nginx configuration for HTTPS
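# Plain-HTTP listener whose only job is to send every request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name blog.nytsoi.net;

    # `return 301` is the idiomatic permanent redirect and avoids a rewrite
    # gotcha: with `rewrite ^ https://$server_name$request_uri permanent;`
    # the replacement already contains the query string (from $request_uri),
    # and nginx then appends the original arguments a second time, so
    # /post?x=1 is redirected to /post?x=1&x=1. `return` does no appending.
    # $server_name (not $host) is used deliberately: the redirect target can
    # never be steered by a client-supplied Host header.
    return 301 https://$server_name$request_uri;
}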
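# HTTPS listener for the blog: terminates TLS here and proxies to the
# application listening on localhost:1337.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name blog.nytsoi.net;

    # Only used for responses nginx serves itself (e.g. error pages), since
    # `location /` below hands everything to the backend.
    root /var/www/blog/apps/mebe_web/priv;
    # Directory listings were switched on here. Nothing in this config needs
    # them, and they would expose the layout of the priv directory for any
    # path nginx ends up serving locally, so keep them off.
    autoindex off;

    access_log /var/log/nginx/blog.access.log;
    error_log /var/log/nginx/blog.error.log;

    # HTTPS: full chain (leaf + intermediates) and the private key. Keep the
    # key file readable by root only.
    ssl_certificate certs/blog.nytsoi.net.chained.crt;
    ssl_certificate_key certs/blog.nytsoi.net.key;
    # Shared response headers (HSTS etc.) and TLS protocol/cipher settings.
    include generic/sites-general.conf;
    include generic/sites-https.conf;

    location / {
        # Tell the backend who the real client is and that the hop in front
        # of it was TLS. Without these it sees every request as coming from
        # 127.0.0.1 over plain HTTP (wrong logs and rate limits, wrong scheme
        # in generated links/redirects, wrong Secure-cookie decisions).
        # X-Real-IP is the value to trust; X-Forwarded-For carries whatever
        # the client sent plus $remote_addr appended, so a backend must only
        # honour its last element.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://localhost:1337;
    }
}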
# Worker processes run as the unprivileged `http` account.
user http;
# Fixed worker count (`auto` would size it to the CPU count instead).
worker_processes 8;

# Global error log and pid file: left at the compiled-in defaults.
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    # Upper bound on simultaneous connections handled by each worker.
    worker_connections 1024;
}
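http {
    include mime.types;
    default_type application/octet-stream;

    # Don't advertise the nginx version in the Server header and on error
    # pages; it only helps an attacker narrow down what to try.
    server_tokens off;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # Allow long domain names in server_name (the default bucket size is too
    # small for some hostnames).
    server_names_hash_bucket_size 512;

    # Request-body limits: reject bodies over 20 MB up front and buffer small
    # ones in memory. Keep these as small as the apps behind nginx need.
    client_max_body_size 20m;
    client_body_buffer_size 128k;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    # Compression. Caveat: compressing a response that mixes a secret (CSRF
    # token, session id) with attacker-influenced input over TLS is the
    # precondition for compression-oracle attacks (BREACH). Acceptable for a
    # public blog; for authenticated responses, disable gzip on those paths.
    gzip on;
    # Additional types to gzip; text/html is always gzipped.
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    charset utf-8;

    # TLS session cache shared across all workers. Session tickets are still
    # on by default; if forward secrecy matters more than resumption speed,
    # look at `ssl_session_tickets off;` or rotate `ssl_session_ticket_key`.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    include conf.d/*.conf;
    include sites-enabled/*;
}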
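# Generic HTTPS response headers; include this inside every TLS `server` block.
# Note: nginx does not inherit add_header into a nested block that defines its
# own add_header — any location that adds a header must repeat these.

# HSTS for two years. `includeSubdomains` and `preload` commit every host under
# this name to HTTPS, and a preload-list entry cannot be undone quickly, so only
# keep them if every subdomain is HTTPS-only. `always` also sends the header on
# 4xx/5xx responses (nginx >= 1.7.5).
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;

# Forbid HTTPS sites from being shown in a frame (clickjacking).
add_header X-Frame-Options "DENY" always;

# Stop browsers sniffing a response into a type other than the declared one.
add_header X-Content-Type-Options "nosniff" always;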
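# Settings for better HTTPS / WSS security

# SSLv3 is long dead (POODLE) and TLS 1.0/1.1 are deprecated (RFC 8996);
# offer only TLS 1.2. Add TLSv1.3 here once the nginx/OpenSSL build supports it.
ssl_protocols TLSv1.2;

# Update regularly! Starting point was the weakdh.org list, trimmed so that:
#  - only (EC)DHE suites remain, so every session has forward secrecy;
#  - AEAD (GCM) suites come first, CBC suites only for older clients;
#  - 3DES (64-bit block cipher), DSS, static-RSA key exchange and the
#    `AES:CAMELLIA` catch-alls (which pull in suites nobody reviewed) are gone.
# The `!` exclusions stay as a belt-and-braces guard.
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!DSS';
# Let the server's order win so AEAD stays ahead of CBC for clients that list
# them the other way round.
ssl_prefer_server_ciphers on;
# Custom DH group for the DHE suites. Generate it with at least 2048 bits
# (openssl dhparam -out dhparams.pem 2048); a 1024-bit group undoes the point
# of the list above.
ssl_dhparam 'dhparams.pem';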