mrsombre/_readme.md

## _readme.md

      
    Raw
  

              _readme.md
            
          
    default domain

server {
  listen  80 default_server;

  access_log  /var/log/nginx/default__access.log  main;
  error_log   /var/log/nginx/default__error.log   error;

  client_max_body_size  512k;

  location / {
    return 444;
  }
}


vhost
listen   443 ssl;
include  ssl/<domain.com>/cert.conf;

# letsencrypt
include ssl/le.conf;

dh param
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

some info
https://gist.github.com/plentz/6737338

  
## cert.conf

# SSL config
include  ssl/ssl.conf;

ssl_certificate      /etc/letsencrypt/live/<domain.com>/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/<domain.com>/privkey.pem;

## cli.ini

authenticator = webroot
webroot-path = /var/www/letsencrypt
post-hook = service nginx reload
text = True

## le.conf

#############################################################################
# Configuration file for Let's Encrypt ACME Challenge location
#############################################################################
#
# This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx
# on all our sites (HTTP), including all subdomains.
# This is required by ACME Challenge (webroot authentication).
# You can check that this location is working by placing ping.txt here:
# /var/www/letsencrypt/.well-known/acme-challenge/ping.txt
# And pointing your browser to:
# http://xxx.domain.tld/.well-known/acme-challenge/ping.txt
#
# Sources:
# https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491
#
#############################################################################

# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
# other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
location ^~ /.well-known/acme-challenge/ {
  default_type  "text/plain";
  root  /var/www/letsencrypt;
}

# Hide /acme-challenge subdirectory and return 404 on all requests.
# It is somewhat more secure than letting Nginx return 403.
# Ending slash is important!
location = /.well-known/acme-challenge/ {
  return 404;
}

## ssl.conf
# Protect against the BEAST and POODLE attacks by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
# SSLv3 to the list of protocols below.
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;

# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
ssl_ciphers  ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
ssl_prefer_server_ciphers  on;

# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
ssl_session_cache    shared:SSL:8m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
ssl_session_timeout  6h;

# SSL buffer size was added in 1.5.9
ssl_buffer_size  1400; # 1400 bytes to fit in one MTU

# Session tickets appeared in version 1.5.9
#
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets  off;

# Use a higher keepalive timeout to reduce the need for repeated handshakes
keepalive_timeout  300s; # up from 75 secs default

# HSTS (HTTP Strict Transport Security)
# This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
#add_header Strict-Transport-Security "max-age=31536000" always;
# This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS
# Recommend is also to use preload service
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
#ssl_certificate      /etc/nginx/default_ssl.crt;
#ssl_certificate_key  /etc/nginx/default_ssl.key;

# Specifies a file with DH parameters for DHE ciphers.
ssl_dhparam  ssl/dhparam.pem;

	# SSL config
	include ssl/ssl.conf;

	ssl_certificate /etc/letsencrypt/live/<domain.com>/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/<domain.com>/privkey.pem;

	authenticator = webroot
	webroot-path = /var/www/letsencrypt
	post-hook = service nginx reload
	text = True

	#############################################################################
	# Configuration file for Let's Encrypt ACME Challenge location
	#############################################################################
	#
	# This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx
	# on all our sites (HTTP), including all subdomains.
	# This is required by ACME Challenge (webroot authentication).
	# You can check that this location is working by placing ping.txt here:
	# /var/www/letsencrypt/.well-known/acme-challenge/ping.txt
	# And pointing your browser to:
	# http://xxx.domain.tld/.well-known/acme-challenge/ping.txt
	#
	# Sources:
	# https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491
	#
	#############################################################################

	# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
	# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
	# other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
	location ^~ /.well-known/acme-challenge/ {
	default_type "text/plain";
	root /var/www/letsencrypt;
	}

	# Hide /acme-challenge subdirectory and return 404 on all requests.
	# It is somewhat more secure than letting Nginx return 403.
	# Ending slash is important!
	location = /.well-known/acme-challenge/ {
	return 404;
	}
	# Protect against the BEAST and POODLE attacks by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
	# SSLv3 to the list of protocols below.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
	ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
	ssl_prefer_server_ciphers on;

	# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
	# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
	# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
	# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
	ssl_session_cache shared:SSL:8m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
	ssl_session_timeout 6h;

	# SSL buffer size was added in 1.5.9
	ssl_buffer_size 1400; # 1400 bytes to fit in one MTU

	# Session tickets appeared in version 1.5.9
	#
	# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
	# when a restart is performed the previous key is lost, which resets all previous
	# sessions. The fix for this is to setup a manual rotation mechanism:
	# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
	#
	# Note that you'll have to define and rotate the keys securely by yourself. In absence
	# of such infrastructure, consider turning off session tickets:
	ssl_session_tickets off;

	# Use a higher keepalive timeout to reduce the need for repeated handshakes
	keepalive_timeout 300s; # up from 75 secs default

	# HSTS (HTTP Strict Transport Security)
	# This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
	#add_header Strict-Transport-Security "max-age=31536000" always;
	# This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS
	#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
	# This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS
	# Recommend is also to use preload service
	#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

	# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
	# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
	#ssl_certificate /etc/nginx/default_ssl.crt;
	#ssl_certificate_key /etc/nginx/default_ssl.key;

	# Specifies a file with DH parameters for DHE ciphers.
	ssl_dhparam ssl/dhparam.pem;