To the extent possible under law, Petko Bordjukov has waived all copyright and related or neighboring rights to this nginx ssl configuration.
This work is published from: Bulgaria.
Last active
October 5, 2016 22:38
-
-
Save ignisf/b7dd99f175d4c531e3883c99e8da103a to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/nginx/snippets/example-ssl.conf | |
| ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # Server certificate + CA Certificate | |
| ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # Private key | |
| ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem; # CA Certificate |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/nginx/sites-available/example.com.conf | |
| upstream puma_example_production { | |
| server unix:/home/example/production/tmp/puma.sock fail_timeout=0; | |
| } | |
| server { | |
| listen 80; | |
| listen [::]:80; | |
| listen 443 http2 ssl; | |
| listen [::]:443 http2 ssl; | |
| include snippets/example-ssl.conf; | |
| client_max_body_size 4G; | |
| keepalive_timeout 10; | |
| error_page 500 502 504 /500.html; | |
| error_page 503 @503; | |
| server_name example.com; | |
| root /home/example/production/current/public; | |
| try_files $uri/index.html $uri @puma_example_production; | |
| location @puma_example_production { | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $http_host; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_redirect off; | |
| proxy_pass http://puma_example_production; | |
| gzip on; | |
| } | |
| location ^~ /assets/ { | |
| gzip_static on; | |
| expires max; | |
| add_header Cache-Control public; | |
| add_header Access-Control-Allow-Origin https://example.com; | |
| } | |
| # refile attachments cache | |
| location ^~ /attachments/ { | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $http_host; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_redirect off; | |
| proxy_pass http://puma_example_production; | |
| proxy_cache ATTACHMENTS; | |
| proxy_cache_valid 200 1y; | |
| expires max; | |
| add_header Cache-Control public; | |
| } | |
| location = /50x.html { | |
| root html; | |
| } | |
| location = /404.html { | |
| root html; | |
| } | |
| location @503 { | |
| error_page 405 = /system/maintenance.html; | |
| if (-f $document_root/system/maintenance.html) { | |
| rewrite ^(.*)$ /system/maintenance.html break; | |
| } | |
| rewrite ^(.*)$ /503.html break; | |
| } | |
| if (-f $document_root/system/maintenance.html) { | |
| return 503; | |
| } | |
| } | |
| server { | |
| listen 80; | |
| listen [::]:80; | |
| listen 443 http2 ssl; | |
| listen [::]:443 http2 ssl; | |
| server_name www.example.com 198.51.100.1; | |
| return 301 https://example.com$request_uri; | |
| include snippets/example-ssl.conf; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| user www-data; | |
| worker_processes auto; | |
| pid /run/nginx.pid; | |
| events { | |
| worker_connections 768; | |
| # multi_accept on; | |
| } | |
| http { | |
| ## | |
| # Basic Settings | |
| ## | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| keepalive_timeout 65; | |
| types_hash_max_size 2048; | |
| # server_tokens off; | |
| # server_names_hash_bucket_size 64; | |
| # server_name_in_redirect off; | |
| include /etc/nginx/mime.types; | |
| default_type application/octet-stream; | |
| ## | |
| # SSL Settings | |
| ## | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE | |
| ssl_prefer_server_ciphers on; | |
| ## | |
| # Logging Settings | |
| ## | |
| access_log /var/log/nginx/access.log; | |
| error_log /var/log/nginx/error.log; | |
| ## | |
| # Gzip Settings | |
| ## | |
| gzip on; | |
| gzip_disable "msie6"; | |
| # gzip_vary on; | |
| # gzip_proxied any; | |
| # gzip_comp_level 6; | |
| # gzip_buffers 16 8k; | |
| # gzip_http_version 1.1; | |
| # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; | |
| ## | |
| # Virtual Host Configs | |
| ## | |
| include /etc/nginx/conf.d/*.conf; | |
| include /etc/nginx/sites-enabled/*; | |
| } | |
| #mail { | |
| # # See sample authentication script at: | |
| # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript | |
| # | |
| # # auth_http localhost/auth.php; | |
| # # pop3_capabilities "TOP" "USER"; | |
| # # imap_capabilities "IMAP4rev1" "UIDPLUS"; | |
| # | |
| # server { | |
| # listen localhost:110; | |
| # protocol pop3; | |
| # proxy on; | |
| # } | |
| # | |
| # server { | |
| # listen localhost:143; | |
| # protocol imap; | |
| # proxy on; | |
| # } | |
| #} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/nginx/conf.d/ssl.conf | |
| ssl_dhparam /etc/ssl/dhparam.pem; # openssl dhparam 4096 -out dhparam.pem -outform pem | |
| ssl_ciphers "EECDH+aRSA+AESGCM:EDH+aRSA+AESGCM:ECDH+aRSA+AES:EDH+aRSA+AES:kRSA+aRSA+AESGCM:kRSA+aRSA+AES:kRSA+aRSA+3DES"; | |
| ssl_ecdh_curve secp384r1; | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_timeout 10m; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment