e0en/common_ssl_setting.conf

## common_ssl_setting.conf
ssl_certificate /etc/letsencrypt/live/foo.com/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/foo.com/privkey.pem;

ssl_session_cache       shared:SSL:10m;
ssl_session_timeout     5m;

# Enable server-side protection against BEAST attacks
ssl_prefer_server_ciphers       on;
ssl_ciphers     ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

# Disable SSLv3
ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;

# Diffie-Hellman parameter for DHE ciphersuites
# $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
ssl_dhparam     /etc/ssl/certs/dhparam.pem;

# Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
set $CSP_HEADER "";
set $CSP_HEADER "${CSP_HEADER}frame-ancestors 'none'";
set $CSP_HEADER "${CSP_HEADER}; default-src 'none'";
set $CSP_HEADER "${CSP_HEADER}; object-src 'self'";
set $CSP_HEADER "${CSP_HEADER}; script-src 'self'";
set $CSP_HEADER "${CSP_HEADER}; style-src 'self'";
set $CSP_HEADER "${CSP_HEADER}; base-uri 'self'";
set $CSP_HEADER "${CSP_HEADER}; form-action 'self'";

add_header      Content-Security-Policy $CSP_HEADER;
add_header      Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header      X-Frame-Options "frame-ancestors";

ssl_stapling    on;
ssl_stapling_verify     on;
ssl_trusted_certificate /etc/letsencrypt/live/foo.com/fullchain.pem;
resolver 8.8.8.8 8.8.4.4 1.1.1.1 valid=300s;
resolver_timeout 5s;

## nginx.conf
server_tokens off;

add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

# redirect all http traffic to https
server {
  listen 80 default;
  listen [::]:80 default;

  server_name _;
  server_tokens off;

  return 302 https://$host$request_uri;
}

# server block for for a.foo.com for an app running on localhost:8001
server {
  listen  443 ssl;
  server_name     a.foo.com;
  access_log      /var/log/nginx/access.log;

  include common_ssl_setting.conf;

  location / {
    proxy_pass http://127.0.0.1:8001;
    proxy_redirect http:// $scheme://;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

# server block for for b.foo.com for an app running on localhost:8002
server {
  listen  443 ssl;
  server_name     b.my_domain.com;
  access_log      /var/log/nginx/access.log;

  include common_ssl_setting.conf;

  location / {
    proxy_pass http://127.0.0.1:8002;
    proxy_redirect http:// $scheme://;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}
	ssl_certificate /etc/letsencrypt/live/foo.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/foo.com/privkey.pem;

	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 5m;

	# Enable server-side protection against BEAST attacks
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

	# Disable SSLv3
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# Diffie-Hellman parameter for DHE ciphersuites
	# $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
	ssl_dhparam /etc/ssl/certs/dhparam.pem;

	# Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
	set $CSP_HEADER "";
	set $CSP_HEADER "${CSP_HEADER}frame-ancestors 'none'";
	set $CSP_HEADER "${CSP_HEADER}; default-src 'none'";
	set $CSP_HEADER "${CSP_HEADER}; object-src 'self'";
	set $CSP_HEADER "${CSP_HEADER}; script-src 'self'";
	set $CSP_HEADER "${CSP_HEADER}; style-src 'self'";
	set $CSP_HEADER "${CSP_HEADER}; base-uri 'self'";
	set $CSP_HEADER "${CSP_HEADER}; form-action 'self'";

	add_header Content-Security-Policy $CSP_HEADER;
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
	add_header X-Frame-Options "frame-ancestors";

	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/letsencrypt/live/foo.com/fullchain.pem;
	resolver 8.8.8.8 8.8.4.4 1.1.1.1 valid=300s;
	resolver_timeout 5s;
	server_tokens off;

	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";

	# redirect all http traffic to https
	server {
	listen 80 default;
	listen [::]:80 default;

	server_name _;
	server_tokens off;

	return 302 https://$host$request_uri;
	}

	# server block for for a.foo.com for an app running on localhost:8001
	server {
	listen 443 ssl;
	server_name a.foo.com;
	access_log /var/log/nginx/access.log;

	include common_ssl_setting.conf;

	location / {
	proxy_pass http://127.0.0.1:8001;
	proxy_redirect http:// $scheme://;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
	}

	# server block for for b.foo.com for an app running on localhost:8002
	server {
	listen 443 ssl;
	server_name b.my_domain.com;
	access_log /var/log/nginx/access.log;

	include common_ssl_setting.conf;

	location / {
	proxy_pass http://127.0.0.1:8002;
	proxy_redirect http:// $scheme://;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
	}