From 340ad5c3176a5ce75f344b2573010192058b4e2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christer=20War=C3=A9n?= <cwchristerw@gmail.com>
Date: Thu, 11 Sep 2025 13:03:33 +0300
Subject: [PATCH] Update Nginx configuration

---
 files/nginx/conf/000-default.conf  |  10 ---
 files/nginx/conf/001-services.conf | 129 +++++++++++++++++++++++++++++
 2 files changed, 129 insertions(+), 10 deletions(-)
 create mode 100644 files/nginx/conf/001-services.conf

diff --git a/files/nginx/conf/000-default.conf b/files/nginx/conf/000-default.conf
index 4184c8b..86fe828 100644
--- a/files/nginx/conf/000-default.conf
+++ b/files/nginx/conf/000-default.conf
@@ -21,11 +21,6 @@ server {
 
         return 301 https://$host$request_uri;
     }
-
-    if ($request_method !~ ^(GET|HEAD|POST)$ )
-    {
-       return 405;
-    }
 }
 
 server {
@@ -62,9 +57,4 @@ server {
         root   /usr/share/nginx/html;
         index  index.html index.htm;
     }
-
-    if ($request_method !~ ^(GET|HEAD|POST)$ )
-    {
-       return 405;
-    }
 }
diff --git a/files/nginx/conf/001-services.conf b/files/nginx/conf/001-services.conf
new file mode 100644
index 0000000..5fa6977
--- /dev/null
+++ b/files/nginx/conf/001-services.conf
@@ -0,0 +1,129 @@
+server {
+
+    listen  443 ssl;
+    listen  [::]:443 ssl;
+
+    server_name status.tjas;
+
+    http2 on;
+
+    ssl_certificate /etc/nginx/certs/fullchain.pem;
+    ssl_certificate_key /etc/nginx/certs/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:20m;
+    ssl_session_timeout 180m;
+
+    ssl_trusted_certificate /etc/nginx/certs/chain.pem;
+
+    expires off;
+    etag off;
+    if_modified_since off;
+
+    gzip on;
+    gzip_min_length 1000;
+    gzip_proxied any;
+    gzip_types *;
+    gunzip on;
+
+    location / {
+        proxy_pass http://127.0.0.1:3001;
+        proxy_set_header Host $http_host;
+        proxy_intercept_errors: on;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_redirect off;
+    }
+}
+
+server {
+
+    listen  443 ssl;
+    listen  [::]:443 ssl;
+
+    server_name sso.tjas;
+
+    http2 on;
+
+    ssl_certificate /etc/nginx/certs/fullchain.pem;
+    ssl_certificate_key /etc/nginx/certs/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:20m;
+    ssl_session_timeout 180m;
+
+    ssl_trusted_certificate /etc/nginx/certs/chain.pem;
+
+    expires off;
+    etag off;
+    if_modified_since off;
+
+    gzip on;
+    gzip_min_length 1000;
+    gzip_proxied any;
+    gzip_types *;
+    gunzip on;
+
+    location / {
+        proxy_pass http://127.0.0.1:3001;
+        proxy_set_header Host $http_host;
+        proxy_intercept_errors: on;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_redirect off;
+    }
+}
+
+server {
+
+    listen  443 ssl;
+    listen  [::]:443 ssl;
+
+    server_name cloud.tjas;
+
+    http2 on;
+
+    ssl_certificate /etc/nginx/certs/fullchain.pem;
+    ssl_certificate_key /etc/nginx/certs/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:20m;
+    ssl_session_timeout 180m;
+
+    ssl_trusted_certificate /etc/nginx/certs/chain.pem;
+
+    expires off;
+    etag off;
+    if_modified_since off;
+
+    gzip on;
+    gzip_min_length 1000;
+    gzip_proxied any;
+    gzip_types *;
+    gunzip on;
+
+    location / {
+        proxy_pass http://127.0.0.1:3001;
+        proxy_set_header Host $http_host;
+        proxy_intercept_errors: on;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_redirect off;
+    }
+}
+