-
-
Save andrefsp/5198848 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## At the http level | |
| map $http_cookie $is_secure { | |
| default 0; | |
| ~SESS 1; # there's a session cookie (use SSL - authenticated user) | |
| } | |
| map $is_secure $not_secure { | |
| 1 0; | |
| 0 1; | |
| } | |
| ## In the non-SSL host | |
| server { | |
| listen [::]:443 ssl; | |
| server_name ssl.example.com; | |
| limit_conn arbeit 32; | |
| if ($is_secure) { | |
| return 302 https://ssl.example.com$request_uri; | |
| } | |
| ## Access and error logs. | |
| access_log /var/log/nginx/example.com_access.log; | |
| error_log /var/log/nginx/example.com_error.log; | |
| ## Keep alive timeout set to a greater value for SSL/TLS. | |
| keepalive_timeout 10 10; | |
| root /var/www/sites/example.com; | |
| index index.php; | |
| ## If you're using a Nginx version greater or equal to 1.1.4 then | |
| ## you can use keep alive connections to the upstream be it | |
| ## FastCGI or Apache. If that's not the case comment out the line below. | |
| fastcgi_keep_conn on; # keep alive to the FCGI upstream | |
| #... more stuff ... | |
| } # HTTP server | |
| ## In the SSL host | |
| server { | |
| listen [::]:443 ssl; | |
| server_name ssl.example.com; | |
| limit_conn arbeit 32; | |
| if ($not_secure) { | |
| return 302 http://example.com$request_uri; | |
| } | |
| ## Get the 497 error (HTTP request on a HTTPS host). | |
| error_page 497 =302 https://ssl.example.com$request_uri; | |
| ## Access and error logs. | |
| access_log /var/log/nginx/ssl.example.com_access.log; | |
| error_log /var/log/nginx/ssl.example.com_error.log; | |
| ## Keep alive timeout set to a greater value for SSL/TLS. | |
| keepalive_timeout 75 75; | |
| ## See the keepalive_timeout directive in nginx.conf. | |
| ## Server certificate and key. | |
| ssl_certificate /etc/ssl/certs/example-cert.pem; | |
| ssl_certificate_key /etc/ssl/private/example.key; | |
| ## Strict Transport Security header for enhanced security. See | |
| ## http://www.chromium.org/sts. I've set it to 2 hours; set it to | |
| ## whichever age you want. | |
| add_header Strict-Transport-Security "max-age=7200"; | |
| root /var/www/sites/example.com; | |
| index index.php; | |
| ## If you're using a Nginx version greater or equal to 1.1.4 then | |
| ## you can use keep alive connections to the upstream be it | |
| ## FastCGI or Apache. If that's not the case comment out the line below. | |
| fastcgi_keep_conn on; # keep alive to the FCGI upstream | |
| #... more stuff ... | |
| } # HTTPS server |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment