
@mikecb
Last active December 19, 2015 06:29
mikecb.cc nginx config
# Where the master process records its PID, and the unprivileged account
# the worker processes run as.
pid /var/run/nginx.pid;
user www-data;

# Worker pool: four processes, scheduled with a nice-style priority of 15
# (a positive value means lower scheduling priority).
worker_priority 15;
worker_processes 4;
events {
    # Upper bound on simultaneous connections a single worker may hold open.
    worker_connections 512;
}
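http {
    # Fallback MIME type for files whose extension is not in mime.types.
    default_type application/octet-stream;
    include /etc/nginx/mime.types;

    keepalive_timeout 70;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;
    server_names_hash_bucket_size 128;
    types_hash_max_size 2048;

    # Browser hardening headers.
    # nginx inherits add_header from this level ONLY into blocks that define
    # no add_header of their own. The HTTPS server below sets its own headers,
    # so these four are repeated there; here they cover the port-80 redirect.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src allow
    # inline script and eval(), which removes most of the protection CSP gives
    # against injected script. Presumably the site's pages depend on them;
    # replace with nonces or hashes once that is confirmed.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://apis.google.com; img-src 'self' https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://themes.googleusercontent.com https://fonts.googleapis.com; object-src 'none'";

    # NOTE(review): compressing TLS responses matters for BREACH only when a
    # response mixes a secret with request-controlled input. Only a static
    # root is visible here; re-check if this host ever serves dynamic content.
    gzip on;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ## http .:. redirect to https
    server {
        listen [::]:80 ipv6only=on;
        listen 80;
        root /var/www/mikecb.cc;

        # Use $request_uri (the raw request target, query string included)
        # rather than $uri. $uri is the decoded, normalized path: it drops the
        # query string, and an encoded CR/LF in the path would be written
        # decoded into the Location header.
        # NOTE(review): $host follows the client's Host header and this block
        # has no server_name, so the redirect target is request-controlled.
        # Consider a fixed canonical host name if only this site is served.
        return 301 https://$host$request_uri;
    }

    ## https .:. (www.)mikecb.cc
    server {
        # NOTE(review): "spdy" and the Alternate-Protocol header are SPDY-era.
        # nginx replaced SPDY with HTTP/2 (the "http2" parameter) in 1.9.5, so
        # these lines load only on older builds.
        listen [::]:443 default_server ssl spdy ipv6only=on;
        listen 443 ssl spdy;
        server_name mikecb.cc www.mikecb.cc;

        root /var/www/mikecb.cc;
        index index.html;

        # HSTS: two years, and it applies to every subdomain of this host.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header Alternate-Protocol 443:npn-spdy/3.1;
        # Because this block defines add_header itself, none of the http-level
        # headers are inherited. Repeat them so HTTPS responses, the ones that
        # carry the site's content, are actually sent with them.
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://apis.google.com; img-src 'self' https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://themes.googleusercontent.com https://fonts.googleapis.com; object-src 'none'";

        location / {
            include /etc/nginx/mime.types;
        }

        # TLS is enabled by the "ssl" parameter on both listen directives; the
        # separate, deprecated "ssl on;" directive is redundant and is omitted.

        # NOTE(review): entries without an ECDHE prefix (AES256-GCM-SHA384,
        # CAMELLIA256-SHA, ...) use RSA key exchange and give no forward
        # secrecy; entries without GCM are CBC-mode. Consider trimming to the
        # ECDHE + GCM suites once client compatibility is confirmed.
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1.2;
        ssl_session_timeout 5m;
        ssl_session_cache builtin:1000 shared:SSL:10m;

        # SSL certs
        ssl_certificate /etc/nginx/ssl/mikecb.cc.crt;
        # NOTE(review): the private key sits in a user's home directory while
        # the rest of the TLS material is under /etc/nginx/ssl. Keep the key in
        # a root-owned location readable only by root, and confirm that no
        # other account or backup job can read this path.
        ssl_certificate_key /home/mike/mikecb.cc.key;
        # CA chain used to verify the stapled OCSP response (ssl_stapling_verify).
        ssl_trusted_certificate /etc/nginx/ssl/ca.all.pem;
        # NOTE(review): ssl_ciphers lists no DHE suite, so these DH parameters
        # appear unused with the current cipher list.
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        # NOTE(review): client support for secp521r1 is narrower than for the
        # more common curves; verify that the ECDHE suites still negotiate
        # with the clients this site must serve.
        ssl_ecdh_curve secp521r1;

        ##OCSP Stapling
        # The resolver looks up the OCSP responder's host name. It is an
        # external resolver reached over plain DNS; a trusted local resolver
        # reduces the spoofing exposure. ssl_stapling_verify checks the
        # response against ssl_trusted_certificate before it is stapled.
        resolver 8.8.4.4;
        ssl_stapling on;
        ssl_stapling_verify on;
    }
}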