Last active
September 14, 2020 19:20
-
-
Save jkcgs/188ddc2531496b0f9b339c716479f1a2 to your computer and use it in GitHub Desktop.
nginx ssl rules TLSv1.2, gives A+ on qualys ssl test
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
upstream backend { | |
server unix:///tmp/backend.sock; | |
} | |
server { | |
listen 80; | |
listen 443 ssl http2; | |
server_name example.com; | |
include ssl_rules; | |
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; | |
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; | |
location /static/ { | |
alias /home/web/static/; | |
gzip on; | |
} | |
location ~ /.well-known/ { | |
root /var/www/letsencrypt; | |
} | |
error_page 500 502 503 504 /50x.html; | |
location = /50x.html { | |
root /usr/share/nginx/html; | |
} | |
location ~ /\.ht { | |
deny all; | |
} | |
location / { | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header Host $http_host; | |
proxy_redirect off; | |
uwsgi_pass backendd; | |
include uwsgi_params; | |
} | |
# Example for http proxy, no need for upstream block | |
#location / { | |
# proxy_pass http://127.0.0.1:8989; | |
# proxy_set_header X-Real-IP $remote_addr; | |
# proxy_set_header Host $host; | |
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
# proxy_set_header X-Forwarded-Proto $scheme; | |
# proxy_redirect off; | |
# proxy_buffering off; | |
#} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ssl_protocols TLSv1.2; | |
ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA"; | |
ssl_ecdh_curve secp384r1; | |
ssl_session_cache shared:le_nginx_SSL:1m; | |
ssl_buffer_size 8k; | |
ssl_prefer_server_ciphers on; | |
ssl_session_cache shared:TLS:2m; | |
ssl_session_timeout 10m; | |
ssl_session_tickets off; | |
# Run the following command and move the file to the path in the value here | |
# openssl dhparam -out dhparam.pem 4096 | |
ssl_dhparam /etc/ssl/dhparam.pem; | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
resolver 1.1.1.1 1.0.0.1 valid=300s; | |
resolver_timeout 5s; | |
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always; | |
add_header X-Frame-Options DENY; | |
add_header X-Content-Type-Options nosniff; | |
add_header X-XSS-Protection "1; mode=block"; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment