## fill in the DOMAIN_NAME ## fill in the PREFIX_BTCPAY_PORT # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the # scheme used to connect to this server map $http_x_forwarded_proto $proxy_x_forwarded_proto { default $http_x_forwarded_proto; '' $scheme; } # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the # server port the client connected to map $http_x_forwarded_port $proxy_x_forwarded_port { default $http_x_forwarded_port; '' $server_port; } # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any # Connection header that may have been passed to this server map $http_upgrade $proxy_connection { default upgrade; '' close; } # Apply fix for very long server names #server_names_hash_bucket_size 128; # Prevent Nginx Information Disclosure #server_tokens off; # Default dhparam # Set appropriate X-Forwarded-Ssl header map $scheme $proxy_x_forwarded_ssl { default off; https on; } #gzip on; gzip_min_length 1000; gzip_types image/svg+xml text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; log_format vhost '$host $remote_addr - $remote_user [$time_local ] ' '"$request" $status $body_bytes_sent ' '"$http_referer""$http_user_agent"'; access_log off; # HTTP 1.1 support proxy_http_version 1.1; proxy_buffering off; proxy_set_header Host $http_host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl; proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; client_header_buffer_size 500k; large_client_header_buffers 4 500k; # Mitigate httpoxy attack (see README for details) proxy_set_header Proxy ""; server { listen 80 http2; listen 443 ssl http2; server_name pay.diynodes.com; # add_header 'Access-Control-Allow-Origin' '*'; ssl_certificate /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL: 50m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/letsencrypt/live/$DOMAIN_NAME/chain.pem; location / { # add_header 'Access-Control-Allow-Origin' '*'; proxy_pass $PREFIX_BTCPAY_PORT; # For websockets #proxy_set_header Upgrade $http_upgrade; #proxy_set_header Connection $http_connection; proxy_redirect off; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header Host $http_host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl; proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; client_max_body_size 100M; #proxy_set_header Host $http_host; #proxy_set_header X-Real-IP $remote_addr; #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #proxy_set_header X-Forwarded-Proto https; #proxy_read_timeout 600; #proxy_connect_timeout 600; #proxy_send_timeout 600; } #location = /.well-known/nostr.json { # return 301 https: //nostr.diynodes.com$request_uri; # } location /.well-known/nostr.json { add_header 'Access-Control-Allow-Origin' '*'; alias /var/www/html/.well-known/nostr.json; } # location /.well-known/lnurlp/openoms { # add_header 'Access-Control-Allow-Origin' '*'; # proxy_pass https: //100.106.178.118:23001; #proxy_redirect off; #proxy_set_header Host $http_host; #proxy_set_header X-Real-IP $remote_addr; #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #proxy_set_header X-Forwarded-Proto https; # #proxy_read_timeout 600; #proxy_connect_timeout 600; #proxy_send_timeout 600; # ## remove if not needed ## proxy_set_header X-Forwarded-Host $server_name; # } # # location /BTC/UILNURL/pay/i { add_header 'Access-Control-Allow-Origin' '*'; proxy_pass $PREFIX_BTCPAY_PORT; proxy_redirect off; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 600; proxy_connect_timeout 600; proxy_send_timeout 600; # remove if not needed # proxy_set_header X-Forwarded-Host $server_name; } }