jubel-han/nginx_with_ssl_best_practice

## nginx_with_ssl_best_practice
server {
	listen         443 ssl spdy;
	server_name    sslplayground.dev;
	root           /var/www/sslplayground;
	index          index.html;

	# Enable SSL
	ssl                    on;
	ssl_certificate        /etc/nginx/conf.d/server.crt;
	ssl_certificate_key    /etc/nginx/conf.d/server.key;

	# Pick the allowed protocols
	ssl_protocols                TLSv1 TLSv1.1 TLSv1.2;

	# Configure perfect forward secrecy
	ssl_prefer_server_ciphers    on;
	ssl_ciphers                  ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
	ssl_dhparam                  /etc/nginx/conf.d/dhparam.pem;

	# Set up a session cache for SSL resume
	ssl_session_cache      shared:SSL:10m;
	ssl_session_timeout    10m;

	# Do not overflow the SSL send buffer (causes extra round trips)
	ssl_buffer_size    8k;

	# Compress the SSL headers
	spdy_headers_comp    6;

	# Add SSL stapling
	ssl_stapling    on;
	resolver        8.8.8.8;

	# Announce the SPDY alternate protocal
	add_header    Alternate-Protocol 443:npn-spdy/3,443:npn-spdy/2;

	# Enable HTTP Strict Transport Security (HSTS)
	add_header    Strict-Transport-Security "max-age=31536000; includeSubdomains;";

	# The default location
	location / {}

	# Handle all static assets by serving the file directly. Add directives
	# to send expires headers.
	location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|ttf|eot)$ {
		expires 365d;
	}

	# Block protected files
	include "conf/block.conf";
}

# Redirect http to https
server {
	listen         80;
	server_name    sslplayground.dev;
	return         301 https://sslplayground.dev$request_uri;
}

# Redirect www to non-www
server {
	server_name    www.sslplayground.dev;
	return         301 https://sslplayground.dev$request_uri;
}
	server {
	listen 443 ssl spdy;
	server_name sslplayground.dev;
	root /var/www/sslplayground;
	index index.html;

	# Enable SSL
	ssl on;
	ssl_certificate /etc/nginx/conf.d/server.crt;
	ssl_certificate_key /etc/nginx/conf.d/server.key;

	# Pick the allowed protocols
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# Configure perfect forward secrecy
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
	ssl_dhparam /etc/nginx/conf.d/dhparam.pem;

	# Set up a session cache for SSL resume
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;

	# Do not overflow the SSL send buffer (causes extra round trips)
	ssl_buffer_size 8k;

	# Compress the SSL headers
	spdy_headers_comp 6;

	# Add SSL stapling
	ssl_stapling on;
	resolver 8.8.8.8;

	# Announce the SPDY alternate protocal
	add_header Alternate-Protocol 443:npn-spdy/3,443:npn-spdy/2;

	# Enable HTTP Strict Transport Security (HSTS)
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

	# The default location
	location / {}

	# Handle all static assets by serving the file directly. Add directives
	# to send expires headers.
	location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico\|svg\|woff\|ttf\|eot)$ {
	expires 365d;
	}

	# Block protected files
	include "conf/block.conf";
	}

	# Redirect http to https
	server {
	listen 80;
	server_name sslplayground.dev;
	return 301 https://sslplayground.dev$request_uri;
	}

	# Redirect www to non-www
	server {
	server_name www.sslplayground.dev;
	return 301 https://sslplayground.dev$request_uri;
	}