## Normal HTTP host server { listen 0.0.0.0:80; listen [::]:80 default_server; server_name _; server_tokens off; ## Redirects all traffic to the HTTPS host root /nowhere; ## root doesn't have to be a valid path since we are redirecting rewrite ^ https://$host$request_uri? permanent; } upstream fastcgi_backend { server unix:/tmp/fastcgi.socket; keepalive 32; } ## HTTPS host server { listen 0.0.0.0:443 ssl spdy; listen [::]:443 ssl spdy default_server; server_tokens off; root /usr/share/nginx/html; ## Increase this if you want to upload large attachments client_max_body_size 100m; ## Strong SSL Security ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl on; ssl_certificate {{SSL_CERTIFICATE_PATH}}; ssl_certificate_key {{SSL_KEY_PATH}}; ssl_verify_client {{SSL_VERIFY_CLIENT}}; ssl_client_certificate {{CA_CERTIFICATES_PATH}}; ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age={{ONLYOFFICE_HTTPS_HSTS_MAXAGE}}; # add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. ## Replace with your ssl_trusted_certificate. For more info see: ## - https://medium.com/devops-programming/4445f4862461 ## - https://www.ruby-forum.com/topic/4419319 ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx # ssl_stapling on; # ssl_stapling_verify on; # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired # resolver_timeout 10s; ## [Optional] Generate a stronger DHE parameter: ## cd /etc/ssl/certs ## sudo openssl dhparam -out dhparam.pem 4096 ## ssl_dhparam {{SSL_DHPARAM_PATH}}; gzip on; gzip_types text/plain text/xml text/css text/csv application/xml application/javascript application/x-javascript application/json application/octet-stream application/pdf application/rtf application/msword application/vnd.ms-excel application/vnd.ms-powerpoint; #application/vnd.oasis.opendocument.text #application/vnd.oasis.opendocument.spreadsheet #application/vnd.oasis.opendocument.presentation #application/vnd.openxmlformats-officedocument.wordprocessingml.document #application/vnd.openxmlformats-officedocument.spreadsheetml.sheet #application/vnd.openxmlformats-officedocument.presentationml.presentation; location / { root /var/www/onlyoffice/documentserver/DocService/; index index.html index.htm default.aspx Default.aspx; fastcgi_index Default.aspx; fastcgi_keep_conn on; fastcgi_pass fastcgi_backend; include /var/www/onlyoffice/documentserver/fastcgi_params; } location ~ \/OfficeWeb\/(?!sdk\/Fonts\/) { root /var/www/onlyoffice/documentserver/DocService; } location /coauthoring/ { proxy_pass http://localhost:8000/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } location /spellchecker/ { proxy_pass http://localhost:8080/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }