47 lines
1.9 KiB
Django/Jinja
47 lines
1.9 KiB
Django/Jinja
server {
|
|
listen 80;
|
|
server_name {{ server_name }};
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen 8448 ssl http2; # for federation (skip if pointing SRV or .well-known to port 443)
|
|
gzip off;
|
|
server_name {{ server_name }};
|
|
|
|
ssl_certificate "/etc/letsencrypt/live/{{ server_name }}/fullchain.pem";
|
|
ssl_certificate_key "/etc/letsencrypt/live/{{ server_name }}/privkey.pem";
|
|
ssl_session_cache shared:NGX_SSL_CACHE:10m;
|
|
ssl_session_timeout 12h;
|
|
ssl_protocols TLSv1.3 TLSv1.2;
|
|
ssl_ciphers "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256";
|
|
ssl_dhparam "/etc/letsencrypt/live/{{ server_name }}/dhparam2048.pem";
|
|
ssl_ecdh_curve X25519:secp521r1:secp384r1:prime256v1;
|
|
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
|
|
location / {
|
|
return 301 https://element.{{ server_name }};
|
|
}
|
|
|
|
location /_matrix {
|
|
proxy_pass http://127.0.0.1:8008;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
}
|
|
|
|
# This can be skipped if you're using port 8448 on {{ server_name }} for federation:
|
|
location /.well-known/matrix/server {
|
|
return 200 '{ "m.server": "{{ server_name }}:8448" }';
|
|
add_header content-type application/json;
|
|
}
|
|
|
|
location /.well-known/matrix/client {
|
|
return 200 '{ "m.homeserver": { "base_url": "https://{{ server_name }}" }, "im.vector.riot.jitsi": { "preferredDomain": "jitsi.riot.im" } }';
|
|
add_header access-control-allow-origin *;
|
|
add_header content-type application/json;
|
|
}
|
|
|
|
}
|