Merge pull request #213 from crazy-max/fix-nginx

nginx: fix http2 directive
anonaddy · Jul 22, 2023 · 6ef0c01 · 6ef0c01
2 parents f43fcf3 + 0536f0e
commit 6ef0c01
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 58 deletions.
diff --git a/examples/nginx/nginx/templates/default.conf.template b/examples/nginx/nginx/templates/default.conf.template
@@ -7,58 +7,57 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name example.com;   
-    server_tokens off;
-
-    add_header X-Frame-Options "SAMEORIGIN";
-    add_header X-XSS-Protection "1; mode=block";
-    add_header X-Content-Type-Options "nosniff";
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'";
-    add_header Referrer-Policy "origin-when-cross-origin";
-    add_header Expect-CT "enforce, max-age=604800";
-
-    charset utf-8;
-
-    ssl_certificate           /etc/letsencrypt/live/example.com/fullchain.pem;
-    ssl_certificate_key       /etc/letsencrypt/live/example.com/privkey.pem;
-    ssl_trusted_certificate 	/etc/letsencrypt/live/example.com/chain.pem;
-
-    ssl_prefer_server_ciphers   on;
-    ssl_session_timeout         5m;
-    ssl_protocols               TLSv1.2 TLSv1.3;
-    ssl_stapling                on;
-    ssl_stapling_verify         on;
-    ssl_ciphers                 "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
-    ssl_ecdh_curve              secp384r1;
-    ssl_session_cache           shared:SSL:20m;
-    ssl_session_tickets         off;
-    ssl_dhparam                 /etc/ssl/dhparam.pem;
-
-    location = /robots.txt {
-  	  add_header  Content-Type  text/plain;
-  	  return 200 "User-agent: *\nDisallow: /\n";
-    }
-
-    location /rspamd {
-    	proxy_pass http://anonaddy:11334;
-
-    	proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-
-    location / {
-        proxy_pass http://anonaddy:8000;
-
-        proxy_redirect off;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_read_timeout 90s;
-     }
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  http2 on;
+  server_name example.com;
+  server_tokens off;
+
+  add_header X-Frame-Options "SAMEORIGIN";
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Content-Type-Options "nosniff";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'";
+  add_header Referrer-Policy "origin-when-cross-origin";
+  add_header Expect-CT "enforce, max-age=604800";
+
+  charset utf-8;
+
+  ssl_certificate           /etc/letsencrypt/live/example.com/fullchain.pem;
+  ssl_certificate_key       /etc/letsencrypt/live/example.com/privkey.pem;
+  ssl_trusted_certificate   /etc/letsencrypt/live/example.com/chain.pem;
+
+  ssl_prefer_server_ciphers   on;
+  ssl_session_timeout         5m;
+  ssl_protocols               TLSv1.2 TLSv1.3;
+  ssl_stapling                on;
+  ssl_stapling_verify         on;
+  ssl_ciphers                 "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+  ssl_ecdh_curve              secp384r1;
+  ssl_session_cache           shared:SSL:20m;
+  ssl_session_tickets         off;
+  ssl_dhparam                 /etc/ssl/dhparam.pem;
+
+  location = /robots.txt {
+    add_header  Content-Type  text/plain;
+    return 200 "User-agent: *\nDisallow: /\n";
+  }
+
+  location /rspamd {
+    proxy_pass http://anonaddy:11334;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+  }
+
+  location / {
+    proxy_pass http://anonaddy:8000;
+    proxy_redirect off;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_read_timeout 90s;
+  }
 }
diff --git a/examples/nginx/nginx/templates/mta-sts.conf.template b/examples/nginx/nginx/templates/mta-sts.conf.template
@@ -26,9 +26,9 @@ server {
 
   location @mta-sts {
     return 200 "version: STSv1
-mode: enforce
-max_age: 86400
-mx: example.com
-mx: example.com\n";
+    mode: enforce
+    max_age: 86400
+    mx: example.com
+    mx: example.com\n";
   }
 }