diff --git a/sites-enabled/default b/sites-enabled/default new file mode 100644 index 0000000..1295f08 --- /dev/null +++ b/sites-enabled/default @@ -0,0 +1,120 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + root /dev/null; + + location ~ /\.(?!well-known) { + deny all; + } + + location / { + return 301 https://$host$request_uri; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Referrer-Policy "no-referrer-when-downgrade"; + add_header Content-Security-Policy "upgrade-insecure-requests"; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name www.thelyoncompany.com; + + ssl_certificate /etc/letsencrypt/live/thelyoncompany.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/thelyoncompany.com/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/thelyoncompany.com/chain.pem; + ssl_dhparam /etc/nginx/dhparam.pem; + + return 301 https://thelyoncompany.com$request_uri; +} + +server { + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; + + server_name thelyoncompany.com; + + root /var/www/html/public; + index index.html; + + ssl_certificate /etc/letsencrypt/live/thelyoncompany.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/thelyoncompany.com/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/thelyoncompany.com/fullchain.pem; + ssl_dhparam /etc/nginx/dhparam.pem; + + #ssl_client_certificate /etc/nginx/ssl/cloudflare.crt; + #ssl_verify_client optional; + + add_header X-Download-Options noopen always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-referrer-when-downgrade" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header Content-Security-Policy "upgrade-insecure-requests"; + add_header Permissions-Policy "interest-cohort=();geolocation=(self);midi=();notifications=();push=(self);sync-xhr=(self);microphone=();camera=();magnetometer=();gyroscope=();speaker=();vibrate=();fullscreen=(self);payment=()"; + + charset utf-8; + charset_types text/css text/plain text/vnd.wap.wml text/javascript text/markdown text/calendar text/x-component text/vcard text/cache-manifest text/vtt application/json application/manifest+json; + + error_page 404 /404.html; + + location / { + try_files $uri $uri/ /index.html =404; + } + + # favicon.ico + location = /favicon.ico { + log_not_found off; + access_log off; + } + + # robots.txt + location = /robots.txt { + log_not_found off; + access_log off; + } + + # assets, media + location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ { + add_header Cache-Control "public"; + add_header X-Frame-Options "SAMEORIGIN"; + expires 7d; + access_log off; + } + + # svg, fonts + location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ { + add_header Access-Control-Allow-Origin "*"; + add_header Timing-Allow-Origin "*"; + expires 7d; + access_log off; + } + + location ~* \.(?:manifest|appcache|html?|xml|json)$ { + expires -1; + access_log off; + } + + location ~* \.(zip|gz|gzip|bz2|csv|xml)$ { + add_header Cache-Control "no-store"; + add_header X-Frame-Options "SAMEORIGIN"; + expires off; + } + + location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ { + access_log off; + add_header Cache-Control "max-age=2592000"; + } + + location ~* \.(?:css|js)$ { + access_log off; + add_header Cache-Control "max-age=31536000"; + } + + location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ { + deny all; + } +}