Website server block

How to set up a server block for your website




Server block configuration

/etc/nginx/sites-available/lnxsrv.org.conf
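# HTTPS virtual host for lnxsrv.org: serves static files from /srv/http/lnxsrv.org
# over TLS with Certbot-managed certificates and a set of response security headers.
server {
    listen 443 ssl;
    # Stand-alone "http2" directive (nginx 1.25.1+); it replaces the older
    # "http2" parameter of "listen".
    http2  on;

    # IPv6 listener; HTTP/2 is already enabled by "http2 on;" above.
#   listen [::]:443 ssl;

    server_name lnxsrv.org;

    # No HTTP->HTTPS rewrite in this block. The original line
    # ("rewrite https://$host$request_uri? permanent;") had no regex argument,
    # so nginx would read the URL as the pattern and "permanent" as the
    # replacement. Written correctly it would redirect HTTPS requests to
    # themselves. The redirect belongs to the port-80 server block.

    error_log   /var/log/nginx/lnxsrv.org.error.log;
    access_log  /var/log/nginx/lnxsrv.org.access.log;

    # How long nginx waits between two successive reads of the client body.
    # Enabling these limits how long a slow client can hold a connection open.
    # client_body_timeout 10s;
    # How long nginx waits for the client to send the request header.
    # client_header_timeout 10s;

    location / {
        root   /srv/http/lnxsrv.org;
        index  index.html index.htm;
        # Request rate limiting; needs a matching "limit_req_zone ... zone=one"
        # in the http context before it can be enabled.
        # limit_req zone=one burst=60 nodelay;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # These are the paths to your generated Let's Encrypt SSL certificates.
    # privkey.pem must stay readable by root only.
    ssl_certificate /etc/letsencrypt/live/lnxsrv.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/lnxsrv.org/privkey.pem; # managed by Certbot
    # Protocol and cipher settings come from this Certbot-maintained file.
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # NOTE(review): the included Certbot file may also set ssl_session_cache;
    # confirm with "nginx -t" that the two do not conflict and keep only one.
    ssl_session_cache   shared:SSL:60m;

    # Cache-control Directive Header
    #add_header Surrogate-Control "public, no-transform, no-cache, max-age=86400";
    expires 1d;
    add_header Cache-Control "public, no-transform";

    # Anti-MIME-Sniffing header. "always" sends it on error responses too;
    # without it nginx adds the header only to 2xx/3xx responses.
    add_header X-Content-Type-Options nosniff always;

    # Content Security Policy (CSP) Header
    # Test the policy against the site's real assets before enabling it.
    # add_header Content-Security-Policy "default-src 'self';" always;

    # Anti-ClickJacking Header
    add_header  X-Frame-Options "SAMEORIGIN" always;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    # Browsers will refuse plain HTTP for this host for that long, so HTTPS
    # must stay available.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # NOTE: add_header directives are inherited by a location only if that
    # location defines no add_header of its own. Repeat the security headers
    # in any location that later adds one.

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/lnxsrv.org/chain.pem; # managed by Certbot

    # OCSP stapling
    # NOTE(review): stapling needs an OCSP responder URL in the certificate.
    # If the issuing CA no longer provides one, nginx logs a warning and
    # ignores these directives. Check against the current certificate.
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
}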

# Plain-HTTP listener: redirects requests for lnxsrv.org to HTTPS and answers
# 404 for any other Host value that reaches this block.
server {
    listen       80;
#   listen  [::]:80;
    server_name  lnxsrv.org;

    # Redirect only when the Host header is exactly the expected name, so the
    # Location header cannot carry a client-chosen host.
    if ($host = lnxsrv.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot
}

# Enable the site: link the config from sites-available into sites-enabled.
# Assumes nginx.conf includes /etc/nginx/sites-enabled/ (confirm in the http block).
ln -s /etc/nginx/sites-available/lnxsrv.org.conf /etc/nginx/sites-enabled/lnxsrv.org.conf

Check nginx configuration file syntax

nginx -t

Restart service

systemctl restart nginx.service

# Disable the site: remove the symlink from sites-enabled. The file in
# sites-available is left in place. Run "nginx -t" and restart nginx afterwards
# for the change to take effect.
unlink /etc/nginx/sites-enabled/lnxsrv.org.conf