SSL Labs A+ nginx config — a main server file followed by the three snippets it includes (headers.conf, letsencrypt.conf, ssl.conf), shown back to back here without file separators.
server {
    # Catch-all for plain-HTTP requests whose Host header matches no other
    # server_name (or carries none). 444 closes the connection without
    # sending any response.
    server_name _;
    listen 80 default_server;
    listen [::]:80 default_server;

    # NOTE(review): silencing both logs here also hides Host-header probing
    # and mass-scanner traffic; point access_log at a dedicated file if that
    # visibility is wanted for detection.
    access_log off;
    log_not_found off;

    return 444;
}
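server {
    # Catch-all for TLS connections that carry no SNI, or an SNI name that
    # matches no other vhost. Both listen lines now say default_server
    # explicitly: otherwise nginx makes the *first* server defined for an
    # address:port pair the default, so this block's role would depend on
    # include order. (nginx refuses to start if another file also declares
    # a default_server for [::]:443 - that conflict is then visible instead
    # of silently resolved by position.)
    listen 443 default_server ssl http2;
    listen [::]:443 default_server ipv6only=on ssl http2;
    server_name _;

    # nginx must finish the TLS handshake before it can read the request and
    # answer 444, so a certificate is required. Any *valid* certificate will
    # do, but it is presented to every non-SNI client and scanner, so its
    # subject/SAN names are disclosed. On nginx >= 1.19.4
    # `ssl_reject_handshake on;` can replace the three ssl_certificate*
    # lines and aborts during the handshake without presenting any cert.
    ssl_certificate /etc/letsencrypt/live/XYZ/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XYZ/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/XYZ/fullchain.pem;
    include snippets/ssl.conf;

    access_log off;
    log_not_found off;

    return 444;
}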
server {
    # Plain-HTTP entry point for the real site: answer ACME HTTP-01
    # challenges on port 80 (so certificate renewals keep working) and send
    # everything else to the canonical HTTPS origin.
    server_name example.com www.example.com;
    listen 80;
    listen [::]:80;

    # Defines `location ^~ /.well-known/acme-challenge/`. It is a longer
    # prefix than `/` and `^~` skips regex locations, so it wins the match.
    include /etc/nginx/snippets/letsencrypt.conf;

    location / {
        return 301 https://example.com$request_uri;
    }
}
server {
    # www.example.com over HTTPS: a certificate-bearing vhost whose only job
    # is to 301 to the bare domain. The handshake for the www name has to
    # succeed before the redirect can be sent, hence the cert lines; the
    # example.com certificate is reused (presumably with www.example.com as
    # a SAN - verify).
    server_name www.example.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    include snippets/ssl.conf;

    # add_header applies to 3xx responses, so the HSTS and other security
    # headers ride along on the redirect itself.
    include snippets/headers.conf;

    location / {
        return 301 https://example.com$request_uri;
    }
}
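server {
    # Canonical HTTPS origin for example.com: static files only.
    server_name example.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    include snippets/ssl.conf;
    include snippets/headers.conf;

    root /root/of/example_com;
    index index.html;

    location / {
        # Serve a matching file, then a directory (index.html), else 404.
        # Deliberately no add_header here: a location-level add_header
        # replaces, rather than extends, the set inherited from headers.conf.
        try_files $uri $uri/ =404;
    }

    error_page 404 @404;
    location @404 {
        # Named locations are only reachable through internal redirects such
        # as error_page, so the original `internal;` was redundant.
        # `return ... "body"` takes its Content-Type from default_type of the
        # location it executes in; the HTML branch below is re-routed through
        # `location /`, where the normal mime.types mapping applies to .html.
        default_type application/json;

        # Clients that accept JSON get a machine-readable body. The original
        # body used single quotes inside the object, which is not valid JSON.
        # `~*` is case-insensitive (media types are). `return` inside `if`
        # is one of the documented-safe uses of `if`.
        if ($http_accept ~* json) {
            return 404 '{"error": "Not found"}';
        }

        # Everyone else gets the static error page. `last` stops rewrite
        # processing and re-runs location matching for the new URI, so the
        # original trailing `break;` was unreachable and has been removed.
        rewrite ^(.*)$ /errors/404.html last;
    }
}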
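# snippets/headers.conf - response headers shared by every HTTPS vhost
# (included at server level).
#
# Two add_header rules worth remembering:
#  * Without `always` a header is only added to 200/204/206/3xx responses.
#    With it (nginx >= 1.7.5) the header is also sent on 4xx/5xx, which is
#    what you want for HSTS and the anti-framing/anti-sniffing headers on
#    error pages - otherwise the @404 responses lose all of them.
#  * An add_header in a nested location replaces this whole set instead of
#    extending it; re-include this snippet there if you add any.

# Caching: every response is marked uncacheable. Fine for a small site;
# static assets would normally get their own location with a long TTL.
add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
add_header "Pragma" "no-cache";
add_header "Expires" "-1";

add_header "X-Frame-Options" "DENY" always;
# The legacy XSS auditor has been removed from Chromium/Edge and never
# existed in Firefox; OWASP now recommends sending "0" because the filter
# itself was a source of cross-site information leaks. CSP is the
# supported replacement.
add_header "X-XSS-Protection" "0" always;
add_header "X-Content-Type-Options" "nosniff" always;
add_header "X-Download-Options" "noopen" always;
add_header "X-Permitted-Cross-Domain-Policies" "master-only" always;

# Content-Security-Policy. The original sent the obsolete vendor-prefixed
# `X-Content-Security-Policy`, which current browsers ignore - so no policy
# was actually being enforced. Turning the real header on can break inline
# scripts/styles: roll it out as `Content-Security-Policy-Report-Only`
# with a reporting endpoint first, then switch to enforcing.
# `frame-ancestors 'none'` is the CSP counterpart of X-Frame-Options DENY.
#add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://ajax.googleapis.com https://www.google-analytics.com https://cdnjs.cloudflare.com 'unsafe-inline'; img-src 'self' https://www.google-analytics.com; connect-src 'self'; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com 'unsafe-inline'; style-src 'self' https://fonts.googleapis.com/ 'unsafe-inline'";
add_header "Content-Security-Policy" "default-src 'self'; frame-ancestors 'none'" always;

# HSTS: one year, covering subdomains. Only meaningful over HTTPS (this
# snippet is only included in :443 servers). `includeSubDomains` commits
# every subdomain to HTTPS, so confirm none still needs plain HTTP.
# Add `; preload` only once you intend to submit to hstspreload.org.
add_header "Strict-Transport-Security" "max-age=31536000; includeSubDomains" always;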
# snippets/letsencrypt.conf - ACME HTTP-01 challenge responder.
# `^~` makes this prefix location win over regex locations and over the
# shorter `/` prefix in the including server, so challenge tokens are
# served even where everything else is redirected to HTTPS.
location ^~ /.well-known/acme-challenge/ {
    # root + request URI: tokens must live under
    # /var/www/letsencrypt/.well-known/acme-challenge/ and the tree must be
    # readable by the nginx worker user (0755 / drwxr-xr-x).
    root /var/www/letsencrypt;
    # Tokens are plain text; do not let the html default apply.
    default_type "text/plain";
}
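# snippets/ssl.conf - TLS settings shared by every HTTPS vhost (included at
# server level). Target: SSL Labs A+. Changes from the original are noted.

# `ssl on;` removed: every including server already has `ssl` on its listen
# lines, the directive was deprecated in nginx 1.15.0 and removed in 1.25.1.

# Session resumption via the server-side cache only. Tickets stay off:
# nginx cannot rotate the ticket key, so a compromised key would allow
# recorded sessions to be decrypted, defeating forward secrecy.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Protocols: TLS 1.0/1.1 are deprecated (RFC 8996) and SSL Labs caps any
# server offering them at grade B, so they are dropped. The TLSv1.3 token
# requires nginx >= 1.13.0 built against OpenSSL >= 1.1.1; remove it on
# older builds or nginx will refuse the config.
ssl_protocols TLSv1.2 TLSv1.3;

# Key exchange: ECDHE only. Offering X25519 and P-256 ahead of P-384 lets
# modern clients use their preferred (and faster) curve; P-384 alone was
# slower and excluded X25519 entirely. A curve *list* needs OpenSSL >= 1.0.2.
ssl_ecdh_curve X25519:prime256v1:secp384r1;

# TLS 1.2 cipher suites (TLS 1.3 suites are fixed by the library and not
# affected by this directive). Removed from the original string:
#  * RSA+AES128 / RSA+AES256 - static RSA key exchange, no forward secrecy
#  * EECDH+3DES / RSA+3DES   - 64-bit block cipher, Sweet32 (CVE-2016-2183)
#  * CBC modes               - only AEAD suites remain (GCM, ChaCha20-Poly1305)
# Compatibility cost: clients without ECDHE + AEAD support (IE <= 10 on
# Windows 7, Android <= 4.3, Java 7) can no longer connect.
ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:!aNULL:!eNULL:!MD5:!3DES;
ssl_prefer_server_ciphers on;

# OCSP stapling. ssl_trusted_certificate in each vhost must contain the
# issuing chain so the stapled response can be verified; Let's Encrypt's
# chain.pem is enough (fullchain.pem also works, it merely adds the leaf).
# Failure is soft: nginx logs a warning and serves without a staple.
ssl_stapling on;
ssl_stapling_verify on;
# The resolver is only used to look up the OCSP responder host. Plain UDP
# to a public resolver is unauthenticated; prefer a local/trusted resolver
# where one is available.
resolver 8.8.8.8 8.8.4.4 valid=86400s;
resolver_timeout 5s;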