Last active
March 4, 2024 15:39
-
-
Save colinmcintosh/25425fccbde0a5bdc9df1153bd94b665 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
worker_processes auto; | |
worker_rlimit_nofile 65535; | |
events { | |
multi_accept on; | |
worker_connections 65535; | |
} | |
http { | |
charset utf-8; | |
sendfile on; | |
tcp_nopush on; | |
tcp_nodelay on; | |
server_tokens off; | |
log_not_found off; | |
types_hash_max_size 2048; | |
client_max_body_size 16M; | |
# MIME | |
include mime.types; | |
default_type application/octet-stream; | |
# logging | |
access_log /var/log/nginx/access.log; | |
error_log /var/log/nginx/error.log warn; | |
# Remove Nginx version from server header | |
server_tokens off; | |
ssl_protocols TLSv1.2 TLSv1.3; | |
ssl_prefer_server_ciphers on; | |
ssl_dhparam /etc/nginx/dhparam.pem; # sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096 | |
# Update ciphers from https://ssl-config.mozilla.org/#server=nginx | |
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; | |
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 | |
ssl_session_timeout 10m; | |
ssl_session_cache shared:SSL:10m; | |
ssl_session_tickets off; # Requires nginx >= 1.5.9 | |
ssl_stapling on; # Requires nginx >= 1.3.7 | |
ssl_stapling_verify on; # Requires nginx => 1.3.7 | |
resolver 1.1.1.1 8.8.8.8 valid=300s; | |
resolver_timeout 5s; | |
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; | |
add_header X-Frame-Options DENY; | |
add_header X-Content-Type-Options nosniff; | |
add_header X-XSS-Protection "1; mode=block"; | |
server { | |
server_name example.mydomain.com; | |
listen 80 default_server; | |
return 301 https://$host$request_uri; | |
} | |
server { | |
server_name example.mydomain.com; | |
ssl_certificate /etc/nginx/ssl/example.mydomain.com.fullchain.pem; | |
ssl_certificate_key /etc/nginx/ssl/example.mydomain.com.key.pem; | |
ssl_trusted_certificate /etc/nginx/ssl/example.mydomain.com.cert.pem; | |
listen 443 ssl http2; | |
location / { | |
proxy_pass https://localhost:8443/; | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment