Diffstat (limited to 'roles/ssh-nginx-multiplex/templates/nginx.conf.j2')
-rw-r--r--roles/ssh-nginx-multiplex/templates/nginx.conf.j257
1 files changed, 57 insertions, 0 deletions
diff --git a/roles/ssh-nginx-multiplex/templates/nginx.conf.j2 b/roles/ssh-nginx-multiplex/templates/nginx.conf.j2
new file mode 100644
index 0000000..a735338
--- /dev/null
+++ b/roles/ssh-nginx-multiplex/templates/nginx.conf.j2
@@ -0,0 +1,57 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ server_tokens off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options DENY;
+ add_header X-XSS-Protection "1; mode=block";
+
+ server {
+ listen 127.0.0.1:{{ internal_nginx_port }} ssl default_server;
+ server_name _;
+
+ root /var/www/html;
+ index index.html;
+
+ ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options DENY;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ /\.(?!well-known) {
+ deny all;
+ }
+ }
+}
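Review bot: The three `add_header` lines, in both the `http` block and the `server` block, lack the `always` parameter, so nginx omits them on the `=404` from `try_files` and on the 403 produced by `deny all`; writing them as `add_header X-Content-Type-Options nosniff always;` (and likewise for the other two) covers error responses as well. The `server` block also repeats `ssl_protocols`, `ssl_prefer_server_ciphers` and the `add_header` lines verbatim from the `http` block; they are inherited, so keeping a single copy stops the two from drifting apart, with a comment noting that any `add_header` added later inside a `location` replaces the inherited set. Because the listener is bound to 127.0.0.1 behind what the role name suggests is a port multiplexer, `access.log` will presumably record the loopback address instead of the real client unless the front end forwards it (for example PROXY protocol with `listen ... ssl proxy_protocol` plus `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;`). That is worth confirming, since it decides whether these logs are usable for incident response.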