Last active
June 7, 2017 12:35
-
-
Save richpeck/a592f41c0ddbe108b3ae757b28aac0bd to your computer and use it in GitHub Desktop.
NGinx SSL Setup
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# /etc/nginx/sites-enabled/default | |
########################################## | |
########################################## | |
## General Server Setup ## | |
########################################## | |
########################################## | |
## General ## | |
## Ref: https://gist.github.com/plentz/6737338 ## | |
# don't send the nginx version number in error pages and Server header | |
server_tokens off; | |
# config to don't allow the browser to render the page inside an frame or iframe | |
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking | |
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri | |
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options | |
add_header X-Frame-Options SAMEORIGIN; | |
# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, | |
# to disable content-type sniffing on some browsers. | |
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers | |
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx | |
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx | |
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 | |
add_header X-Content-Type-Options nosniff; | |
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. | |
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for | |
# this particular website if it was disabled by the user. | |
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers | |
add_header X-XSS-Protection "1; mode=block"; | |
# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy), | |
# you can tell the browser that it can only download content from the domains you explicitly allow | |
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/ | |
# https://www.owasp.org/index.php/Content_Security_Policy | |
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval' | |
# directives for css and js(if you have inline css or js, you will need to keep it too). | |
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful | |
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'"; | |
# remove headers | |
more_clear_headers Server X-Powered-By X-Runtime; | |
########################################## | |
########################################## | |
## Individual sites in respective files ## | |
########################################## | |
########################################## |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# /etc/nginx/sites-enabled/site1.com | |
########################################## | |
########################################## | |
## Server Setup For Site1.com ## | |
########################################## | |
########################################## | |
## Server options stored in nginx.conf ## | |
########################################## | |
########################################## | |
## Apex to SSL::WWW ## | |
## Redirects from site1.com -> https://www.site1.com (not necessary if you don't mind having multi access) ## | |
server { | |
listen 80; | |
listen [::]:80; | |
listen 443; | |
listen [::]:443; | |
## Details ## | |
server_name site1.com 13.12.11.10 [[ip_address]]; | |
## SSL ## | |
include /app/ssl/ssl.conf; | |
## Certs ## | |
ssl_certificate /var/ssl/site1/cert_chain.crt; | |
ssl_certificate_key /var/ssl/site1/site1.com.key; | |
## Action ## | |
return 301 https://www.$host$request_uri; | |
} | |
################### | |
## HTTPS ## | |
## Only assign default to the virtual server you want No-SNI browsers to access ## | |
server { | |
listen 443 default; | |
listen [::]:443 default; | |
## Details ## | |
## Only accept WWW ## | |
server_name www.site1.com; | |
## Root ## | |
## You can put index.html in the below folder ## | |
root /var/www/site1.com; | |
## SSL ## | |
include /app/ssl/ssl.conf; | |
## Certs ## | |
ssl_certificate /var/ssl/site1/cert_chain.crt; | |
ssl_certificate_key /var/ssl/site1/site1.com.key; | |
## Options ## | |
location = /favicon.ico { | |
access_log off; | |
log_not_found off; | |
} | |
} | |
########################################## | |
########################################## |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# /etc/nginx/sites-enabled/site2.com | |
########################################## | |
########################################## | |
## Server Setup For Site2.com ## | |
########################################## | |
########################################## | |
## Server options stored in nginx.conf ## | |
########################################## | |
########################################## | |
## Apex to SSL::WWW ## | |
## Redirects from site2.com -> https://www.site1.com (not necessary if you don't mind having multi access) ## | |
server { | |
listen 80; | |
listen [::]:80; | |
listen 443; | |
listen [::]:443; | |
## Details ## | |
server_name site2.com; | |
## SSL ## | |
include /app/ssl/ssl.conf; | |
## Certs ## | |
ssl_certificate /var/ssl/site2/cert_chain.crt; | |
ssl_certificate_key /var/ssl/site2/site2.com.key; | |
## Action ## | |
return 301 https://www.$host$request_uri; | |
} | |
################### | |
## HTTPS ## | |
server { | |
listen 443; | |
listen [::]:443; | |
## Details ## | |
## Only accept WWW ## | |
server_name www.site1.com; | |
## Root ## | |
## You can put index.html in the below folder ## | |
root /var/www/site2.com; | |
## SSL ## | |
include /var/ssl/ssl.conf; | |
## Certs ## | |
ssl_certificate /var/ssl/site2/cert_chain.crt; | |
ssl_certificate_key /var/ssl/site2/site2.com.key; | |
## Options ## | |
location = /favicon.ico { | |
access_log off; | |
log_not_found off; | |
} | |
} | |
########################################## | |
########################################## |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# /var/ssl/ssl.conf | |
## Used in multiple SSL server blocks ## | |
################################################### | |
# enable session resumption to improve https performance | |
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html | |
ssl_session_cache shared:SSL:50m; | |
ssl_session_timeout 5m; | |
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
ssl_dhparam /etc/nginx/cert/dhparam.pem; | |
# enables server-side protection from BEAST attacks | |
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html | |
ssl_prefer_server_ciphers on; | |
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
# ciphers chosen for forward secrecy and compatibility | |
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html | |
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; | |
# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner) | |
# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ | |
resolver 8.8.8.8; | |
ssl_stapling on; | |
# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security | |
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping | |
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; | |
################################################### |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment