Last active
October 6, 2021 12:58
Nginx starter configuration (not for PROD) — assumes the `/etc/nginx/certs` directory is present to hold the certificates
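server {
    # Listen on port 443 for HTTPS connections.
    # The original used `ssl on;`, which is deprecated (nginx 1.15+) and
    # rejected outright by recent releases; the `ssl` parameter on `listen`
    # is the supported way to enable TLS for this server block.
    listen 443 ssl;
    # Name of the server/website
    server_name example.com;
    # See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_server_name
    # Only affects TLS connections nginx opens to proxied upstreams; no
    # proxy_pass is configured in this block, so it is currently inert.
    proxy_ssl_server_name on;
    # This is the server SSL certificate
    ssl_certificate /etc/nginx/certs/example.com.pem;
    # This is the server certificate key (keep it readable by the nginx
    # master process only; it is not served and never needs to be world-readable)
    ssl_certificate_key /etc/nginx/certs/example.com.key;
    # Important:
    # This is the CA cert against which the client/user will be validated.
    # In our case, since the server and the client certificate are
    # generated from the same CA, we use the ca.crt.
    # But in actual production the client certificate might be
    # issued by a different CA, so this trust anchor should be the
    # client-issuing CA only -- not a broad public bundle.
    ssl_client_certificate /etc/nginx/certs/root.pem;
    # Enables mutual TLS/two-way certificate authentication to verify the client.
    # With `on`, a client that presents no certificate, or one that does not
    # chain to the CA above, is rejected at the HTTP layer (400) rather than
    # reaching `location /`.
    ssl_verify_client on;
    # Maximum length of the client certificate chain (intermediates) that
    # will be verified. A good explanation of certificate chaining can be
    # found at https://cheapsslsecurity.com/p/what-is-ssl-certificate-chain/
    ssl_verify_depth 2;
    # Any error during the connection can be found on the following path.
    # `debug` records full handshake detail and is very verbose; it is
    # appropriate for this starter setup but should be lowered (e.g. to
    # `warn`) before real use.
    error_log /var/log/nginx/error.log debug;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
    # The original line was cut off mid-name ("ECDHE-ECDSA-AES2") and never
    # closed its quote, which nginx rejects at load time; it is completed
    # here with the matching AES256-GCM ECDSA suite. With OpenSSL this list
    # governs TLS 1.2 only; TLS 1.3 cipher suites are selected separately.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384';
    # Idle keep-alive timeout for client connections (seconds)
    keepalive_timeout 10;
    # How long a client may reuse cached TLS session parameters
    ssl_session_timeout 5m;
    # Matches the "root" of the website.
    # If the TLS handshake (including client certificate verification)
    # is successful, the request is routed to this block.
    location / {
        # path from which the website is served from
        root /usr/share/nginx/content;
        # index file name
        index index.html index.htm;
    }
}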