|
server {
|
||||||
server_name mail.a-lec.org;
|
server_name mail.a-lec.org;
|
||||||
|
|
||||||
listen 80 proxy_protocol;
|
listen 80 ;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
|
||||||
set_real_ip_from 192.168.0.1;
|
set_real_ip_from 192.168.0.1;
|
||||||
real_ip_header proxy_protocol;
|
|
||||||
|
root /var/www/html/roundcube;
|
||||||
|
|
||||||
return 302 https://mail.a-lec.org$request_uri;
|
return 302 https://mail.a-lec.org$request_uri;
|
||||||
}
|
}
|
||||||
|
|
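Review bot: In the port-80 redirect block of the last hunk, `proxy_protocol` is dropped from `listen 80 ;` and `real_ip_header proxy_protocol;` is removed, but `set_real_ip_from 192.168.0.1;` is kept; with no `real_ip_header` nginx falls back to its default `X-Real-IP`, so that line now trusts an `X-Real-IP` header from 192.168.0.1 instead of the PROXY header, which is probably not intended. The added `root /var/www/html/roundcube;` is also unused, since the block only does `return 302 ...`. Either drop both lines, or, if the front proxy still speaks PROXY protocol on port 80, keep `listen 80 proxy_protocol;` together with `real_ip_header proxy_protocol;` — a connection that does not send the PROXY header to a `proxy_protocol` listener is rejected with a 400, so the listen change has to match what 192.168.0.1 actually sends. The stray space in `listen 80 ;` can go at the same time.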