Compare text

Find the difference between two text files
Real-time diff
Unified diff
Collapse lines
Highlight change
Syntax highlighting
Tools

Untitled Diff

Created Diff never expires
72 removals
94 lines
48 additions
60 lines
upstream backend {
# This block is useful for debugging TLS v1.3. Please feel free to remove this
server 10.10.10.2:8065;
# and use the `$ssl_early_data` variable exposed by nginx directly should you
keepalive 32;
# wish to do so.
map $ssl_early_data $tls1_3_early_data {
"~." $ssl_early_data;
default "";
}
}


proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;


server {
server {
listen 80 default_server;
listen 443 ssl http2;
server_name mattermost.example.com;
return 301 https://$server_name$request_uri;
}


server {
[...] # other settings
listen 443 ssl http2;
server_name mattermost.example.com;


http2_push_preload on; # Enable HTTP/2 Server Push
proxy_http_version 1.1;


ssl on;
location ~ /mattermost/api/v[0-9]+/(users/)?websocket$ {
ssl_certificate /etc/letsencrypt/live/{domain-name}/fullchain.pem;
proxy_set_header Upgrade $http_upgrade;
ssl_certificate_key /etc/letsencrypt/live/{domain-name}/privkey.pem;
proxy_set_header Connection "upgrade";
ssl_session_timeout 1d;
client_max_body_size 50M;

proxy_set_header Host $http_host;
# Enable TLS versions (TLSv1.3 is required upcoming HTTP/3 QUIC).
proxy_set_header X-Real-IP $remote_addr;
ssl_protocols TLSv1.2 TLSv1.3;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;
# Enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to
proxy_set_header X-Frame-Options SAMEORIGIN;
# prevent replay attacks.
proxy_buffers 256 16k;
#
proxy_buffer_size 16k;
# @see: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
client_body_timeout 60;
ssl_early_data on;
send_timeout 300;

lingering_timeout 5;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
proxy_http_version 1.1;
ssl_prefer_server_ciphers on;
proxy_connect_timeout 90;
ssl_session_cache shared:SSL:50m;
proxy_send_timeout 300;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
proxy_read_timeout 90s;
add_header Strict-Transport-Security max-age=15768000;
proxy_pass http://172.17.0.1:8065;
# OCSP Stapling ---
}
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

add_header X-Early-Data $tls1_3_early_data;


location ~ /api/v[0-9]+/(users/)?websocket$ {
location /mattermost {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 50M;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
client_body_timeout 60;
send_timeout 300;
lingering_timeout 5;
proxy_connect_timeout 90;
proxy_send_timeout 300;
proxy_read_timeout 90s;
proxy_http_version 1.1;
proxy_pass http://backend;
}


location / {
client_max_body_size 50M;
client_max_body_size 50M;
proxy_set_header Connection "";
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_buffers 256 16k;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
proxy_buffer_size 16k;
proxy_read_timeout 600s;
proxy_read_timeout 600s;
proxy_cache mattermost_cache;
proxy_cache mattermost_cache;
proxy_cache_revalidate on;
proxy_cache_revalidate on;
proxy_cache_min_uses 2;
proxy_cache_min_uses 2;
proxy_cache_use_stale timeout;
proxy_cache_use_stale timeout;
proxy_cache_lock on;
proxy_cache_lock on;
proxy_http_version 1.1;
proxy_http_version 1.1;
proxy_pass http://backend;
}
}


# This block is useful for debugging TLS v1.3. Please feel free to remove this
proxy_pass http://172.17.0.1:8065/mattermost;
# and use the `$ssl_early_data` variable exposed by NGINX directly should you
}
# wish to do so.
map $ssl_early_data $tls1_3_early_data {
"~." $ssl_early_data;
default "";
}
}
Saved diffs