Nginx, LetsEncrypt, CertBot basic configuration/setup (OPTIONAL: nginx mainline with http2)
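# Certbot (webroot plugin) + nginx: issue a Let's Encrypt certificate and set up renewal.
# Run as root AFTER the domain's A/AAAA records point at this box -- the http-01
# challenge requires Let's Encrypt to fetch http://[[site.com]]/.well-known/acme-challenge/.
# ref: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
set -euo pipefail

# certbot-auto is a self-updating wrapper that runs as root, so do not execute it
# straight from an unverified download: fetch the EFF's detached signature as well and
# verify it before making the file executable (the EFF's certbot signing key fingerprint
# is published on https://certbot.eff.org/ -- import it first and compare).
# NOTE(review): certbot-auto has since been deprecated by the EFF; on a current distro
# prefer the packaged `certbot` (apt/snap) and skip this download entirely.
cd /usr/local/sbin
wget https://dl.eff.org/certbot-auto
wget https://dl.eff.org/certbot-auto.asc
gpg2 --keyserver hkps://keys.openpgp.org --recv-key [[eff-certbot-key-fingerprint]]
gpg2 --verify certbot-auto.asc certbot-auto
chmod a+x /usr/local/sbin/certbot-auto

# --webroot-path must be the `root` nginx serves /.well-known/acme-challenge/ from.
certbot-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d [[site.com]] -d www.[[site.com]]

# Custom DH parameters for DHE suites (2048-bit is the minimum; this takes a while).
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# as root, edit the nginx config for the site you just set up
vim /etc/nginx/conf.d/[[site.com]].conf
# when editing the file, just follow all the directions to comment and uncomment TLS-related config
# Validate before restarting so a typo in the TLS block does not take the site down.
nginx -t
service nginx restart

# set up auto-cert-renewal
crontab -e
## within the crontab -- one entry, not two: the original reloaded nginx on a separate
## cron line five minutes later, which silently does nothing useful if renewal ran long
## or failed. --deploy-hook runs only when a certificate was actually renewed (use
## --post-hook on certbot < 0.17). Run daily rather than weekly: `renew` is a no-op until
## 30 days before expiry, and a daily run leaves far more retries if an attempt fails.
## 2>&1 keeps stderr (the part you need when renewal breaks) in the log.
## 30 2 * * * /usr/local/sbin/certbot-auto renew --quiet --deploy-hook "service nginx reload" >> /var/log/le-renew.log 2>&1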
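# Install nginx mainline for http2 features. ref: http://nginx.org/en/linux_packages.html
# Run as root on Ubuntu 16.04 (xenial); change the codename for other releases.
set -euo pipefail

# Fetch the repository signing key over HTTPS. The original used plain http, so an
# on-path attacker could hand us a substitute key that apt would then accept for every
# package from this repo. Convert it to a binary keyring and bind it to the nginx repo
# with [signed-by=...] instead of `apt-key add`, which trusts the key for ALL apt
# sources (apt-key is deprecated; signed-by works on apt >= 1.1, i.e. xenial onward).
wget -qO- https://nginx.org/keys/nginx_signing.key \
  | gpg --dearmor > /usr/share/keyrings/nginx-archive-keyring.gpg
# Compare the printed fingerprint with the one published on the ref page before continuing.
gpg --with-fingerprint /usr/share/keyrings/nginx-archive-keyring.gpg

# Package URLs stay http: apt verifies the Release/Packages signatures itself. Switch to
# https if apt-transport-https is installed.
cat > /etc/apt/sources.list.d/nginx.list <<'EOF'
deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/mainline/ubuntu/ xenial nginx
deb-src [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/mainline/ubuntu/ xenial nginx
EOF

# The original also imported 0xcbcb082a1bb943db from keyserver.ubuntu.com over plain HKP.
# That key is not part of the nginx instructions, a 64-bit key ID is not a safe way to
# select a key on a public keyserver, and apt-key would trust it for every source.
# Left disabled; re-enable only if you know which repository actually needs it.
# apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db
# (software-properties-common was also installed originally, but nothing here uses
# add-apt-repository, so it is omitted.)

apt-get update
apt-get install -y nginx

# set box time
timedatectl set-timezone [[timezone]]

# Update worker process if needed
vim /etc/nginx/nginx.conf
# user deploy www-data;
# worker_processes 2;

# Validate the config before restarting; we are already root, so no sudo needed.
nginx -t
service nginx restart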
# DO NOT COPY/PASTE
# This gist is for reference
# Redirect all http requests on port 80 to https on port 443. ref: http://serverfault.com/questions/67316/in-nginx-how-can-i-rewrite-all-http-requests-to-https-while-maintaining-sub-dom/401632#401632
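server {
    listen 80;
    listen [::]:80;   # IPv6 too, matching the default_server block below
    server_name my.domain.com;
    # Redirect on the configured $server_name, not $host: an attacker-controlled Host
    # header must not be able to steer the redirect to another origin.
    return 301 https://$server_name$request_uri;
}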
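server {
    listen 443 ssl http2;         # http2 needs nginx >= 1.9.5 (the mainline install above)
    listen [::]:443 ssl http2;
    server_name my.domain.com;
    # ssl_certificate / ssl_certificate_key / ssl_protocols / ssl_ciphers etc. go here;
    # see the TLS section of the template server block below.

    # HSTS: returning browsers refuse plain http for a year, which defeats SSL-stripping
    # (it does not stop every man-in-the-middle -- a valid cert still does that job).
    # `always` is required so the header is also sent on 4xx/5xx; without it add_header
    # applies to 2xx/3xx only. Add "; includeSubDomains" only once every subdomain serves
    # valid TLS, because browsers cache the policy and it is hard to back out.
    add_header Strict-Transport-Security "max-age=31536000" always;
    # rest of the goods
}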
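server {
    listen 80 default_server;        # comment out after TLS setup
    listen [::]:80 default_server;   # comment out after TLS setup
    # listen 443 ssl http2;          # uncomment after TLS setup
    # listen [::]:443 ssl http2;     # uncomment after TLS setup
    # Once port 80 is commented out here, keep a separate port-80 server that 301s to
    # https (like the redirect block above) so plain-http visitors and the ACME challenge
    # still get answered.
    server_name [[site.com]] www.[[site.com]];

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    # ---- TLS: uncomment the lines below after certbot has issued the certificate ----
    # ssl_certificate     /etc/letsencrypt/live/[[site.com]]/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/[[site.com]]/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); the original allowed both. TLSv1.3 is
    # accepted by nginx >= 1.13 with OpenSSL >= 1.1.1 -- drop it on an older stack.
    # ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_prefer_server_ciphers on;
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Forward-secret AEAD suites only. The original list also enabled 3DES (DES-CBC3-SHA,
    # Sweet32), Camellia, SHA-1 CBC suites and the catch-all "AES", which includes plain
    # RSA key exchange with no forward secrecy. OpenSSL ignores names it does not know
    # (e.g. CHACHA20 before 1.1.0), so the list is safe on older builds too.
    # ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    # ssl_session_timeout 1d;
    # ssl_session_cache shared:SSL:50m;
    # Session tickets are encrypted with a key nginx keeps in memory for its whole
    # lifetime, which undoes forward secrecy for resumed sessions; server-side cache only.
    # ssl_session_tickets off;
    # OCSP stapling. ssl_stapling_verify needs the issuer chain configured as trusted
    # (chain.pem, not fullchain.pem) and a resolver to reach the OCSP responder; without
    # them nginx logs a warning and staples nothing. Point resolver at DNS you control.
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/letsencrypt/live/[[site.com]]/chain.pem;
    # resolver [[resolver-ip]] valid=300s;
    # HSTS: `always` so the header is also sent on error responses; same max-age as the
    # redirect example above (the original had two different values).
    # add_header Strict-Transport-Security "max-age=31536000" always;

    # root /var/www/path/to/site.com;
    root /usr/share/nginx/html;
    index index.html index.htm;

    location / {
        # whatever you need to do here
        # proxy_pass
    }

    # NOTE(review): compressing responses that echo attacker-influenced input over TLS
    # enables BREACH. Fine for static assets; reconsider application/json and text/html
    # coming from a proxy_pass backend that reflects request data.
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    # "application/xm l+rss" in the original was a broken token; application/javascript
    # is the registered type that modern servers emit alongside the legacy x-javascript.
    gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # ACME http-01 challenge files. `^~` is a prefix match that also stops the regex
    # locations below from being consulted. The original `~ /.well-known` was a regex
    # with an unescaped dot, so it matched "/xwell-known" anywhere in the URI and opened
    # an allow-all path for anything containing that substring.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;   # must equal certbot's --webroot-path
        allow all;
    }

    # Deny every other dotfile/dot-directory (.htaccess, .git, .env, ...), not just .ht*.
    # The negative lookahead keeps /.well-known reachable (the ^~ block above handles the
    # ACME path before any regex is evaluated anyway).
    location ~ /\.(?!well-known/) {
        deny all;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt  { log_not_found off; access_log off; allow all; }

    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }
}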