Nginx Hackday Porto Linux SSL for authenticated users
## At the http level
## A request carrying a session cookie is treated as an authenticated one
## that belongs on the SSL host. The pattern is an unanchored, case-sensitive
## regex against the whole Cookie header, so any cookie name or value that
## contains "SESS" (a SESS... or SSESS... name, for example) sets the flag.
map $http_cookie $is_secure {
    ~SESS   1;   # session cookie present: authenticated user, use SSL
    default 0;
}
## Inverse of $is_secure, consumed by the SSL host to send anonymous
## visitors back to plain HTTP. $is_secure is always 0 or 1.
map $is_secure $not_secure {
    0 1;
    1 0;
}
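## In the non-SSL host
server {
    ## Plain HTTP listener for the canonical host. The listing originally
    ## repeated the SSL host's "listen [::]:443 ssl" and
    ## "server_name ssl.example.com" here, which declares a second TLS server
    ## with the same name (nginx ignores the duplicate) and leaves no vhost
    ## for http://example.com, the target of the SSL host's redirect.
    listen [::]:80;
    server_name example.com;
    limit_conn arbeit 32;

    ## Cookie-based upgrade: a request that arrives here with a session
    ## cookie is redirected to the SSL host. The map only checks presence,
    ## and by the time this fires the cookie has already crossed the wire in
    ## clear text. A cookie carrying the Secure attribute is never sent over
    ## HTTP at all, so for such sessions $is_secure stays 0 on this host and
    ## this redirect does not trigger.
    if ($is_secure) {
        return 302 https://ssl.example.com$request_uri;
    }

    ## Access and error logs.
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;

    ## Keep alive timeout; deliberately shorter than on the SSL host.
    keepalive_timeout 10 10;

    root /var/www/sites/example.com;
    index index.php;

    ## If you're using a Nginx version greater or equal to 1.1.4 then
    ## you can use keep alive connections to the upstream be it
    ## FastCGI or Apache. If that's not the case comment out the line below.
    fastcgi_keep_conn on; # keep alive to the FCGI upstream

    #... more stuff ...
} # HTTP server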
## In the SSL host
server {
    listen [::]:443 ssl;
    server_name ssl.example.com;
    limit_conn arbeit 32;

    ## Server certificate and key.
    ssl_certificate /etc/ssl/certs/example-cert.pem;
    ssl_certificate_key /etc/ssl/private/example.key;

    ## Anonymous visitors (no session cookie, see the $not_secure map at
    ## the http level) are sent back to the plain HTTP host.
    if ($not_secure) {
        return 302 http://example.com$request_uri;
    }

    ## A plain HTTP request on this TLS port produces nginx's 497 status;
    ## turn it into a redirect to the same URI over https.
    error_page 497 =302 https://ssl.example.com$request_uri;

    ## Strict Transport Security header for enhanced security. See
    ## http://www.chromium.org/sts. The age is 2 hours; set it to whichever
    ## age you want. Without includeSubDomains it applies to ssl.example.com
    ## only, so the redirect above to example.com is not rewritten to https
    ## by the browser.
    add_header Strict-Transport-Security "max-age=7200";

    ## Access and error logs.
    access_log /var/log/nginx/ssl.example.com_access.log;
    error_log /var/log/nginx/ssl.example.com_error.log;

    ## Longer keep alive timeout for SSL/TLS than on the HTTP host.
    ## See the keepalive_timeout directive in nginx.conf.
    keepalive_timeout 75 75;

    root /var/www/sites/example.com;
    index index.php;

    ## Keep alive connections to the FastCGI or Apache upstream. This
    ## needs Nginx 1.1.4 or newer; comment out the line on older versions.
    fastcgi_keep_conn on;

    #... more stuff ...
} # HTTPS server