Skip to content

Instantly share code, notes, and snippets.

@aymericb
Last active February 20, 2017 20:18
Show Gist options
  • Save aymericb/b1a6e889fcca07058bc7 to your computer and use it in GitHub Desktop.
Save aymericb/b1a6e889fcca07058bc7 to your computer and use it in GitHub Desktop.
NGINX with Let's Encrypt configuration
#!/bin/sh
/srv/letsencrypt/letsencrypt-auto certonly --webroot -w /srv/blog.barthe.ph/www -d blog.barthe.ph --renew-by-default --agree-tos
service nginx reload
# Redirect other domains to blog.barthe.ph
server {
server_name www.blog.barthe.ph barthe.ph www.barthe.ph;
return 302 https://blog.barthe.ph;
}
# Redirect HTTP -> HTTPS
server {
server_name blog.barthe.ph;
listen 80;
# Exception needed for ACME / Let's Encrypt certificate update
location /.well-known/ {
root /srv/blog.barthe.ph/www;
try_files $uri $uri/ =404;
}
location / {
return 301 https://$server_name$request_uri;
}
}
# Serve HTTPS
server {
server_name blog.barthe.ph;
listen 443 ssl;
# Basic TLS setup
ssl_certificate /etc/letsencrypt/live/blog.barthe.ph/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.barthe.ph/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Stronger Diffie-Hellman key for forward secrecy
ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
# Optimizations
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 20m;
# Cipher suite
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES256-SHA:AES128-SHA';
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/blog.barthe.ph/fullchain.pem;
# HSTS (1 yr)
add_header Strict-Transport-Security max-age=31536000;
# Static file setup
root /srv/blog.barthe.ph/www;
index index.html index.htm;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.html
try_files $uri $uri/ /index.html;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment