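server {
    # Webserver configuration
    server_name openproject.pyuxiang.com;
    # NOTE: on nginx >= 1.25.1 the listen-level "http2" flag is deprecated in
    # favour of a separate "http2 on;" directive; kept as-is for older builds.
    listen 443 ssl http2;

    # Client mTLS configuration (optional)
    # "optional" lets the TLS handshake complete without a client certificate;
    # the check below then makes a valid certificate mandatory in practice by
    # redirecting every request whose verification result is not SUCCESS
    # (i.e. NONE when no certificate was presented, or FAILED:<reason>).
    ssl_client_certificate certificates/client-ca.pem;
    ssl_verify_client optional;
    if ($ssl_client_verify != SUCCESS) {
        return 301 https://pyuxiang.com;
    }

    # Server TLS configuration
    ssl_certificate certificates/server-chain.pem;
    ssl_certificate_key certificates/server-key.pem;
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1d;
    # NOTE(review): TLS session tickets are left at the nginx default (on).
    # Without ticket-key rotation this weakens forward secrecy for resumed
    # sessions; consider "ssl_session_tickets off;" if session resumption via
    # the shared cache above is sufficient.

    # TLS security options, from (source reference truncated in the original)
    ssl_dhparam includes/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
    ssl_prefer_server_ciphers off;

    # Force HSTS (max-age is two years; no includeSubDomains/preload, so only
    # this exact host is pinned)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Hide server version
    server_tokens off;
    # more_clear_headers requires the third-party headers-more module; nginx
    # will refuse to start if it is not compiled in or loaded.
    more_clear_headers Server;

    # Disable compression to mitigate BREACH
    gzip off;

    # Phishing protection
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; it is kept for compatibility only.
    add_header X-XSS-Protection "1; mode=block" always;
    # "always" added for consistency with the other headers, so the directive
    # is also emitted on non-2xx/3xx responses.
    add_header Cache-Control "no-transform" always;
    # add_header is NOT inherited into a location that declares its own
    # add_header; none of the locations below do, so all of the above apply
    # to every response from this server block.

    # Proxy passing to Openproject HTTP backend
    root /opt/openproject/public;
    # Plain prefix location (previously "location ^~ /"). With "^~" on the
    # catch-all prefix, nginx skips regex locations for every URI, so the
    # hidden-file deny block at the bottom was never reached and dotfile
    # paths were proxied straight to the backend. Without "^~" the regex
    # location is evaluated first and the deny rule takes effect.
    location / {
        proxy_pass http://127.0.0.1:6690; # use the OpenProject port
        proxy_pass_request_headers on;    # nginx default; kept explicit
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 1200s;
        client_max_body_size 10M;
    }

    # Disable logging for generic stuff
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    # Block access to all hidden files
    # Matches any path component starting with "." (e.g. /.git/, /.env), and
    # therefore also /.well-known/; an HTTP-01 ACME challenge served on this
    # listener would need an explicit exception placed before this block.
    location ~* /\. {
        deny all;
    }
}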