Default nginx page and 404 Not Found nginx/1.10.3 (Ubuntu)

Hi,

I'm stuck on this: the domain/IP displays the default nginx page, while internal links display 404 Not Found.

I have reinstalled diaspora 5 times, but it still says the same thing.

No error during installation this time. It precompiled without any errors and ran ./script/server without any errors.

I have cross-checked nginx.conf many times.

Please share your nginx config with us.

# Workers run as www-data; the master process has to be started as root for
# this to apply (an unprivileged `nginx -t` warns that the directive is
# ignored, as shown further down this thread).
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
	# Upper bound on simultaneous connections per worker (client and upstream
	# connections both count against it).
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# NOTE(review): left at the default, so the exact version ("nginx/1.10.3
	# (Ubuntu)", as in this thread's title) is advertised in the Server header
	# and on error pages; `server_tokens off;` removes that banner.
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	# NOTE(review): TLS 1.0 and 1.1 are deprecated (RFC 8996); `TLSv1.2` alone
	# is the sensible value on this build (the TLSv1.3 keyword needs
	# nginx >= 1.13 with OpenSSL >= 1.1.1 and fails `nginx -t` on 1.10.3).
	# Every server block below repeats ssl_protocols and overrides this value.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	# error_log is at the default level here; raising it to notice or info
	# shows which server block answers a request while debugging this setup.
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	# Applies to every server in this http block, including the HTTPS proxy
	# below. The Debian default vhost's own note (bugs.debian.org/773332,
	# quoted later in this thread) advises disabling gzip for SSL traffic,
	# because compressing responses that embed secrets is what BREACH-style
	# attacks rely on; limiting gzip_types to static asset types is the usual
	# compromise. gzip_static only serves pre-compressed .gz siblings.
	gzip on;
	gzip_disable "msie6";
	gzip_static on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
	
	server {
	    # If your host is not IPv6 ready use listen 80; here.
	    # Add ipv6only=off to your listen directive that has default_server.
	    # Or this one if this is your only vhost. Do not add it to both!
	  # NOTE(review): [::]:80 binds the IPv6 socket only (ipv6only defaults to
	  # on), and without default_server the Debian vhost's
	  # "listen 80 default_server" in sites-enabled/default answers the bare
	  # IP and any unknown Host — presumably the welcome page reported above.
	  listen [::]:80;
	  server_name iitians.xyz www.iitians.xyz;
    
	  # $server_name is this block's primary name (iitians.xyz), not the
	  # client-supplied Host header, so the redirect target is fixed.
	  location / {
	    return 301 https://$server_name$request_uri;
	  }
	}

	# Redirect https://www.diaspora.example.org to https://diaspora.example.org
	server {
	  listen [::]:443 ssl;  # Same rules as for listen [::]:80 apply.

	  server_name www.iitians.xyz;
    
	  # Hard-coded canonical host: a client-supplied Host header cannot steer
	  # this redirect.
	  location / {
	    return 301 https://iitians.xyz$request_uri;
	  }

	    # SSL setup

	    # This file should also include any necessary intermediate certificates.
	    # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
	    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
	    # and /etc/letsencrypt/diaspora.example.org/privkey.pem
	  ssl_certificate /etc/letsencrypt/live/iitians.xyz/fullchain.pem;
	  ssl_certificate_key /etc/letsencrypt/live/iitians.xyz/privkey.pem;

	    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
	    # You might want to make these global

	    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
	  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
	  # NOTE(review): TLSv1/TLSv1.1 are deprecated (RFC 8996); `TLSv1.2` alone
	  # is the right value here (TLSv1.3 is not accepted by nginx 1.10.3).
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	  # NOTE(review): the tail from AES128-GCM-SHA256 onward admits static-RSA
	  # key exchange (no forward secrecy) and CBC suites; drop it once legacy
	  # clients are not required.
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
      ssl_session_timeout 5m;
	  ssl_prefer_server_ciphers on;
	  ssl_session_cache shared:SSL:50m;
    }

	# Actual proxy

	server {
	  # NOTE(review): like the :80 block, this binds IPv6 only. IPv4 clients on
	  # :443 are therefore served by whatever sites-enabled defines for that
	  # socket — the likely source of the 404s on internal links (see the
	  # Certbot-managed block quoted further down).
	  listen [::]:443 ssl; # Same rules as for listen [::]:80 apply.
	  server_name iitians.xyz;
	  root /home/diaspora/diaspora/public;

	    # Configure maximum picture size
	    # Note that Diaspora has a client side check set at 4M
	  client_max_body_size 5M;
	  client_body_buffer_size 256K;

	    # SSL setup

	    # This file should also include any necessary intermediate certificates.
	    # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
	    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
	    # and /etc/letsencrypt/diaspora.example.org/privkey.pem
	  ssl_certificate /etc/letsencrypt/live/iitians.xyz/fullchain.pem;
	  ssl_certificate_key /etc/letsencrypt/live/iitians.xyz/privkey.pem;

	    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
	    # You might want to make these global

	    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
	  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

	  # NOTE(review): TLSv1/TLSv1.1 are deprecated (RFC 8996); `TLSv1.2` alone
	  # is the right value here (TLSv1.3 is not accepted by nginx 1.10.3).
	  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	  # NOTE(review): the tail from AES128-GCM-SHA256 onward admits static-RSA
	  # key exchange (no forward secrecy) and CBC suites; drop it once legacy
	  # clients are not required.
	  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
	  ssl_session_timeout 5m;
	  ssl_prefer_server_ciphers on;
	  ssl_session_cache shared:SSL:50m;

	    # Proxy if requested file not found
	  # Any file under root whose path matches the URI is served directly,
	  # before the app sees the request; only keep publishable files in public/.
	  try_files $uri @diaspora;

	  location /assets/ {
	    expires max;
	    add_header Cache-Control public;
	  }

	    # Camo support
	    #location /camo/ {
	    #  proxy_redirect off;
	    #  proxy_pass http://camo/;
	    #  break;
	    #}

	  location @diaspora {
	    # X-Real-IP is set from the socket peer and is the value to trust.
	    proxy_set_header X-Real-IP $remote_addr;
	    # $proxy_add_x_forwarded_for appends $remote_addr to whatever
	    # X-Forwarded-For the client sent, so the leftmost entry is untrusted.
	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	    proxy_set_header X-Forwarded-Proto https;
	    proxy_set_header Host $http_host;
	    proxy_redirect off;

	    proxy_pass http://diaspora_server;
	  }
	}

	  # Proxy destination
	  # Add as many server directives as you want
	  # Also takes a socket, like unix:/path/to/some/socket.sock
	# The www-data workers need write (connect) permission on this socket;
	# a 502 from the proxy block is the usual sign that they do not have it.
	upstream diaspora_server {
	  server unix:/home/diaspora/diaspora/tmp/diaspora.sock;
	}

	  # Camo support
	  #upstream camo {
	  #  server 127.0.0.1:8081;
	  #}

	##
	# Virtual Host Configs
	##

	# Read after the server blocks above. A server in sites-enabled/default
	# marked default_server, or one binding an IPv4 socket nothing above binds,
	# answers instead of the diaspora vhosts — see the diagnosis further down.
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

Are there any files that match /etc/nginx/conf.d/*.conf or /etc/nginx/sites-enabled/*? If so, what are their contents?

Did you restart/reload nginx after writing the config?

/etc/nginx/conf.d is empty

/etc/nginx/sites-enabled is

    ##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	# NOTE(review): this is the block that answers the bare IP and any Host the
	# nginx.conf vhosts do not name: explicit default_server on both :80
	# sockets (and the only IPv4 :80 listener in this setup), root
	# /var/www/html and the stock index files — the default nginx page
	# reported at the top of the thread.
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php7.0-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php7.0-fpm:
	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

server {
	# NOTE(review): Certbot-generated HTTPS vhost for the same names as the
	# diaspora proxy in nginx.conf, but with root /var/www/html and
	# `try_files ... =404`. It is the only IPv4 :443 listener (nginx.conf only
	# binds [::]:443), so IPv4 clients very likely land here and every
	# application path 404s — the symptom in the thread title. The helper's
	# advice below is to remove it.

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;
    server_name www.iitians.xyz iitians.xyz; # managed by Certbot


	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php7.0-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php7.0-fpm:
	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}


    # Certbot's options-ssl-nginx.conf include carries its own ssl_protocols /
    # ssl_ciphers, so this block's TLS settings differ from the nginx.conf ones.
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/iitians.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/iitians.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}
server {
    # NOTE(review): Certbot's HTTP->HTTPS redirect. Server-level `if` + `return`
    # is one of the safe uses of `if`, and $host is only used after an exact
    # match, so the target cannot be steered by the client. It duplicates the
    # :80 redirect already in nginx.conf; keep one of the two.
    if ($host = www.iitians.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = iitians.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


	listen 80 ;
	listen [::]:80 ;
    server_name www.iitians.xyz iitians.xyz;
    # Any other Host reaching this block gets a bare 404.
    return 404; # managed by Certbot




}

After changing nginx.conf I ran
sudo systemctl reload nginx
systemctl status nginx

Again; now I ran:

Well, first: your default server may override your diaspora configs. In nginx.conf, it’s a wise idea to put all your diaspora config after the two include statements, or even better, write all your diaspora nginx configs into a file that gets included, for example /etc/nginx/conf.d/diaspora.conf to make it easier to maintain.

You told certbot to create nginx configs for you, which conflict with what you are trying to do. You didn’t show the file names, but remove the files inside /etc/nginx/sites-enabled that contain the last two server blocks, or to be more precise: the file containing the line server_name www.iitians.xyz iitians.xyz; # managed by Certbot as well as the file that contains those redirects on the bottom. That’s all covered by your diaspora-specific configuration.


For future reference, please use three backticks to properly format your pastes, like so:

32

Otherwise, it’s a mess.

Done; reloaded and restarted nginx, but:

# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	# NOTE(review): unchanged from the previous paste — still the explicit
	# default_server on :80 with root /var/www/html, so the bare IP and unknown
	# Host values keep getting the stock page.
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php7.0-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php7.0-fpm:
	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

server {
	# NOTE(review): only the server_name line was removed. The block still
	# binds 443 on IPv4 (the sole IPv4 :443 listener in this setup) with root
	# /var/www/html, so IPv4 HTTPS requests for the domain presumably still
	# end up here and 404. The helper asked for the whole block to go.

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;


	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php7.0-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php7.0-fpm:
	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}


    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/iitians.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/iitians.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}
server {
    # NOTE(review): the listen and server_name lines were cut but the block
    # itself was kept. With no listen directive nginx falls back to *:80
    # (or *:8000 when not started as root), so this leftover still competes
    # with the :80 redirect in nginx.conf; it should be deleted entirely.
    if ($host = www.iitians.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = iitians.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot




}

But what? You pasted the same config again - including the pieces I asked you to remove.

Can you post the edited /etc/nginx/sites-enabled?

That is a directory, not a file. And you did not include the file names, so I literally can’t tell you what files to remove because I don’t know their names.

Sorry, my bad, it's /etc/nginx/sites-enabled/default
/etc/nginx/nginx.conf

And you are sure that’s the only file in that directory?

yea, and /etc/nginx/sites-enabled/default is a directory which downloads /etc/nginx/sites-available/default file

34%20PM

Then open that file and remove everything after, and including

# Virtual Host configuration for example.com

Done, but the site can't be reached:

# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	# NOTE(review): with the Certbot blocks gone, this default_server still
	# takes every IPv4 :80 request (nginx.conf binds [::]:80 only) and serves
	# /var/www/html instead of redirecting to HTTPS. The helper's next step is
	# to delete this file entirely rather than keep trimming it.
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php7.0-cgi alone:
	#	fastcgi_pass 127.0.0.1:9000;
	#	# With php7.0-fpm:
	#	fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}

Please share the outputs of nginx -t and nginx -v.

2019/07/02 13:37:12 [warn] 13054#13054: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
2019/07/02 13:37:12 [emerg] 13054#13054: BIO_new_file("/etc/letsencrypt/live/iitians.xyz/fullchain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/iitians.xyz/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed




nginx version: nginx/1.10.3 (Ubuntu)

And now, do that again as your root user or with sudo.

sudo

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

root

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Cool. Assuming diaspora is the only application on the server, do the following.

Remove /etc/nginx/sites-enabled/default completely. Replace your entire nginx.conf with the following

# Workers run as www-data; start the master as root (or via systemd) so the
# directive applies — run unprivileged, `nginx -t` reports it as ignored.
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
  # Upper bound on simultaneous connections per worker (client and upstream
  # connections both count against it).
  worker_connections 768;
  # multi_accept on;
}

http {

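  ##
  # Basic Settings
  ##

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;
  # Stop advertising the exact version in the Server header and on error
  # pages (the "nginx/1.10.3 (Ubuntu)" banner in this thread's title comes
  # from leaving this at the default).
  server_tokens off;

  # server_names_hash_bucket_size 64;
  # server_name_in_redirect off;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;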

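  ##
  # SSL Settings
  ##

  # TLS 1.0 and 1.1 are deprecated (RFC 8996). Do not add TLSv1.3: that
  # keyword needs nginx >= 1.13 with OpenSSL >= 1.1.1 and makes `nginx -t`
  # fail on the 1.10.3 build used in this thread. The server blocks below
  # repeat ssl_protocols and override this value; keep them in sync.
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;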

  ##
  # Logging Settings
  ##

  # error_log is at the default level; raise it to notice or info to see
  # which server block answers a request while debugging.
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  ##
  # Gzip Settings
  ##

  # Applies to every server below, including the HTTPS proxy. The Debian
  # default vhost quoted earlier in this thread advises disabling gzip for
  # SSL traffic (bugs.debian.org/773332): compressing responses that embed
  # secrets is what BREACH-style attacks rely on. Restricting gzip_types to
  # static asset types is the usual compromise; gzip_static only serves
  # pre-compressed .gz siblings of files under root.
  gzip on;
  gzip_disable "msie6";
  gzip_static on;

  # gzip_vary on;
  # gzip_proxied any;
  # gzip_comp_level 6;
  # gzip_buffers 16 8k;
  # gzip_http_version 1.1;
  # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
  
  server {
    # If your host is not IPv6 ready use listen 80; here.
    # Add ipv6only=off to your listen directive that has default_server.
    # Or this one if this is your only vhost. Do not add it to both!
    # default_server + ipv6only=off: this single socket takes IPv4 and IPv6
    # and answers the bare IP and any unknown Host, so every plain-HTTP
    # request is redirected instead of landing on a stock welcome page.
    # (The "not both" warning is about two listen directives on the same
    # port; :80 here and :443 below are different sockets.)
    listen [::]:80 default_server ipv6only=off;
    server_name iitians.xyz www.iitians.xyz;
    
    # $server_name is this block's primary name (iitians.xyz), not the
    # client-supplied Host header, so the redirect target is fixed.
    location / {
      return 301 https://$server_name$request_uri;
    }
  }

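  # Redirect https://www.diaspora.example.org to https://diaspora.example.org
  server {
    listen [::]:443 ssl;  # Same rules as for listen [::]:80 apply.

    server_name www.iitians.xyz;
    
    # Hard-coded canonical host: a client-supplied Host header cannot steer
    # this redirect.
    location / {
      return 301 https://iitians.xyz$request_uri;
    }

    # SSL setup

    # This file should also include any necessary intermediate certificates.
    # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
    # and /etc/letsencrypt/diaspora.example.org/privkey.pem
    ssl_certificate /etc/letsencrypt/live/iitians.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/iitians.xyz/privkey.pem;

    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
    # You might want to make these global

    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # TLS 1.0/1.1 are deprecated (RFC 8996). Do not add TLSv1.3: that keyword
    # needs nginx >= 1.13 with OpenSSL >= 1.1.1 and fails `nginx -t` on the
    # 1.10.3 build used in this thread.
    ssl_protocols TLSv1.2;
    # Mozilla "intermediate" list of the time. The tail from AES128-GCM-SHA256
    # onward admits static-RSA key exchange (no forward secrecy) and CBC
    # suites; drop it once legacy clients are not required.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
  }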

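  # Actual proxy

  server {
    # default_server + ipv6only=off: the one IPv4/IPv6 socket on :443, so no
    # vhost from an included file can shadow the application for IPv4 clients
    # the way the Certbot-managed block did earlier in this thread.
    listen [::]:443 ssl default_server ipv6only=off; # Same rules as for listen [::]:80 apply.
    server_name iitians.xyz;
    root /home/diaspora/diaspora/public;

    # Configure maximum picture size
    # Note that Diaspora has a client side check set at 4M
    client_max_body_size 5M;
    client_body_buffer_size 256K;

    # SSL setup

    # This file should also include any necessary intermediate certificates.
    # For example for StartSSL that would be https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
    # For Let's Encrypt use /etc/letsencrypt/live/diaspora.example.org/fullchain.pem
    # and /etc/letsencrypt/diaspora.example.org/privkey.pem
    ssl_certificate /etc/letsencrypt/live/iitians.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/iitians.xyz/privkey.pem;

    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
    # You might want to make these global

    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # TLS 1.0/1.1 are deprecated (RFC 8996). Do not add TLSv1.3: that keyword
    # needs nginx >= 1.13 with OpenSSL >= 1.1.1 and fails `nginx -t` on the
    # 1.10.3 build used in this thread.
    ssl_protocols TLSv1.2;
    # Mozilla "intermediate" list of the time. The tail from AES128-GCM-SHA256
    # onward admits static-RSA key exchange (no forward secrecy) and CBC
    # suites; drop it once legacy clients are not required.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;

    # Once HTTPS is confirmed working, consider pinning clients to it:
    #   add_header Strict-Transport-Security "max-age=31536000" always;
    # (a location with its own add_header, like /assets/ below, does not
    # inherit it and would need the line repeated).

    # Proxy if requested file not found
    # Any file under root whose path matches the URI is served directly,
    # before the app sees the request; only keep publishable files in public/.
    try_files $uri @diaspora;

    location /assets/ {
      expires max;
      add_header Cache-Control public;
    }

    # Camo support
    #location /camo/ {
    #  proxy_redirect off;
    #  proxy_pass http://camo/;
    #  break;
    #}

    location @diaspora {
      # X-Real-IP is set from the socket peer and is the value to trust.
      proxy_set_header X-Real-IP $remote_addr;
      # $proxy_add_x_forwarded_for appends $remote_addr to whatever
      # X-Forwarded-For the client sent, so the leftmost entry is untrusted.
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host $http_host;
      proxy_redirect off;

      proxy_pass http://diaspora_server;
    }
  }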

  # Proxy destination
  # Add as many server directives as you want
  # Also takes a socket, like unix:/path/to/some/socket.sock
  # The www-data workers need write (connect) permission on this socket; a 502
  # from the proxy block is the usual sign that they do not have it.
  upstream diaspora_server {
    server unix:/home/diaspora/diaspora/tmp/diaspora.sock;
  }

  # Camo support
  #upstream camo {
  #  server 127.0.0.1:8081;
  #}
}