Skip to content

Instantly share code, notes, and snippets.

@jacobw56
Created April 24, 2018 13:12
Show Gist options
  • Save jacobw56/dd642e574257bfcc788bc0890b9aec29 to your computer and use it in GitHub Desktop.
Save jacobw56/dd642e574257bfcc788bc0890b9aec29 to your computer and use it in GitHub Desktop.
Working config for secure WebSockets & hosting my other sites
# Used this config to get a React FE (https)
# to speak with a Clojure BE (port 8001) over wss
# redirect all http requests to https
# and also listen on IPv6 addresses
server {
listen 80;
listen [::]:80;
server_name domain.com www.domain.com _;
return 301 https://domain.com$request_uri;
}
# redirect all http requests to https
# and also listen on IPv6 addresses
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.domain.com _;
return 301 https://domain.com$request_uri;
}
# the main server directive for ssl connections
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name domain.com;
root /var/www/html;
# SSL Stuff
ssl on;
# paths to certificate and key provided by Let's Encrypt
ssl_certificate /etc/.../fullchain.pem;
ssl_certificate_key /etc/.../privkey.pem;
# SSL settings that currently offer good results in the SSL check
# and have a reasonable backwards-compatibility, taken from
# - https://cipherli.st/
# - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/.../dhparam.pem;
resolver 8.8.8.8 8.8.4.4 valid=600s;
resolver_timeout 5s;
# security enhancements
add_header Strict-Transport-Security "includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
location /socket {
proxy_pass http://localhost:8001;
proxy_redirect off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade websocket;
proxy_set_header Connection upgrade;
proxy_read_timeout 86400;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment