Nginx config for ItCase projects

acme.conf

# /etc/nginx/snippets/letsencrypt.conf

location /.well-known {
  root /var/www/html;
}

default.conf

# /etc/nginx/sites-enabled/default

server {
  listen      80 default_server;
  listen [::]:80 default_server ipv6only=on;
  
  server_name _;

  return 301 https://$host$request_uri;
}

example.conf

server {
  listen      443 ssl http2;
  listen [::]:443 ssl http2;

  server_name www.example.com;

  ssl_certificate     ssl/example/fullchain.pem;
  ssl_certificate_key ssl/example/key.pem;

  include enable/ssl.conf;

  access_log off;

  return 301 https://example.com$request_uri;
}

server {
  listen      443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server ipv6only=on;
  
  server_name .example.com;

  ssl_certificate     ssl/example/fullchain.pem;
  ssl_certificate_key ssl/example/key.pem;

  include enable/acme.conf;
  include enable/ssl.conf;
  
  # Disable images from http://
  add_header Content-Security-Policy "block-all-mixed-content";

  error_log /home/web/example/log/nginx.error.log;
  
  # Yandex Webvisor
  set $frame_options '';
  if ($http_referer !~ '^https?:\/\/([^\/]+\.)?(example\.com|webvisor\.com)\/'){
    set $frame_options 'SAMEORIGIN';
  }
  add_header X-Frame-Options $frame_options;

  set $root /home/web/example;
  set $src $root/src;

  root $src;

  location ~* ^/(static|media) {
    access_log off;
  }

  location ~* ^/(?!sitemap\.xml)[-\w]+\.(txt|xml|html)$ {
    root $src/media/uploads/seo;
    access_log off;
  }

  location ~ ^/(apple|browserconfig|favicon|mstile)(.*)\.(png|xml|ico)$ {
    root $src/static/img/favicon;
    access_log off;
  }

  location / {
    client_max_body_size  10m;

    include               uwsgi_params;

    uwsgi_pass            unix://$root/run/uwsgi_example.sock;
    uwsgi_read_timeout    300;
  }
}

ssl.conf

# /etc/nginx/snippets/ssl.conf

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_stapling on;
ssl_stapling_verify on;

resolver 8.8.8.8;

add_header Strict-Transport-Security "max-age=31536000";

Enable Forward Secrecy

openssl dhparam -out /etc/nginx/certs/dhparam.pem 2048
echo "ssl_dhparam /etc/nginx/certs/dhparam.pem;" >> /etc/nginx/conf.d/ssl_dhparam.conf

Install certificates to Nginx:

acme.sh --install-cert -d example \
--fullchain-file /etc/nginx/certs/example/fullchain.pem \
--key-file       /etc/nginx/certs/example/key.pem \
--reloadcmd      "service nginx force-reload"