zabbix-docker/Dockerfiles/web-nginx-mysql/ubuntu/conf/etc/zabbix/nginx_ssl.conf

110 lines
3.3 KiB
Plaintext

server {
listen 8443 ssl http2;
listen [::]:8443 ssl http2;
server_name zabbix;
server_name_in_redirect off;
index {HTTP_INDEX_FILE};
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log error;
set $webroot '/usr/share/zabbix';
root $webroot;
large_client_header_buffers 8 8k;
client_max_body_size 10M;
ssl_certificate /etc/ssl/nginx/ssl.crt;
ssl_certificate_key /etc/ssl/nginx/ssl.key;
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
location = /favicon.ico {
log_not_found off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# caching of files
location ~* \.ico$ {
expires 1y;
}
location ~* \.(js|css|png|jpg|jpeg|gif|xml|txt)$ {
expires 14d;
}
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/|vendor\/) {
deny all;
return 404;
}
location ~ ^/(status|ping)$ {
access_log off;
fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $webroot$fastcgi_script_name;
include fastcgi_params;
}
location / {
try_files $uri $uri/ =404;
}
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index {HTTP_INDEX_FILE};
fastcgi_param DOCUMENT_ROOT $webroot;
fastcgi_param SCRIPT_FILENAME $webroot$fastcgi_script_name;
fastcgi_param PATH_TRANSLATED $webroot$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout {FCGI_READ_TIMEOUT};
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
}