Voici notre nginx final. À l’intérieur des blocs serveur, nous pouvons voir dans le premier « listen 80 » et dans le deuxième « listen 443 ». Le bloc serveur avec le port 80 redirige vers le port 443.
# Access-log format used by the HTTPS server below. The $geoip_* fields need
# ngx_http_geoip_module with a city database configured at http level (not
# shown in this excerpt), and the $proxy_protocol_* fields are only populated
# when the listen socket carries the "proxy_protocol" parameter; an unset
# variable is written as "-" in the log line.
log_format geoproxy '[$time_local] $remote_addr $realip_remote_addr $remote_user '
                    '$proxy_protocol_server_addr $proxy_protocol_server_port '
                    '$request_method $server_protocol $scheme $server_name $uri $status '
                    '$request_time $body_bytes_sent '
                    '$geoip_city_country_code3 $geoip_region "$geoip_city" $http_x_forwarded_for '
                    '$upstream_status $upstream_response_time '
                    '"$http_referer" "$http_user_agent"';

# Per-client limits keyed on the binary client address (each zone is 10 MB).
# Exceeding either limit answers 429 instead of nginx's default 503.
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn_status 429;
# NOTE(review): 3 r/s per IP combined with burst=5 (set in the 443 server) is
# tight for a WordPress page that fetches many assets in parallel; expect 429s
# during normal page loads if the blog is used by browsers.
limit_req_zone $binary_remote_addr zone=one:10m rate=3r/s;
limit_req_status 429;
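# Port 80: permanent redirect of every request to HTTPS.
server {
    listen 80;
    server_name 192.168.3.2;

    # NOTE(review): $host echoes the client-supplied Host header. If this is
    # the only (hence default) server on :80, the redirect target follows
    # whatever Host the client sent; pin it (e.g. $server_name) if the site is
    # only reachable at one address -- confirm how clients address the server.
    return 301 https://$host$request_uri;

    # The Strict-Transport-Security header previously sent here was removed:
    # user agents must ignore an STS header received over plain HTTP
    # (RFC 6797, section 8.1), so it is only emitted by the HTTPS server.
}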
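# Port 443: static site (client certificate required) plus the /blog/ reverse
# proxy to the local WordPress instance.
server {
    listen 443 ssl;
    server_name 192.168.3.2;

    # --- Certificates / optional client authentication (mTLS) ---
    ssl_certificate        /etc/ssl/nginx.crt;
    ssl_certificate_key    /etc/ssl/nginx.key;
    ssl_client_certificate /etc/ssl/ca.crt;
    # "optional" completes the handshake even without a client certificate;
    # enforcement happens per location through $ssl_client_verify.
    ssl_verify_client optional;
    ssl_verify_depth 1;

    # --- Per-client limits (zones "addr" and "one" are declared at http level) ---
    limit_conn addr 10;
    limit_conn_log_level warn;
    # delay=30 is larger than burst=5, so no excess request is ever delayed:
    # the 5 burst requests are served immediately and the next one gets 429.
    # This is equivalent to "nodelay"; "delay" counts requests, not
    # milliseconds -- use a value below burst if gradual delaying was intended.
    limit_req zone=one burst=5 delay=30;

    keepalive_timeout 10;

    # --- Methods: only GET, HEAD, POST and PUT are accepted, anything else is 405 ---
    # HEAD was added: general-purpose servers must support GET and HEAD
    # (RFC 9110, section 9.1) and monitoring tools rely on it.
    add_header Allow "GET, HEAD, POST, PUT" always;
    if ($request_method !~ ^(GET|HEAD|POST|PUT)$) {
        return 405;
    }

    # Document root shared by location / and the error-page locations below.
    root  /var/www/html/pageweb/;
    index index.html;

    # --- Static site: a certificate chaining to ca.crt is mandatory ---
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        try_files $uri $uri/ =404;
    }

    # --- WordPress reverse proxy (the /blog/ prefix is stripped by the trailing slash) ---
    # NOTE(review): this location does not check $ssl_client_verify, so /blog/
    # is reachable without a client certificate while / is not. Confirm that
    # the blog is meant to be public; otherwise copy the check from location /.
    location /blog/ {
        proxy_pass http://127.0.0.1:8000/;
        # $remote_addr (not $proxy_add_x_forwarded_for) so a client cannot
        # prepend a spoofed address to the forwarded chain.
        proxy_set_header X-Forwarded-For $remote_addr;
        # Tell the upstream the public scheme so it can build https:// URLs.
        proxy_set_header X-Forwarded-Proto $scheme;
        # TODO(review): the CSP below suggests the upstream emits absolute
        # http://localhost:8000/ URLs; it likely also needs
        # "proxy_set_header Host $host;" and a site URL pointing at
        # https://<public host>/blog/ -- confirm against the WordPress settings.
    }

    # --- Error pages (internal only, served from the shared root) ---
    error_page 403 /403.html;
    error_page 404 /404.html;
    error_page 405 /405.html;
    error_page 429 /429.html;
    location = /403.html { internal; }
    location = /404.html { internal; }
    location = /405.html { internal; }
    location = /429.html { internal; }

    # --- Fingerprinting ---
    server_tokens off;   # hides the version but still sends "Server: nginx"
    # The two directives below need the third-party headers-more module
    # (ngx_http_headers_more_filter_module). Both run in config order, so the
    # clear is expected to win and no Server header is sent; keep only one.
    more_set_headers 'Server: its a secret';
    more_clear_headers Server;

    # --- TLS ---
    # TLS 1.3 added; it is only offered when nginx is linked against an
    # OpenSSL that supports it (1.1.1+).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # Tickets bypass the server-side cache and, with a long-lived ticket key,
    # weaken forward secrecy; the cache above is sufficient here.
    ssl_session_tickets off;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparam.pem;
    # Forward-secret AEAD suites only. The previous list also enabled CBC/SHA-1
    # and static-RSA suites (e.g. ECDHE-RSA-AES256-SHA, AES128-GCM-SHA256) and
    # was self-contradictory ("AES256-SHA" both added and "!"-removed). Its
    # "!TLS_AES_*" entries were no-ops: ssl_ciphers does not govern TLS 1.3
    # suites in OpenSSL (those are set with "ssl_conf_command Ciphersuites").
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    # OCSP stapling only works for a CA-issued certificate carrying an OCSP
    # URI and needs a "resolver"; ssl_stapling_verify additionally needs
    # ssl_trusted_certificate. NOTE(review): with a private CA (ca.crt) or a
    # self-signed nginx.crt this is a no-op that logs a warning at startup --
    # confirm where the certificate comes from.
    ssl_stapling on;
    ssl_stapling_verify on;

    # --- Response headers ---
    # "always" attaches them to error responses too. add_header is inherited by
    # a location only if that location declares no add_header of its own; none
    # of the locations above do, so these apply to / and /blog/ as well.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    # Fixed: "always" used to sit inside the quoted value, producing the
    # invalid header value "1; mode=block always" and no "always" flag. The
    # header is legacy (most current browsers ignore it) but harmless to keep.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
    # Fixed: the value was previously split over several lines, so the header
    # carried raw line breaks (a malformed HTTP response). The policy content
    # is unchanged. NOTE(review): the http://localhost:8000/... sources are of
    # no use to a browser -- they name the client's own localhost and, on an
    # https page, are treated as mixed content (blocked or upgraded)
    # regardless of CSP. Once the upstream emits https URLs under /blog/ they
    # can be dropped and "frame-ancestors 'self'" added; WordPress admin pages
    # usually also need 'unsafe-inline' -- verify in the browser console.
    add_header Content-Security-Policy "default-src 'self' http://localhost:8000/wp-includes/blocks/navigation/style.min.css?ver=5.9.3 http://localhost:8000/wp-content/themes/twentytwentytwo/style.css?ver=1.1 http://localhost:8000/wp-content/themes/twentytwentytwo/assets/images/flight-path-on-transparent-d.png http://localhost:8000/wp-includes/blocks/navigation/view.min.js?ver=3776ea67846b3bb10fe8f7cdd486b0ba;" always;

    # No response compression: compressed responses that mix secrets with
    # attacker-influenced input are exposed to compression-oracle (BREACH) attacks.
    gzip off;

    # --- Logs ---
    # NOTE(review): the log files live one directory above the document root
    # (/var/www/html/pageweb/). They are not served today, but a future
    # "root /var/www/html/;" would expose them; /var/log/nginx/ is the usual place.
    access_log /var/www/html/access.log geoproxy;
    error_log  /var/www/html/error.log notice;
}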