Skip to content

Instantly share code, notes, and snippets.

@4lun

4lun/domain.com

Last active November 20, 2020 20:06
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save 4lun/48350af081c83bf1a9399f27766e62c3 to your computer and use it in GitHub Desktop.
Save 4lun/48350af081c83bf1a9399f27766e62c3 to your computer and use it in GitHub Desktop.
Download ZIP
NGINX config for using Let's Encrypt via the acme.sh client, assumes the existence of a `/var/www/.letsencrypt` directory and enforces HTTPS while allowing cert issue/renewal over HTTP
Raw
domain.com
server {
listen 80;
server_name domain.com;
include letsencrypt_params;
}
server {
listen 443;
server_name domain.com;
include ssl_params;
ssl_certificate /root/.acme.sh/domain.com/domain.com.cer;
ssl_certificate_key /root/.acme.sh/domain.com/domain.com.key;
ssl_trusted_certificate /root/.acme.sh/domain.com/fullchain.cer;
location / {
//
}
}
Raw
letsencrypt_params
# USAGE TEMPLATE (within server block):
# ------------------------------------------------------------------------------
# listen 80;
# server_name domain.com;
# include letsencrypt_params;
# ------------------------------------------------------------------------------
# Command to issue letsencrypt SSL certificates using acme.sh:
# acme.sh --issue -d domain.com -w /var/www/.letsencrypt
root /var/www/.letsencrypt/;
index index.html;
location / {
rewrite ^/(.*)$ https://$host$request_uri permanent;
}
location ^~ /.well-known/ {
try_files $uri $uri/ =404;
}
Raw
ssl_params
# USAGE TEMPLATE (within server block):
# ------------------------------------------------------------------------------
# include ssl_params;
# ssl_certificate /root/.acme.sh/domain.com/fullchain.cer;
# ssl_certificate_key /root/.acme.sh/domain.com/domain.com.key;
# ssl_trusted_certificate /root/.acme.sh/domain.com/fullchain.cer;
# ------------------------------------------------------------------------------
# Generate required dhparam.pem file with:
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
#
# SOURCE: https://gist.github.com/plentz/6737338
ssl on;
# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers chosen for forward secrecy and compatibility
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
resolver 8.8.8.8;
ssl_stapling on;
@ohkeenan
Copy link

ohkeenan commented Nov 20, 2020
edited

To anyone reading this, this is outdated and I'm not sure it was ever right for nginx because of the missing chain cert.

In domain.com file, change:

    ssl_certificate /root/.acme.sh/domain.com/domain.com.cer;
    ssl_certificate_key /root/.acme.sh/domain.com/domain.com.key;
    ssl_trusted_certificate /root/.acme.sh/domain.com/fullchain.cer;

to:

    ssl_certificate /root/.acme.sh/domain.com/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/domain.com/domain.com.key;

Then in server config, make sure to change the listen directive to:

listen 443 ssl http2;
listen [::]:443 ssl http2;

And use latest Mozilla SSL generator ssl_config options. Currently:

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];

Giving me an A+ at Qualy's.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment