worker_processes 1; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; gzip on; server { listen 80; server_name ; return 302 https://$request_uri; } server { listen 443 ssl http2; server_name ; ssl on; ssl_certificate /usr/local/etc/nginx/ssl/.crt; ssl_certificate_key /usr/local/etc/nginx/ssl/.key; ssl_trusted_certificate /usr/local/etc/nginx/ssl/.int.ca; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify off; # modern configuration. tweak to your needs. ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; add_header Strict-Transport-Security max-age=63072000; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/local/www/nginx-dist; } access_log /var/log/nginx/backuppc.access.log; error_log /var/log/nginx/backuppc.error.log; location / { auth_basic "Backup"; auth_basic_user_file /usr/local/etc/nginx/backuppc.users; root /usr/local/www; return 302 http:///cgi-bin/BackupPC_Admin; index BackupPC.html; } location /backuppc { alias /usr/local/www/backuppc; index BackupPC.html; } #location ~\.cgi$ { location ~ ^/cgi-bin/BackupPC_Admin(/|$) { auth_basic "Backup"; auth_basic_user_file /usr/local/etc/nginx/backuppc.users; gzip off; include /usr/local/etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.socket; fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_USER $remote_user; fastcgi_param SCRIPT_FILENAME /usr/local/www/cgi-bin/BackupPC_Admin; } location ~ /\.ht { deny all; } } }