Adding some basic configuration for Nginx as a reverse proxy

For now the readme walks the user through how to generate any keys that may be required for self signing, more documentation to come in following patches on origin/nginx

nginx-conf/freechat.conf

@@ -0,0 +1,18 @@
+server {
+	# Freechat servers should not bother adding support for unencrypted trafic
+	listen 443 ssl; # default_server;
+	listen [::]:443 ssl; # default_server;
+
+	# Uncomment this line if you are self signing your certs
+	#include snippets/self-signed.conf;
+
+	# General SSL/TLS settings for nginx
+	include snippets/ssl-params.conf;
+
+	server_name _;
+
+	location / {
+		proxy_pass http://0.0.0.0:4536;
+	}
+}
+

nginx-conf/readme.md

@@ -0,0 +1,3 @@
+# Configs for Nginx Reverse Proxy
+
+The above are ultra minimal configs for setting up nginx.

nginx-conf/self-signed.conf

@@ -0,0 +1,4 @@
+# This should only be used if you are planning on self signing
+
+ssl_certificate /etc/ssl/certs/freechat.crt;
+ssl_certificate_key /etc/ssl/private/freechat.key;

nginx-conf/ssl-params.conf

@@ -0,0 +1,20 @@
+ssl_protocols TLSv1 TLSV1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now.  You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+# literal misspelling
+ssl_dhparam /etc/ssl/certs/nginx-dev.pem;
+