ivandimitrov8080/configuration.nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nginx config

Browse Source
This commit is contained in:
Ivan Dimitrov 2023-09-15 20:44:25 +03:00
parent b52ae6a859
commit c58488dab6
1 changed files with 47 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
sys/mailserver/mailserver.nix
View File

@ -17,17 +17,54 @@
services = { services = {
nginx = { nginx = {
virtualHosts = { # Use recommended settings
"idimitrov.dev" = { recommendedGzipSettings = true;
addSSL = true; recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
# Add any further config to match your needs, e.g.:
virtualHosts =
let
base = locations: {
inherit locations;
forceSSL = true;
enableACME = true; enableACME = true;
locations = {
"/" = {
proxyPass = "http://localhost:3000/"; # Pointing to Next.js app
proxyWebsockets = true;
};
}; };
proxy = port: base {
"/".proxyPass = "http://127.0.0.1:" + toString (port) + "/";
}; };
in
{
"idimitrov.dev" = proxy 3000 // { default = true; };
}; };
}; };
}; };