Skip to content

Instantly share code, notes, and snippets.

@dpwiz
Last active January 30, 2016 07:12
Show Gist options
  • Save dpwiz/aa2aa12660fbde037aa3 to your computer and use it in GitHub Desktop.
Save dpwiz/aa2aa12660fbde037aa3 to your computer and use it in GitHub Desktop.
nginx multihost http2 config with a+ rating
server {
listen 80;
server_name hostname.tld *.hostname.tld;
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge {
root /ext/www/public_html/le-challenge;
}
}
server {
listen 443 ssl http2;
server_name hostname.tld *.hostname.tld;
ssl_certificate /etc/letsencrypt/live/hostname.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hostname.tld/privkey.pem;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:30m;
ssl_session_timeout 5m;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
charset utf-8;
gzip on;
location / {
root /ext/www/public_html/$host;
index index.html index.htm;
}
location /favicon.ico {
empty_gif;
}
location /.well-known/acme-challenge {
root /ext/www/public_html/le-challenge;
}
#error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# access_log /var/log/nginx/log/aenor.access.log main;
}
HOSTS=$(echo *hostname.tld | sed -e 's/ /,/g')
WEBROOT=/opt/www/public_html/le-challenge
LETSENCRYPT=~/.local/share/letsencrypt/bin/letsencrypt
$LETSENCRYPT certonly --renew-by-default -a webroot --webroot-path $WEBROOT -tv -d $HOSTS
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment