From 9d75f5731c60541b76a3a222eb207c295afba7ab Mon Sep 17 00:00:00 2001
From: khalid belkhir <khalid.belkhir@univ-montp2.fr>
Date: Tue, 10 Dec 2019 09:46:10 +0100
Subject: [PATCH] Add system files for deployment

---
 system/nginx_conf.d_10-rstudio.conf   | 25 +++++++++++++++++++++++
 system/nginx_nginx.conf               | 27 +++++++++++++++++++++++++
 system/nginx_sites-available_default  | 29 +++++++++++++++++++++++++++
 system/nginx_snippets_ssl-params.conf | 19 ++++++++++++++++++
 4 files changed, 100 insertions(+)
 create mode 100644 system/nginx_conf.d_10-rstudio.conf
 create mode 100644 system/nginx_nginx.conf
 create mode 100644 system/nginx_sites-available_default
 create mode 100644 system/nginx_snippets_ssl-params.conf

diff --git a/system/nginx_conf.d_10-rstudio.conf b/system/nginx_conf.d_10-rstudio.conf
new file mode 100644
index 0000000..ba4877c
--- /dev/null
+++ b/system/nginx_conf.d_10-rstudio.conf
@@ -0,0 +1,25 @@
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+server {
+listen 80;
+listen [::]:80;
+server_name example.com;
+return 301 https://$server_name$request_uri;
+}
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+include snippets/self-signed.conf;
+include snippets/ssl-params.conf;
+location / {
+proxy_pass http://127.0.0.1:8787;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $host;
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+}
+}
+
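Review bot: The TLS server block (`listen 443 ssl http2;`) has no `server_name`, unlike the port-80 block, which redirects to `https://$server_name$request_uri` for example.com. If the TLS block ends up as the default server for that socket, it will proxy requests carrying any Host header to the backend at 127.0.0.1:8787. Adding `server_name example.com;` to the second block keeps the two in step. The block also includes `snippets/self-signed.conf`, which this commit does not add, so a comment such as `# snippets/self-signed.conf must define ssl_certificate and ssl_certificate_key; not part of this commit` would tell a deployer what is missing. It is also worth confirming that the proxied service binds only to the loopback address, since otherwise port 8787 would stay reachable without TLS.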
diff --git a/system/nginx_nginx.conf b/system/nginx_nginx.conf
new file mode 100644
index 0000000..6fe48a7
--- /dev/null
+++ b/system/nginx_nginx.conf
@@ -0,0 +1,27 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+include /usr/share/nginx/modules/*.conf;
+events {
+worker_connections 1024;
+}
+http {
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+access_log /var/log/nginx/access.log main;
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+# Load modular configuration files from the /etc/nginx/conf.d directory.
+# See http://nginx.org/en/docs/ngx_core_module.html#include
+# for more information.
+include /etc/nginx/conf.d/*.conf;
+client_max_body_size 0;
+}
+
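Review bot: `client_max_body_size 0;` at the end of the `http` block disables the request-body size check for every server and location loaded from `conf.d`, not only the RStudio proxy, so any client can stream arbitrarily large bodies to the host. If unlimited uploads are needed for the proxied application, set the directive inside that server's `location /` block and keep the default or a finite value here, with a comment such as `# body limit lifted only for the RStudio proxy`. The block also leaves `server_tokens` at its default of on, so adding `server_tokens off;` would stop the nginx version being advertised in response headers and error pages.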
diff --git a/system/nginx_sites-available_default b/system/nginx_sites-available_default
new file mode 100644
index 0000000..a5e2260
--- /dev/null
+++ b/system/nginx_sites-available_default
@@ -0,0 +1,29 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name server_domain_or_IP;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+
+    # SSL configuration
+
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+    include snippets/self-signed.conf;
+    include snippets/ssl-params.conf;
+    root /var/www/html;
+
+    # Add index.php to the list if you are using PHP
+    index index.html index.htm index.nginx-debian.html;
+
+    server_name _;
+
+    location / {
+            # First attempt to serve request as file, then
+            # as directory, then fall back to displaying a 404.
+            try_files $uri $uri/ =404;
+    }
+}
+
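Review bot: `server_name server_domain_or_IP;` in the port-80 block is a template placeholder, and the redirect is built from `$server_name`, so every plain-HTTP request reaching this default server would be sent to `https://server_domain_or_IP/...`. Either replace it with the real hostname or mark it clearly, e.g. `server_name server_domain_or_IP;  # PLACEHOLDER: set to the deployed hostname`. The `nginx.conf` added in this commit only includes `/etc/nginx/conf.d/*.conf`, so it is unclear whether this `sites-available` file is loaded at all. If it is, both it and the RStudio config listen on 443, and this block's `default_server` decides which one handles unmatched Host headers, which deserves a comment.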
diff --git a/system/nginx_snippets_ssl-params.conf b/system/nginx_snippets_ssl-params.conf
new file mode 100644
index 0000000..865be91
--- /dev/null
+++ b/system/nginx_snippets_ssl-params.conf
@@ -0,0 +1,19 @@
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now.  You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+# add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
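Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which are deprecated and carry known protocol-level weaknesses. `ssl_protocols TLSv1.2;` is the safer setting, with `TLSv1.3` added where the installed nginx and OpenSSL support it. `ssl_stapling on;` and `ssl_stapling_verify on;` will most likely have no effect with the self-signed certificate that the server blocks include, since there is no issuer to query. Those lines and the `resolver` could carry a comment such as `# effective only once a CA-issued certificate is installed`. The `add_header` lines also lack the `always` parameter, so the HSTS and nosniff headers are omitted on error responses; for example `add_header X-Content-Type-Options nosniff always;`.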
-- 
GitLab