pibby
July 31, 2018, 6:41pm
1
My domain is: pibby.com
I ran this command: ./letsencrypt-auto
It produced this output: No issues
My web server is (include version): nginx version: nginx/1.15.2
The operating system my web server runs on is (include version): Ubuntu 14.04.5 LTS
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
Nginx Config:

server { ## listen for ipv4; this line is default and implied
    root /var/www/pibby.com/_site;
    index index.html;
    # Make site accessible from http://localhost/
    server_name pibby.com www.pibby.com;
    access_log /var/log/nginx/access.pibby.com.log;
    error_log /var/log/nginx/error.pibby.com.log;

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    # Redirect non-https traffic to https
    # if ($scheme != "https") {
    #     return 301 https://$host$request_uri;
    # } # managed by Certbot
}

server {
    if ($host = www.pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name pibby.com www.pibby.com;
    return 404; # managed by Certbot
}
This same config is working fine for another of my domains (pib.by), but I get too many redirects for pibby.com.
https://www.pibby.com/ redirects to https://pibby.com/ but I don’t see that in your nginx configuration - is that configured elsewhere? (I’m wondering if whatever does that redirect might be misconfigured)
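A quick way to answer the question above (where does that www -> non-www hop come from, and which hop repeats?) is to walk the redirect chain by hand instead of letting the browser follow it. The script below is an added example written for this thread, not code from any of the posts: head() sends one HEAD request and does not follow redirects, so every 3xx and its Location header is visible, and trace() reports a loop as soon as a URL is requested a second time, which is exactly what the browser shows as "too many redirects". The FAKE_RESPONSES table is constructed to reproduce the symptom described in the thread; it is not captured output from the real sites.

```python
"""Walk a redirect chain one hop at a time and say where it loops.

Added example for this thread; it is not code from the posts above. Only the
standard library is used. head() sends a single HEAD request and does NOT
follow the redirect, so every 3xx hop and its Location header is visible;
trace() accepts any fetch function, which lets the same logic run offline
against a constructed chain.
"""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def head(url, timeout=10):
    """Return (status, location) for one request without following it."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)  # SNI = hostname
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"Host": parts.netloc,
                                            "User-Agent": "redirect-trace/1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace(url, fetch=head, max_hops=10):
    """Follow redirects by hand.

    Returns (hops, verdict): hops is a list of (url, status, location) and
    verdict is "ok", "loop", "too_many" or "error". A URL requested a second
    time is a loop, which is what the browser reports as too many redirects.
    """
    hops, seen = [], set()
    for _ in range(max_hops):
        if url in seen:
            return hops, "loop"
        seen.add(url)
        try:
            status, location = fetch(url)
        except OSError as exc:           # DNS failure, refused, TLS error, timeout
            hops.append((url, None, str(exc)))
            return hops, "error"
        hops.append((url, status, location))
        if status not in REDIRECT_STATUSES or not location:
            return hops, "ok"
        url = urljoin(url, location)     # Location may be relative
    return hops, "too_many"


def format_trace(hops, verdict):
    lines = [f"{i}: {u} -> {s} {loc or ''}".rstrip()
             for i, (u, s, loc) in enumerate(hops)]
    return "\n".join(lines + [f"verdict: {verdict}"])


# Constructed responses (not captured from the real sites) that reproduce the
# symptom in the thread: port 80 sends you to https, and the https server
# then sends you to the very same URL again.
FAKE_RESPONSES = {
    "http://pibby.com/": (301, "https://pibby.com/"),
    "https://pibby.com/": (301, "https://pibby.com/"),
    "https://www.pibby.com/": (301, "https://pibby.com/"),
    "http://pib.by/": (301, "https://pib.by/"),
    "https://pib.by/": (200, None),
}


def fake_head(url):
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # live: python3 trace.py https://pibby.com/
        print(format_trace(*trace(sys.argv[1])))
    else:                                # offline demo against the constructed chain
        for start in ("http://pib.by/", "http://pibby.com/"):
            print(format_trace(*trace(start, fake_head)), "\n")
```

Run it once per starting point (http://pibby.com/, https://pibby.com/, https://www.pibby.com/) and compare with the same trace for pib.by. The hop that repeats is the one to look at: if https://pibby.com/ itself answers 301 to the same URL, the port-80 server block is not the culprit, because the if ($scheme != "https") guard in the 443 block never fires on a connection nginx treats as TLS, so the redirect is coming either from that 443 block under a non-TLS listener or from something in front of nginx. To talk to nginx on a specific IP regardless of DNS or a CDN, curl -sI with --resolve pibby.com:443:<ip> gives the same one-hop view.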
pibby
July 31, 2018, 6:51pm
3
I don’t have it anywhere else; the config I posted is the entire config that I have. I would like www.pibby.com to redirect to pibby.com.
Can you try nginx -T to dump the full configuration? Maybe something in one of your other server blocks is interfering.
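Reading a long nginx -T dump for "another server block that interferes" is easier with a small script. The one below is an added example written for this thread, not code from the posts or from nginx: it parses the brace/semicolon syntax just far enough to list every server block, then flags the three things that commonly produce this symptom: a server_name declared twice on the same port (nginx keeps the first block and logs "conflicting server name ... ignored"), "ssl on" on a block whose listen lacks the ssl parameter (the ssl directive is deprecated since nginx 1.15.0, and whether a port is TLS is decided by the listen directives of all servers sharing it), and a return 301 https://$host... in a TLS server that is not guarded by an if ($scheme ...) test, which sends the client straight back to itself. SAMPLE is a constructed config in the shape of the dump, with a deliberately looping block and a duplicate added; the assumption that no quoted value contains a # holds for the dump posted here.

```python
"""Lint an `nginx -T` dump for redirect loops and TLS-listener mix-ups."""
import re
from collections import defaultdict

# Tokens: double/single-quoted strings, the three structural characters,
# or any run of other non-space characters.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    # '#' opens a comment to end of line. Assumes no '#' inside quoted values
    # (true for the dump in this thread).
    return TOKEN.findall("\n".join(l.split("#", 1)[0] for l in text.splitlines()))


def parse(tokens):
    """Build a tree of (name, args, children); children is None for 'name args;'."""
    def block(i):
        items = []
        while i < len(tokens) and tokens[i] != "}":
            args = []
            while tokens[i] not in ("{", ";"):
                args.append(tokens[i])
                i += 1
            if tokens[i] == "{":
                children, i = block(i + 1)
                items.append((args[0], args[1:], children))
            else:
                items.append((args[0], args[1:], None))
                i += 1
        return items, i + 1          # skip the closing brace
    return block(0)[0]


def servers(tree):
    """Yield the body of every server block, however deeply nested."""
    for name, _, children in tree:
        if name == "server":
            yield children
        elif children:
            yield from servers(children)


def redirects(items, guarded=False):
    """Yield (target, guarded) for each 'return 30x target', descending into
    if/location blocks; guarded means an enclosing if() tests $scheme."""
    for name, args, children in items:
        if name == "return" and len(args) >= 2 and args[0].startswith("30"):
            yield args[1], guarded
        elif children is not None:
            yield from redirects(children, guarded or (name == "if" and "$scheme" in args[0]))


def audit(text):
    """Return human-readable findings for a config dump."""
    findings, owners = [], defaultdict(list)
    for n, srv in enumerate(servers(parse(tokenize(text))), 1):
        listens = [a for name, a, _ in srv if name == "listen"]
        names = [x for name, a, _ in srv if name == "server_name" for x in a]
        label = f"server {n} ({' '.join(names)})"
        tls = any("ssl" in a for a in listens)
        ssl_on = any(name == "ssl" and a == ["on"] for name, a, _ in srv)
        for port in {a[0].rsplit(":", 1)[-1] for a in listens}:   # '[::]:443' -> '443'
            for nm in names:
                owners[(nm, port)].append(n)
        if ssl_on and not tls:
            findings.append(f"{label}: 'ssl on' without 'listen ... ssl'; the ssl "
                            "directive is deprecated since 1.15.0, put ssl on listen")
        for target, guarded in redirects(srv):
            if (tls or ssl_on) and not guarded and target.startswith("https://$host"):
                findings.append(f"{label}: unguarded 'return 301 {target}' on a TLS "
                                "listener redirects to itself (loop)")
    for (nm, port), blocks in owners.items():
        if len(blocks) > 1:
            findings.append(f"{nm}:{port} is declared in servers {blocks}; nginx keeps "
                            "the first and logs 'conflicting server name'")
    return findings


# Constructed sample in the shape of the dump in this thread (not the real
# files): a Certbot pair for pibby.com, an 'ssl on' block, a looping block,
# and a second port-80 block that re-declares pibby.com.
SAMPLE = """
server { ## listen for ipv4
    server_name pibby.com www.pibby.com;
    listen 443 ssl http2; # managed by Certbot
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}
server {
    if ($host = pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name pibby.com www.pibby.com;
    return 404; # managed by Certbot
}
server { listen 443 http2; server_name git.pib.by; ssl on; }
server { listen 443 ssl; server_name loop.example; return 301 https://$host$request_uri; }
server { listen 80; server_name pibby.com; }
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(audit(text)) or "no findings")
```

Usage on the real box: nginx -T > dump.txt, then python3 nginx_audit.py dump.txt (nginx -T writes the configuration to stdout and the syntax-check messages to stderr). The $scheme-guarded Certbot redirect is intentionally not reported: on a listener nginx treats as TLS it is dead code, and it only becomes a loop when the port loses its ssl parameter, which is what the "ssl on" finding is there to catch.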
First, I would test: for each 301 redirect, add a # to deactivate that command. Three redirects -> three deactivated rows:
# return 301 https://$host$request_uri;
If there is another domain with exactly the same configuration, that should have no effect -> again a loop.
If there is again a loop: are there other rewrite rules? Or is there a content management system?
If there is no loop, remove one of the #.
rg305
July 31, 2018, 7:37pm
6
Do you also have a redirect in an .htaccess file?
@rg305, OP is using nginx.
pibby
July 31, 2018, 8:11pm
8
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
pibby
July 31, 2018, 8:21pm
9
This is the full output of nginx -T:
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 15;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
#ssl_buffer_size 8k;
#ssl_session_tickets on;
##
# Logging Settings
##
#access_log /var/log/nginx/access.log;
access_log off;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 3;
gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
# Compress all output labeled with one of the following MIME-types.
gzip_types
application/atom+xml
application/javascript
application/x-javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
pibby
July 31, 2018, 8:22pm
10
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/default.conf:
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/log/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# configuration file /etc/nginx/sites-enabled/a.pibby.com:
# You may add here your
# server {
# ...
# }
# statements for each of your virtual hosts to this file
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server {
root /var/www/a.pibby.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name a.pibby.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
#location /RequestDenied {
# proxy_pass http://127.0.0.1:8080;
#}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root /usr/share/nginx/html;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
# fastcgi_pass unix:/var/run/php5-fpm.sock;
# fastcgi_index index.php;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# root html;
# index index.html index.htm;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
# HTTPS server
#
#server {
# listen 443;
# server_name localhost;
#
# root html;
# index index.html index.htm;
#
# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
#
# ssl_session_timeout 5m;
#
# ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
# ssl_prefer_server_ciphers on;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
if ($host = a.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name a.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
# configuration file /etc/nginx/sites-enabled/bio.pibby.com:
server { ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6
root /var/www/bio.pibby.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name bio.pibby.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.html
try_files $uri $uri/ /index.html;
}
location ~* \.html$ {
expires -1;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# Some basic cache-control for static files to be sent to the browser
expires 7d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
if ($host = bio.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name bio.pibby.com;
return 404; # managed by Certbot
}
pibby
July 31, 2018, 8:23pm
11
# configuration file /etc/nginx/sites-enabled/dev.pibby.com:
server {
server_name dev.pibby.com;
return 301 $scheme://pibby.com$request_uri;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
if ($host = dev.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name dev.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/fanfic.weallfalter.com:
server {
listen 80; ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6
root /var/www/fanfic.weallfalter.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name fanfic.weallfalter.com;
location / {
proxy_pass http://localhost:9090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# Some basic cache-control for static files to be sent to the browser
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# Specify a charset
charset utf-8;
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
access_log /var/log/nginx/access.fanfic.weallfalter.com.log;
error_log /var/log/nginx/error.fanfic.weallfalter.com.log;
}
# configuration file /etc/nginx/sites-enabled/frontenddit.weallfalter.com:
server {
listen 80; ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6
root /var/www/frontenddit.weallfalter.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name frontenddit.weallfalter.com;
location / {
proxy_pass http://localhost:9292;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# Some basic cache-control for static files to be sent to the browser
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# Specify a charset
charset utf-8;
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
access_log /var/log/nginx/access.frontenddit.weallfalter.com.log;
error_log /var/log/nginx/error.frontenddit.weallfalter.com.log;
}
# configuration file /etc/nginx/sites-enabled/git.pib.by:
server {
if ($host = git.pib.by) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
# listen on the www host
server_name git.pib.by;
rewrite ^/(.*) https://git.pib.by/$1 permanent;
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
listen 443 http2;
#listen 443 ssl http2;
#listen [::]:80 default_server ipv6only=on;
root /var/www/git.pib.by/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
#server_name 172.245.57.115;
server_name git.pib.by;
ssl on;
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
#ssl_session_tickets off;
# openssl dhparam -out dhparam.pem 2048
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
#ssl_trusted_certificate /etc/letsencrypt/live/git.pib.by/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.html
try_files $uri $uri/ /index.html;
}
charset utf-8;
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
location ~* \.html$ {
expires -1;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpg|jpeg|png|woff|ttf|svg|eot|mp4)$ {
# Some basic cache-control for static files to be sent to the browser
expires 1M;
add_header Cache-Control public;
add_header Vary Accept-Encoding;
}
}
# configuration file /etc/nginx/sites-enabled/git.pibby.com:
server { ## listen for ipv4; this line is default and implied
root /var/www/git.pibby.com/public_html;
index index.html;
# Make site accessible from http://localhost/
server_name git.pibby.com;
access_log /var/log/nginx/access.git.pibby.com.log;
error_log /var/log/nginx/error.git.pibby.com.log;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
if ($host = git.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name git.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/git.weallfalter.com:
server {
listen 80;
# listen on the www host
server_name git.weallfalter.com;
# and redirect to the non-www host (declared below)
# return 301 $scheme://weallfalter.com$request_uri;
location / {
rewrite ^(.*)$ https://git.weallfalter.com$1 permanent;
}
}
server {
listen 443 http2; ## listen for ipv4; this line is default and implied
#listen 443 ssl http2; ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6
root /var/www/git.weallfalter.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name git.weallfalter.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/git.weallfalter.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.weallfalter.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
#ssl_dhparam /etc/nginx/ssl/dhparams.pem;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.html
try_files $uri $uri/ /index.html;
}
location ~* \.html$ {
expires -1;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# Some basic cache-control for static files to be sent to the browser
expires 7d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# Specify a charset
charset utf-8;
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# configuration file /etc/nginx/sites-enabled/katieharron.com:
server { ## listen for ipv4; this line is default and implied
root /var/www/katieharron.com/public_html;
index index.html;
# Make site accessible from http://localhost/
server_name katieharron.com www.katieharron.com;
access_log /var/log/nginx/access.katieharron.com.log;
error_log /var/log/nginx/error.katieharron.com.log;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
if ($host = www.katieharron.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = katieharron.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name katieharron.com www.katieharron.com;
return 404; # managed by Certbot
}
pibby
July 31, 2018, 8:24pm
12
# configuration file /etc/nginx/sites-enabled/milton.pibby.com:
server { ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6
root /var/www/milton.pibby.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name milton.pibby.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.html
try_files $uri $uri/ /index.html;
}
location ~* \.html$ {
expires -1;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# Some basic cache-control for static files to be sent to the browser
expires 7d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
if ($host = milton.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name milton.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/pib.by:
server { ## listen for ipv4; this line is default and implied
root /var/www/pib.by/public_html;
index index.html;
# Make site accessible from http://localhost/
server_name pib.by www.pib.by;
access_log /var/log/nginx/access.pib.by.log;
error_log /var/log/nginx/error.pib.by.log;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
if ($host = www.pib.by) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = pib.by) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name pib.by www.pib.by;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/pibby.com:
server { ## listen for ipv4; this line is default and implied
root /var/www/pibby.com/_site;
index index.html;
# Make site accessible from http://localhost/
server_name pibby.com www.pibby.com;
access_log /var/log/nginx/access.pibby.com.log;
error_log /var/log/nginx/error.pibby.com.log;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
if ($host = www.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name pibby.com www.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/tea.pib.by:
server {
if ($host = tea.pib.by) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
# listen on the www host
server_name tea.pib.by;
# and redirect to the non-www host (declared below)
# return 301 $scheme://twt.pib.by$request_uri;
location / {
return 301 https://$host$request_uri;
}
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
#listen 80;
listen 443 http2;
#listen 443 ssl http2;
root /var/www/tea.pib.by/public_html;
index index.html index.htm;
server_name tea.pib.by;
ssl on;
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
ssl_session_timeout 1d;
#ssl_session_cache shared:SSL:10m;
#ssl_session_tickets off;
# openssl dhparam -out dhparam.pem 2048
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
ssl_trusted_certificate /etc/letsencrypt/live/weallfalter.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;
location / {
proxy_pass http://localhost:9696;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
charset utf-8;
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
location ~* \.html$ {
expires -1;
}
client_max_body_size 10M; # Allow files up to 10MB
}
# configuration file /etc/nginx/sites-enabled/test.pibby.com:
server { ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6
root /var/www/test.pibby.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name test.pibby.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.html
try_files $uri $uri/ /index.html;
}
location ~* \.html$ {
expires -1;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# Some basic cache-control for static files to be sent to the browser
expires 7d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
access_log /var/log/nginx/access.test.pibby.com.log;
error_log /var/log/nginx/error.test.pibby.com.log;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
if ($host = test.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name test.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/twt.pib.by:
server {
if ($host = twt.pib.by) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
# listen on the www host
server_name twt.pib.by;
# and redirect to the non-www host (declared below)
# return 301 $scheme://twt.pib.by$request_uri;
location / {
return 301 https://$host$request_uri;
}
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
#listen 80;
listen 443 http2;
root /var/www/twt.pib.by/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
#server_name 172.245.57.115;
server_name twt.pib.by;
ssl on;
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
ssl_session_timeout 1d;
#ssl_session_cache shared:SSL:10m;
#ssl_session_tickets off;
# openssl dhparam -out dhparam.pem 2048
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
ssl_trusted_certificate /etc/letsencrypt/live/weallfalter.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;
location / {
proxy_pass http://localhost:9494;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
charset utf-8;
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
location ~* \.html$ {
expires -1;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpg|jpeg|png|woff|ttf|svg|eot|mp4)$ {
# Some basic cache-control for static files to be sent to the browser
expires 1M;
add_header Cache-Control public;
add_header Vary Accept-Encoding;
}
}
# configuration file /etc/nginx/sites-enabled/weallfalter.com:
server {
listen 80;
# listen on the www host
server_name weallfalter.com www.weallfalter.com;
# and redirect to the non-www host (declared below)
# return 301 $scheme://weallfalter.com$request_uri;
location / {
rewrite ^(.*)$ https://weallfalter.com$1 permanent;
}
}
server {
listen 443 http2; ## listen for ipv4; this line is default and implied
#listen 443 ssl http2; ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6
root /var/www/weallfalter.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name weallfalter.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/weallfalter.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/weallfalter.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
#ssl_dhparam /etc/nginx/ssl/dhparams.pem;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.html
try_files $uri $uri/ /index.html;
}
location ~* \.html$ {
expires -1;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# Some basic cache-control for static files to be sent to the browser
expires 30d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
# Specify a charset
charset utf-8;
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
access_log /var/log/nginx/access.weallfalter.com.log;
error_log /var/log/nginx/error.weallfalter.com.log;
}
# configuration file /etc/nginx/sites-enabled/work.pibby.com:
server { ## listen for ipv4; this line is default and implied
root /var/www/work.pibby.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name work.pibby.com;
location / {
proxy_pass http://localhost:4000;
#auth_basic "Restricted";
#auth_basic_user_file /etc/nginx/.htpasswd;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
if ($host = work.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name work.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 15;
types_hash_max_size 2048;
server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
#ssl_buffer_size 8k;
#ssl_session_tickets on;
##
# Logging Settings
##
#access_log /var/log/nginx/access.log;
access_log off;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 3;
gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
# Compress all output labeled with one of the following MIME-types.
gzip_types
application/atom+xml
application/javascript
application/x-javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component;
##
# nginx-naxsi config
##
# Uncomment it if you installed nginx-naxsi
##
#include /etc/nginx/naxsi_core.rules;
##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##
#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
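The dump above shows three things a reviewer would want to check mechanically across all of the vhosts: port-443 servers that still rely on the deprecated `ssl on;` instead of the `ssl` listen parameter (deprecated since nginx 1.15.0, which is the release line in use here), `ssl_certificate` paths whose Let's Encrypt lineage directory (`/etc/letsencrypt/live/tea.pib.by/`) differs from the server's own `server_name`, and `ssl_protocols` lines that still enable TLSv1/TLSv1.1, including the ones pulled in through `include /etc/letsencrypt/options-ssl-nginx.conf`. The following script is an added example, not the poster's configuration or Certbot's own tooling: it parses `nginx -T` style output and reports those findings per server. The embedded dump is a constructed sample modelled on the thread's config; the checks are heuristics (a lineage directory name says nothing about which SANs the certificate actually carries, so that finding is worded as "confirm", not "wrong"), and `include` is resolved only for paths that appear verbatim in the same dump.

```python
"""Static audit of an `nginx -T` dump for the TLS pitfalls seen in the thread.

Added example with a constructed sample dump; illustrative checks, not nginx's
or Certbot's own validation. Feed a real dump on stdin: nginx -T | python3 audit.py
"""
import re
import sys
from dataclasses import dataclass, field

FILE_HDR = re.compile(r"^# configuration file (\S+):$")
LINEAGE = re.compile(r"/etc/letsencrypt/live/([^/]+)/")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample, shaped like the `nginx -T` output posted above.
SAMPLE_DUMP = """\
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# configuration file /etc/nginx/sites-enabled/pibby.com:
server { ## listen for ipv4; this line is default and implied
    root /var/www/pibby.com/_site;
    server_name pibby.com www.pibby.com;
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}
server {
    if ($host = pibby.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name pibby.com www.pibby.com;
    return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/tea.pib.by:
server {
    listen 443 http2;
    server_name tea.pib.by;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2;
}
"""


@dataclass
class Server:
    source: str                       # file the server block came from
    names: list = field(default_factory=list)
    listens: list = field(default_factory=list)
    directives: list = field(default_factory=list)   # (name, args), order kept


def split_files(dump):
    """Group dump lines under their '# configuration file X:' header."""
    files, current = {}, None
    for raw in dump.splitlines():
        m = FILE_HDR.match(raw.strip())
        if m:
            current = files.setdefault(m.group(1), [])
        elif current is not None:
            current.append(raw)
    return files


def clean(raw):
    """Drop comments (e.g. trailing '# managed by Certbot') and whitespace."""
    return raw.split("#", 1)[0].strip()


def simple_directives(lines):
    """Yield (name, args) for single-line directives; blocks are ignored."""
    for raw in lines:
        line = clean(raw)
        if line.endswith(";"):
            name, _, args = line[:-1].partition(" ")
            yield name, args.strip()


def parse_servers(files):
    """Collect every `server { ... }` block, resolving includes found in the dump."""
    servers = []
    for path, lines in files.items():
        current, depth, start = None, 0, 0
        for raw in lines:
            line = clean(raw)
            if not line:
                continue
            if current is None and re.match(r"^server\s*\{$", line):
                current, start = Server(source=path), depth
            if current is not None and line.endswith(";"):
                name, _, args = line[:-1].partition(" ")
                args = args.strip()
                if name == "listen":
                    current.listens.append(args)
                elif name == "server_name":
                    current.names.extend(args.split())
                elif name == "include" and args in files:
                    current.directives.extend(simple_directives(files[args]))
                else:
                    current.directives.append((name, args))
            depth += line.count("{") - line.count("}")
            if current is not None and line.endswith("}") and depth == start:
                servers.append(current)
                current = None
    return servers


def audit(servers):
    """Return (source, server_names, finding) tuples for each suspicious server."""
    findings = []
    for s in servers:
        names = " ".join(s.names) or "(no server_name)"
        tls = any("ssl" in l.split() for l in s.listens)
        port443 = any(l.split()[0].rsplit(":", 1)[-1] == "443" for l in s.listens)
        if port443 and not tls:
            msg = "listen 443 lacks the ssl parameter"
            if ("ssl", "on") in s.directives:
                msg += " (TLS only via 'ssl on', deprecated since nginx 1.15.0)"
            findings.append((s.source, names, msg))
        for name, args in s.directives:
            if name == "ssl_certificate":
                m = LINEAGE.search(args)
                if m and m.group(1) not in s.names:
                    findings.append((s.source, names,
                                     f"certificate lineage '{m.group(1)}' differs from "
                                     "server_name; confirm its SANs cover these names"))
            elif name == "ssl_protocols":
                weak = sorted(set(args.split()) & LEGACY)
                if weak:
                    findings.append((s.source, names,
                                     "legacy protocols enabled: " + " ".join(weak)))
    return findings


if __name__ == "__main__":
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for source, names, msg in audit(parse_servers(split_files(dump))):
        print(f"{source} [{names}]: {msg}")
```

Run against the sample it reports the lineage mismatch and the TLSv1/TLSv1.1 inheritance for the `pibby.com` 443 server, and the `ssl on`-only listener plus TLSv1.1 for `tea.pib.by`; the port-80 redirect server produces nothing. Because `nginx -T` prints included files in full, the same `include` resolution works on a live dump, which is how the `options-ssl-nginx.conf` protocol list gets attributed to every Certbot-managed vhost that pulls it in.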
pibby
July 31, 2018, 8:25pm
13
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
font/woff woff;
font/woff2 woff2;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/default.conf:
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log /var/log/nginx/log/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# configuration file /etc/nginx/sites-enabled/a.pibby.com:
# You may add here your
# server {
# ...
# }
# statements for each of your virtual hosts to this file
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server {
root /var/www/a.pibby.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name a.pibby.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
#location /RequestDenied {
# proxy_pass http://127.0.0.1:8080;
#}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root /usr/share/nginx/html;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
# fastcgi_pass unix:/var/run/php5-fpm.sock;
# fastcgi_index index.php;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# root html;
# index index.html index.htm;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
# HTTPS server
#
#server {
# listen 443;
# server_name localhost;
#
# root html;
# index index.html index.htm;
#
# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
#
# ssl_session_timeout 5m;
#
# ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
# ssl_prefer_server_ciphers on;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
if ($host = a.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name a.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
# configuration file /etc/nginx/sites-enabled/bio.pibby.com:
server { ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6
root /var/www/bio.pibby.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name bio.pibby.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.html
try_files $uri $uri/ /index.html;
}
location ~* \.html$ {
expires -1;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# Some basic cache-control for static files to be sent to the browser
expires 7d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
if ($host = bio.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name bio.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/dev.pibby.com:
server {
server_name dev.pibby.com;
return 301 $scheme://pibby.com$request_uri;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
if ($host = dev.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name dev.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/git.pibby.com:
server { ## listen for ipv4; this line is default and implied
root /var/www/git.pibby.com/public_html;
index index.html;
# Make site accessible from http://localhost/
server_name git.pibby.com;
access_log /var/log/nginx/access.git.pibby.com.log;
error_log /var/log/nginx/error.git.pibby.com.log;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
if ($host = git.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name git.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/katieharron.com:
server { ## listen for ipv4; this line is default and implied
root /var/www/katieharron.com/public_html;
index index.html;
# Make site accessible from http://localhost/
server_name katieharron.com www.katieharron.com;
access_log /var/log/nginx/access.katieharron.com.log;
error_log /var/log/nginx/error.katieharron.com.log;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
if ($host = www.katieharron.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = katieharron.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name katieharron.com www.katieharron.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/milton.pibby.com:
server { ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6
root /var/www/milton.pibby.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name milton.pibby.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.html
try_files $uri $uri/ /index.html;
}
location ~* \.html$ {
expires -1;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# Some basic cache-control for static files to be sent to the browser
expires 7d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
if ($host = milton.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name milton.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/pib.by:
server { ## listen for ipv4; this line is default and implied
root /var/www/pib.by/public_html;
index index.html;
# Make site accessible from http://localhost/
server_name pib.by www.pib.by;
access_log /var/log/nginx/access.pib.by.log;
error_log /var/log/nginx/error.pib.by.log;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
if ($host = www.pib.by) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = pib.by) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name pib.by www.pib.by;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/pibby.com:
server { ## listen for ipv4; this line is default and implied
root /var/www/pibby.com/_site;
index index.html;
# Make site accessible from http://localhost/
server_name pibby.com www.pibby.com;
access_log /var/log/nginx/access.pibby.com.log;
error_log /var/log/nginx/error.pibby.com.log;
listen 443 ssl http2; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
if ($host = www.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name pibby.com www.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/tea.pib.by:
server {
if ($host = tea.pib.by) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
# listen on the www host
server_name tea.pib.by;
# and redirect to the non-www host (declared below)
# return 301 $scheme://twt.pib.by$request_uri;
location / {
return 301 https://$host$request_uri;
}
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
#listen 80;
listen 443 ssl http2;
root /var/www/tea.pib.by/public_html;
index index.html index.htm;
server_name tea.pib.by;
#ssl on;
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
ssl_session_timeout 1d;
#ssl_session_cache shared:SSL:10m;
#ssl_session_tickets off;
# openssl dhparam -out dhparam.pem 2048
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
ssl_trusted_certificate /etc/letsencrypt/live/weallfalter.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;
location / {
proxy_pass http://localhost:9696;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
charset utf-8;
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
location ~* \.html$ {
expires -1;
}
client_max_body_size 10M; # Allow files up to 10MB
}
# configuration file /etc/nginx/sites-enabled/test.pibby.com:
server { ## listen for ipv4; this line is default and implied
#listen [::]:80 default ipv6only=on; ## listen for ipv6
root /var/www/test.pibby.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name test.pibby.com;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.html
try_files $uri $uri/ /index.html;
}
location ~* \.html$ {
expires -1;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# Some basic cache-control for static files to be sent to the browser
expires 7d;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
access_log /var/log/nginx/access.test.pibby.com.log;
error_log /var/log/nginx/error.test.pibby.com.log;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
if ($host = test.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name test.pibby.com;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/sites-enabled/twt.pib.by:
server {
if ($host = twt.pib.by) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
# listen on the www host
server_name twt.pib.by;
# and redirect to the non-www host (declared below)
# return 301 $scheme://twt.pib.by$request_uri;
location / {
return 301 https://$host$request_uri;
}
# Redirect non-https traffic to https
# if ($scheme != "https") {
# return 301 https://$host$request_uri;
# } # managed by Certbot
}
server {
#listen 80;
listen 443 http2;
root /var/www/twt.pib.by/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
#server_name 172.245.57.115;
server_name twt.pib.by;
#ssl on;
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
ssl_session_timeout 1d;
#ssl_session_cache shared:SSL:10m;
#ssl_session_tickets off;
# openssl dhparam -out dhparam.pem 2048
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
ssl_trusted_certificate /etc/letsencrypt/live/weallfalter.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=86400;
resolver_timeout 10;
location / {
proxy_pass http://localhost:9494;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
charset utf-8;
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/www;
}
location ~* \.html$ {
expires -1;
}
# This block will catch static file requests, such as images, css, js
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:ico|css|js|gif|jpg|jpeg|png|woff|ttf|svg|eot|mp4)$ {
# Some basic cache-control for static files to be sent to the browser
expires 1M;
add_header Cache-Control public;
add_header Vary Accept-Encoding;
}
}
# configuration file /etc/nginx/sites-enabled/work.pibby.com:
server { ## listen for ipv4; this line is default and implied
root /var/www/work.pibby.com/public_html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name work.pibby.com;
location / {
proxy_pass http://localhost:4000;
#auth_basic "Restricted";
#auth_basic_user_file /etc/nginx/.htpasswd;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/tea.pib.by/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tea.pib.by/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
if ($host = work.pibby.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name work.pibby.com;
return 404; # managed by Certbot
}
That's the only thing I can see that looks like it would redirect to pibby.com specifically, as opposed to whatever $host happens to be. I don't see why that server block would be selected, though. Maybe one of the nginx experts here can chime in with some insight...
pibby:
server_name
I don't use nginx. But there are warnings that the if statement is difficult.
If Is Evil
How nginx "location if" works
There is a sample which looks really bad:
Case 4
location /proxy {
set $a 32;
if ($a = 32) {
return 404;
}
set $a 76;
proxy_pass http://127.0.0.1:$server_port/$a;
more_set_headers "X-Foo: $a";
}
location ~ /(\d+) {
echo $1;
}
Here, ngx_header_more's more_set_headers will also be inherited by the implicit location created by the "if" block. So you will get:
$ curl localhost/proxy
HTTP/1.1 404 Not Found
Server: nginx/0.8.54 (without pool)
Date: Mon, 14 Feb 2011 05:24:00 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
X-Foo: 32
So the return statement doesn't stop the execution -->> add a break after the lines with return 301.
pibby
July 31, 2018, 9:53pm
17
I didn’t add the Ifs, letsencrypt-auto did. Adding a break after the return 301 doesn’t seem to do anything.
rg305
July 31, 2018, 10:59pm
18
There is an "if scheme not https" check inside a "listen 443 ssl" block.
That should never be hit - you should remove it.
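An added check, not from anyone in this thread: a small Python linter that walks an nginx -T style dump and flags the pattern rg305 points out (an if ($scheme != "https") redirect inside a server block whose listen carries ssl), plus a 443 listener that lacks the ssl parameter, which nginx then serves as plain HTTP. The sample config is constructed for the example and is not the poster's real configuration.

```python
import re

# Constructed sample modelled on the thread's nginx -T dump; not the poster's real config.
SAMPLE = """
server {
    listen 443 ssl http2;
    server_name example.test;
    if ($scheme != "https") {            # never true on a TLS listener
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 http2;                    # no "ssl" parameter: plain HTTP on 443
    server_name other.test;
}
"""

def strip_comments(text):
    # Drop '#' comments so commented-out directives (e.g. "#ssl on;") are ignored.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def server_blocks(text):
    # Yield the body of each top-level "server { ... }" block by brace matching,
    # so nested location/if blocks stay inside the server that owns them.
    text, i = strip_comments(text), 0
    while True:
        m = re.search(r"\bserver\s*\{", text[i:])
        if not m:
            return
        start, depth, j = i + m.end(), 1, i + m.end()
        while depth and j < len(text):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield text[start:j - 1]
        i = j

def lint(text):
    # Return (server_name, finding) pairs for the two redirect-related patterns.
    findings = []
    for body in server_blocks(text):
        name = next(iter(re.findall(r"\bserver_name\s+([^\s;]+)", body)), "?")
        listens = [l.split() for l in re.findall(r"\blisten\s+([^;]+);", body)]
        tls = any("ssl" in l for l in listens)
        if tls and re.search(r'if\s*\(\s*\$scheme\s*!=\s*"https"\s*\)', body):
            findings.append((name, "scheme-check-in-tls-block"))
        if any(l[0].endswith("443") and "ssl" not in l for l in listens):
            findings.append((name, "port-443-without-ssl"))
    return findings
```

The brace matching ignores quoting, so a literal "{" inside a quoted directive value would confuse it; for ordinary site configs like the ones pasted above that does not arise.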
Hi @pibby ,
You said you are using nginx/1.15.2 which is the last development version… (if this is a production server you should use the stable version)… anyway, you ran nginx -T and you didn’t receive any error or warning message:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
You are using ssl on; on several server blocks, but the ssl directive is deprecated in nginx version 1.15.x, so you should have several warning messages saying this:
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/sites-enabled/xxxxxx.conf:xxx
So, either you didn’t copy the entire output of nginx -T, or you are not using nginx 1.15.2.
How did you install nginx 1.15.2 on Ubuntu 14.04.5?
I’m really curious about your redirection issues and I tried to reproduce them using the conf you have posted but I can’t reproduce them, it is working fine here. Could you please package the entire nginx directory and upload it somewhere or put it in some of your working domains like milton?
tar zcvf /var/www/milton.pibby.com/public_html/nginx-pibby.tar.gz /etc/nginx/
I’ll check tomorrow, it’s time for bed here.
Cheers,
sahsanu
1 Like
_az
August 1, 2018, 12:21am
20
IME mainline is safe to use in production; it's not like running from trunk/master.