LINUX, NGINX, SERVERBLOCKS, SERVER, HTTP, HTTPS, PROXY, SSL, CERTIFICATES, REVERSEPROXY

Useful Nginx Server Blocks

In the past weeks, I set up some different web servers with Nginx. Nginx is more lightweight and easier to handle than Apache2.

There are a lot of different uses for web servers. Some are reverse proxy, HTTPS, static sites, clouds, or PHP. In this article, I want to share my experiences with different server blocks for some of these cases. It’s basically more of a little wiki.

Redirect www to non-www Traffic

This solution works for any subdomain. You can also adjust the server_name to redirect from non-www to www traffic.

# redirect all www to non-www traffic
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name www.example.com;

    ssl_certificate /path/to/certificate.pem;
    ssl_certificate_key /path/to/certificate.pem;

    return 301 https://example.com$request_uri;
}

Redirect Http to Https Traffic 

# redirect all http to https traffic
server {
    listen 80;
    listen [::]:80;

    # the underscore is a wildcard for every server name
    server_name _;

    return 301 https://$host$request_uri;
}

SSL Optimization

This server block is 90% based on this article about optimizing your HTTPS server block. It also explains what every line is doing.

ssl on;

ssl_session_cache shared:SSL:20m;
ssl_session_timeout 120m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;

ssl_dhparam /etc/nginx/cert/dhparam.pem;

ssl_stapling on;
ssl_stapling_verify on;

Serving Static Files with SSL 

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name example.com;

    # include SSL custom settings for more safety and faster loading
    # optional (see chapter 'SSL optimization')
    #include /path/to/ssl/optimization.conf;

    ssl_certificate /path/to/certificate.pem;
    ssl_certificate_key /path/to/certificate.pem;

    # path to root directory for your files
    root /var/www/homepage;

    # paths for custom index and error pages (optional)
    # error_page 404 404.html;
    # index index.html;

    # deny all requests for any access files
    location ~ /\.ht {
        deny all;
    }

    # try to serve files, otherwise show 404 page
    location / {
        try_files $uri $uri/ =404;
    }
}

Reverse Proxy for large File-Transfer

I struggled a lot when using a reverse proxy for large file transfers, for example when setting up a cloud (like NextCloud) behind a reverse proxy.
These are my recommended settings, which caused the least problems.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name example.com;

    # include SSL custom settings for more safety and faster loading
    # optional (see chapter 'SSL optimization')
    #include /path/to/ssl/optimization.conf;

    ssl_certificate /path/to/certificate.pem;
    ssl_certificate_key /path/to/certificate.pem;

    # zero means unlimited. You can upload any file size you want
    client_max_body_size 0;
    underscores_in_headers on;

    location ~ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Proxy_Connection $http_connection;
        
        resolver 8.8.8.8;
        
        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 64;

        add_header Front-End-Https on;
        proxy_redirect off;
        proxy_buffering off;
        proxy_max_temp_file_size 0;

        proxy_pass http://domaintopass.com;
    }
}