Organized Nginx conf with added HTTPS version

etc/nginx/HTTPS_default.template.conf

@@ -0,0 +1,204 @@
+# Nginx configuration for HTTPS only
+
+server_tokens off;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options nosniff;
+
+upstream dev_tomcat_1 {
+    server tomcat;
+}
+
+# HTTP
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+		gzip on;
+		gzip_static on;
+		gzip_vary on;
+		gzip_http_version 1.1;
+		gzip_min_length 700;
+		gzip_comp_level 6;
+    server_name ${NGINX_HOST};
+    error_log  /var/log/nginx/error.log;
+    access_log /var/log/nginx/access.log;
+    root /var/www/html/public;
+		index index.php index.html index.htm index.jsp;
+
+    # Redirect all requests to HTTPS on :443
+    location / {
+        rewrite ^ https://$host$request_uri? permanent;
+    }
+
+    ####### Proxies #######
+    # PHP proxy
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+
+    # Tomcat proxy
+    location ~ \.(do|jspa|obr|jsp) {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass http://tomcat:8082;
+    }
+
+    ####### Protections and efficiencies #######
+    # Deny access to files beginning with .ht, such as .htaccess and .htpasswd
+    location ~ /\.ht {
+    		deny all;
+    }
+
+    # Block accidental directory listing
+    location / {
+        try_files $uri $uri/ =404;
+     }
+
+    # Instructs visitor browser to cache files for 1 month
+    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
+        expires 1M;
+    }
+
+    # Deny access to version control system directories.
+    location ~ /\.svn|/\.git {
+        deny all;
+        internal;
+    }
+
+    # Certbot for HTTPS cert renewal
+    location ^~ /.well-known {
+        allow all;
+        root  /data/letsencrypt/;
+    }
+
+    ####### PHPBB Forum #######
+    # PHPBB forum
+		location /board {
+				index index.php index.html index.htm;
+        try_files $uri $uri/ @rewriteapp;
+    }
+
+    # PHPBB installer rewrite
+    location /install/ {
+        try_files $uri $uri/ @rewrite_installapp;
+		}
+
+    location @rewriteapp {
+    		rewrite ^(.*)$ /app.php/$1 last;
+    }
+
+    # Deny access to internal phpbb files.
+    location ~ /board(config\.php|common\.php|files|images/avatars/upload|includes|(?<!ext/)phpbb|store|vendor) {
+    		deny all;
+        internal;
+		}
+
+    location @rewrite_installapp {
+        rewrite ^(.*)$ /board/install/app.php/$1 last;
+    }
+}
+
+# HTTPS
+server {
+    listen      443           ssl http2;
+    listen [::]:443           ssl http2;
+    server_name               ${NGINX_HOST};
+    ssl                       on;
+    add_header                Strict-Transport-Security "max-age=31536000" always;
+    ssl_session_cache         shared:SSL:20m;
+    ssl_session_timeout       10m;
+    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers               "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
+    ssl_stapling              on;
+    ssl_stapling_verify       on;
+    resolver                  8.8.8.8 1.1.1.1;
+    ssl_certificate           /etc/letsencrypt/live/openrsc.com/fullchain.pem;
+    ssl_certificate_key       /etc/letsencrypt/live/openrsc.com/privkey.pem;
+    ssl_trusted_certificate   /etc/letsencrypt/live/openrsc.com/chain.pem;
+    index index.php index.html index.jsp;
+    error_log  /var/log/nginx/error.log;
+    access_log /var/log/nginx/access.log;
+    root /var/www/html/public;
+
+    ####### Proxies #######
+    # PHP proxy
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+
+    # Tomcat proxy
+    location ~ \.(do|jspa|obr|jsp) {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass http://tomcat:8082;
+    }
+
+    ####### Protections and efficiencies #######
+    # Deny access to files beginning with .ht, such as .htaccess and .htpasswd
+    location ~ /\.ht {
+    		deny all;
+    }
+
+    # Block accidental directory listing
+    location / {
+        try_files $uri $uri/ =404;
+     }
+
+    # Instructs visitor browser to cache files for 1 month
+    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
+        expires 1M;
+    }
+
+    # Deny access to version control system directories.
+    location ~ /\.svn|/\.git {
+        deny all;
+        internal;
+    }
+
+    # Certbot for HTTPS cert renewal
+    location ^~ /.well-known {
+        allow all;
+        root  /data/letsencrypt/;
+    }
+
+    ####### PHPBB Forum #######
+    # PHPBB forum
+		location /board {
+				index index.php index.html index.htm;
+        try_files $uri $uri/ @rewriteapp;
+    }
+
+    # PHPBB installer rewrite
+    location /install/ {
+        try_files $uri $uri/ @rewrite_installapp;
+		}
+
+    location @rewriteapp {
+    		rewrite ^(.*)$ /app.php/$1 last;
+    }
+
+    # Deny access to internal phpbb files.
+    location ~ /board(config\.php|common\.php|files|images/avatars/upload|includes|(?<!ext/)phpbb|store|vendor) {
+    		deny all;
+        internal;
+		}
+
+    location @rewrite_installapp {
+        rewrite ^(.*)$ /board/install/app.php/$1 last;
+    }
+
+}