alankis/lets_encrypt_ssl_config.conf

## lets_encrypt_ssl_config.conf
# This is neat and simple example of virtual host configuration
# Rails application with LetsEncryptSSL running on nginx and
# Passenger.

server {
  listen 80;
  server_name example.com www.example.com;
  return 301 https://$server_name$request_uri;
}

server {
  #Basic configuration
  listen 443 ssl;
  server_name example.com www.example.com;
  passenger_enabled on;
  passenger_app_env development;
  root /home/user/path_to_app_root/public;

  #Required for LetsEncryptSSL Certificate
  location ~ /.well-known {
    allow all;
   }


  #Include SSL config
  include snippets/ssl-example.com.conf;
  include snippets/ssl-params.conf;
}

# SSL configuration
# This file is under /etc/nginx/snippets/ssl-example.com.conf

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

# SSL Params
# This file is under /etc/nginx/snippets/ssl-params.conf
# You can find more information on bellow links

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;
	# This is neat and simple example of virtual host configuration
	# Rails application with LetsEncryptSSL running on nginx and
	# Passenger.

	server {
	listen 80;
	server_name example.com www.example.com;
	return 301 https://$server_name$request_uri;
	}

	server {
	#Basic configuration
	listen 443 ssl;
	server_name example.com www.example.com;
	passenger_enabled on;
	passenger_app_env development;
	root /home/user/path_to_app_root/public;

	#Required for LetsEncryptSSL Certificate
	location ~ /.well-known {
	allow all;
	}


	#Include SSL config
	include snippets/ssl-example.com.conf;
	include snippets/ssl-params.conf;
	}

	# SSL configuration
	# This file is under /etc/nginx/snippets/ssl-example.com.conf

	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

	# SSL Params
	# This file is under /etc/nginx/snippets/ssl-params.conf
	# You can find more information on bellow links

	# from https://cipherli.st/
	# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_ecdh_curve secp384r1;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;
	# Disable preloading HSTS for now. You can use the commented out header line that includes
	# the "preload" directive if you understand the implications.
	#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;

	ssl_dhparam /etc/ssl/certs/dhparam.pem;