nginx configuration for HTTPS

blog.nytsoi.net

server {
        listen 80;
        listen    [::]:80;
        server_name blog.nytsoi.net;
        location / {
                rewrite ^ https://$server_name$request_uri permanent;
        }
}



server {
        listen 443 ssl;
        listen   [::]:443 ssl;

        root /var/www/blog/apps/mebe_web/priv;

        # Make site accessible from subdomain
        server_name blog.nytsoi.net;
        autoindex on;

        access_log /var/log/nginx/blog.access.log;
        error_log /var/log/nginx/blog.error.log;

        # HTTPS
        ssl_certificate certs/blog.nytsoi.net.chained.crt;
        ssl_certificate_key certs/blog.nytsoi.net.key;

        include generic/sites-general.conf;
        include generic/sites-https.conf;

        location / {
                proxy_pass http://localhost:1337;
        }
}

nginx.conf

user http;
worker_processes  8;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    tcp_nopush      on;
    tcp_nodelay     on;

    # AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    # (allow long domain names in configuration)
    server_names_hash_bucket_size 512;

    client_max_body_size 20m;
    client_body_buffer_size 128k;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    gzip  on;

    # Additional types to gzip, text/html is always gzipped
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    charset utf-8;

    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;

    include conf.d/*.conf;
    include sites-enabled/*;
}

sites-https.conf

# Generic HTTPS settings that need to go in the server section

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

# Forbid HTTPS sites from being shown in a frame
add_header X-Frame-Options "DENY";

tls-security.conf

# Settings for better HTTPS / WSS security

# Disable SSLv3 to protect from POODLE
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;


# Update regularly!
# Safe cipher suite list from https://weakdh.org/sysadmin.html
# Also enables the use of our own DH group

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

ssl_prefer_server_ciphers on;
ssl_dhparam 'dhparams.pem';