Last active
May 15, 2017 12:37
-
-
Save danalloway/396383351261ca7a9ea1 to your computer and use it in GitHub Desktop.
Force full, secure SSL configuration on an NGINX site.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# capture HTTP requests to example.com and www.example.com | |
# and permanently redirect them to the HTTPS version of the site | |
# | |
server { | |
listen 80; # IPv4 | |
listen [::]:80; # IPv6 | |
server_name example.com www.example.com; | |
return 301 https://www.example.com$request_uri; | |
} | |
# capture HTTPS requests without the WWW and permanently redirect them | |
# | |
server { | |
listen 443; # IPv4 | |
listen [::]:443; # IPv6 | |
server_name example.com; | |
return 301 https://www.example.com$request_uri; | |
} | |
# | |
# the default server | |
# | |
server { | |
listen 443 default_server; # IPv4 | |
listen [::]:443; # IPv6 | |
# SSL Configuration | |
# | |
ssl on; | |
ssl_certificate_key /etc/nginx/ssl/example.key; | |
ssl_certificate /etc/nginx/ssl/example.crt; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; | |
ssl_prefer_server_ciphers on; | |
ssl_session_cache shared:SSL:10m; | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
resolver 8.8.8.8 8.8.4.4 valid=300s; | |
resolver_timeout 5s; | |
# this file needs to be generated using the following command | |
# `openssl dhparam -out /etc/nginx/ssl/dh_param.pem 4096` | |
# | |
ssl_dhparam /etc/nginx/ssl/dh_param.pem; | |
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; | |
add_header X-Frame-Options "DENY"; | |
add_header X-Content-Type-Options nosniff; | |
# Basic Server Configuration | |
# | |
server_name www.example.com; | |
root /var/www/example/public; | |
index index.php; | |
# Logging | |
# | |
access_log /var/log/nginx/example_access.log; | |
error_log /var/log/nginx/example_error.log; | |
location / { | |
# static files will be served directly | |
location ~* ^.+\.(?:css|cur|js|jpg|jpeg|gif|htc|ico|png|html|xml)$ { | |
access_log off; | |
expires 30d; | |
} | |
# prevent hidden files from being served | |
location ~ /\. { | |
access_log off; | |
log_not_found off; | |
deny all; | |
} | |
# first try to serve the file directly | |
# then try passing it to PHP for processing | |
try_files $uri @php; | |
} | |
# | |
# All PHP requests are forced through index.php behind the scenes. | |
# | |
# This is acomplished using a number of fastcgi parameters, | |
# the benefit in doing it this way is not having to use any rewrites. | |
# | |
# A request for => /foo/bar?baz=1 | |
# would result in => /index.php?_url=/foo/bar&baz=1 | |
# | |
# Just keep in mind that this makes index.php the only directly | |
# accesible PHP file in your application installation. | |
# | |
# Also, make sure you have your PHP-FPM configured to listen via unix | |
# socket at /var/run/php5-fpm.sock | |
# | |
# (this is typically done via the /etc/php5/fpm/pool.d/www.conf file). | |
# | |
location @php { | |
include fastcgi_params; | |
fastcgi_param QUERY_STRING _url=$uri&$args; | |
fastcgi_param SCRIPT_NAME /index.php; | |
fastcgi_param SCRIPT_FILENAME $document_root/index.php; | |
fastcgi_intercept_errors on; | |
fastcgi_read_timeout 14400; | |
fastcgi_index index.php; | |
fastcgi_pass unix:/var/run/php5-fpm.sock; | |
} | |
# 404 requests to any other PHP files | |
location ~* ^.+\.php$ { | |
return 404; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment