mikecb.cc nginx config
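user www-data;
worker_processes 4;
worker_priority 15;
pid /var/run/nginx.pid;

events {
    worker_connections 512;
}

http {
    default_type application/octet-stream;
    include /etc/nginx/mime.types;
    keepalive_timeout 70;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;
    server_names_hash_bucket_size 128;
    types_hash_max_size 2048;

    gzip on;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ## http .:. redirect to https
    # This server only answers with a body-less 301; all content (and all
    # response headers for the site) is served from the https server below.
    server {
        listen [::]:80 ipv6only=on;
        listen 80;
        root /var/www/mikecb.cc;
        # $request_uri is the original request line (path + query string);
        # $uri is the normalized path only, so a redirect built from $uri
        # silently dropped "?key=value" parameters.
        return 301 https://$host$request_uri;
    }

    ## https .:. (www.)example.com
    server {
        index index.html;
        listen [::]:443 default_server ssl spdy ipv6only=on;
        listen 443 ssl spdy;
        root /var/www/mikecb.cc;
        server_name mikecb.cc www.mikecb.cc;

        # Response headers.
        # nginx inherits add_header from an enclosing level only when the
        # current level declares none of its own. Because this server sets
        # HSTS, any add_header placed at the http level was discarded here and
        # never reached the real site, so every header is declared in this
        # block. The location block below declares none and inherits these.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://apis.google.com; img-src 'self' https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://themes.googleusercontent.com https://fonts.googleapis.com; object-src 'none'";
        # Advertises SPDY/3.1 on port 443 via NPN.
        add_header Alternate-Protocol 443:npn-spdy/3.1;

        location / {
            include /etc/nginx/mime.types;
        }

        # SSL certs
        ssl on;
        # ECDHE (forward-secret) suites come first and win under
        # ssl_prefer_server_ciphers; the trailing plain-RSA and CAMELLIA suites
        # are a fallback for older clients and provide no forward secrecy.
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1.2;
        ssl_session_timeout 5m;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_certificate /etc/nginx/ssl/mikecb.cc.crt;
        # The private key is kept outside /etc/nginx/ssl. It is read by the
        # master process at startup, so it should be readable by root only and
        # not by the www-data worker user.
        ssl_certificate_key /home/mike/mikecb.cc.key;
        # Also used to verify stapled OCSP responses (ssl_stapling_verify).
        ssl_trusted_certificate /etc/nginx/ssl/ca.all.pem;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_ecdh_curve secp521r1;

        ##OCSP Stapling
        # Resolver used to look up the OCSP responder named in the certificate.
        resolver 8.8.4.4;
        ssl_stapling on;
        ssl_stapling_verify on;
    }
}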