VestaCP: Phoenix Nginx SSL Conf
# Getting Started.
# 1. Enter visual mode V, then use s/myapp/domain/g to replace all myapp to domain.
# 2. Change upstream port to PORT ENV variable defined in /etc/init.d/myapp
# hide server information
http {
server_tokens off;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name myapp.com www.myapp.com;
return 301 https://$server_name$request_uri;
}
# Getting Started.
# 1. Enter visual mode V, then use s/myapp.com/domain.com/g to replace all myapp to domain.
# 2. Change upstream port to PORT ENV variable defined in /etc/init.d/myapp
upstream myapp {
server localhost:34567;
}
# hide server information
http {
server_tokens off;
}
# the main server directive for ssl connections
# where we also use http2 (see asset delivery)
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name myapp.com www.myapp.com;
# paths to certificate and key provided by Let's Encrypt
#ssl_certificate /etc/letsencrypt/live/myapp.com/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/myapp.com/privkey.pem;
ssl_certificate /home/admin/conf/web/myapp.com.pem;
ssl_certificate /home/admin/conf/web/myapp.com.key;
# SSL settings that currently offer good results in the SSL check
# and have a reasonable backwards-compatibility, taken from
# - https://cipherli.st/
# - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# security enhancements
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# Let's Encrypt keeps its files here
location ~ /.well-known {
root /home/admin/conf/web/myapp.com/public_html;
allow all;
}
# besides referencing the extracted upstream this stays the same
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://myapp;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# asset delivery using NGINX
location ~* ^.+\.(css|cur|gif|gz|ico|jpg|jpeg|js|png|svg|woff|woff2|mp3|mp4)$ {
root /home/admin/myapp/priv/static;
etag off;
expires max;
add_header Cache-Control public;
}
# php support for Vesta
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9002;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
}
error_page 403 /error/404.html;
error_page 404 /error/404.html;
error_page 500 502 503 504 /error/50x.html;
location /error/ {
alias /home/admin/web/myapp.com/document_errors/;
}
location ~* "/\.(htaccess|htpasswd)$" {
deny all;
return 404;
}
location /vstats/ {
alias /home/admin/web/myapp.com/stats/;
include /home/admin/web/myapp.com/stats/auth.conf*;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include /etc/nginx/conf.d/webmail.inc*;
}
#Configuration file for a phoenix app running on a subdirectory.
upstream myapp {
server localhost:34567;
}
# hide server information
http {
server_tokens off;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name myapp.com www.myapp.com;
root /home/admin/web/myapp.com/public_html;
index index.html;
location / {
try_files $uri $uri/ =404;
}
location /subdirectory {
# pass the requests on to our proxy
try_files $uri @proxy;
}
location @proxy {
include proxy_params;
proxy_redirect off;
proxy_pass http://myapp_phoenix;
}
}
#Configuration file for a phoenix app running on a subdirectory.
upstream myapp {
server localhost:37340;
}
# hide server information
http {
server_tokens off;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name myapp.com www.myapp.com;
root /home/admin/web/myapp.com/public_html;
index index.html;
# paths to certificate and key provided by Let's Encrypt
#ssl_certificate /etc/letsencrypt/live/myapp.com/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/myapp.com/privkey.pem;
ssl_certificate /home/admin/conf/web/myapp.com.pem;
ssl_certificate /home/admin/conf/web/myapp.com.key;
# SSL settings that currently offer good results in the SSL check
# and have a reasonable backwards-compatibility, taken from
# - https://cipherli.st/
# - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# security enhancements
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
location / {
# pass the requests on to our proxy
try_files $uri @proxy;
# asset delivery using NGINX
location ~* ^.+\.(css|cur|gif|gz|ico|jpg|jpeg|js|png|svg|woff|woff2|mp3|mp4)$ {
root /home/admin/myapp/priv/static;
etag off;
expires max;
add_header Cache-Control public;
}
# php delivery support
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9002;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
}
location @proxy {
include proxy_params;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://myapp;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Let's Encrypt keeps its files here
location ~ /.well-known {
root /home/admin/web/myapp.com/public_html;
allow all;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include /etc/nginx/conf.d/webmail.inc*;
}