Instantly share code, notes, and snippets.

@4lun /domain.com
Last active Jul 31, 2018

Embed
What would you like to do?
NGINX config for using Let's Encrypt via the acme.sh client, assumes the existence of a `/var/www/.letsencrypt` directory and enforces HTTPS while allowing cert issue/renewal over HTTP
server {
listen 80;
server_name domain.com;
include letsencrypt_params;
}
server {
listen 443;
server_name domain.com;
include ssl_params;
ssl_certificate /root/.acme.sh/domain.com/domain.com.cer;
ssl_certificate_key /root/.acme.sh/domain.com/domain.com.key;
ssl_trusted_certificate /root/.acme.sh/domain.com/fullchain.cer;
location / {
//
}
}
# USAGE TEMPLATE (within server block):
# ------------------------------------------------------------------------------
# listen 80;
# server_name domain.com;
# include letsencrypt_params;
# ------------------------------------------------------------------------------
# Command to issue letsencrypt SSL certificates using acme.sh:
# acme.sh --issue -d domain.com -w /var/www/.letsencrypt
root /var/www/.letsencrypt/;
index index.html;
location / {
rewrite ^/(.*)$ https://$host$request_uri permanent;
}
location ^~ /.well-known/ {
try_files $uri $uri/ =404;
}
# USAGE TEMPLATE (within server block):
# ------------------------------------------------------------------------------
# include ssl_params;
# ssl_certificate /root/.acme.sh/domain.com/fullchain.cer;
# ssl_certificate_key /root/.acme.sh/domain.com/domain.com.key;
# ssl_trusted_certificate /root/.acme.sh/domain.com/fullchain.cer;
# ------------------------------------------------------------------------------
# Generate required dhparam.pem file with:
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
#
# SOURCE: https://gist.github.com/plentz/6737338
ssl on;
# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers chosen for forward secrecy and compatibility
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
resolver 8.8.8.8;
ssl_stapling on;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment