Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
An opinionated nginx default server configuration block
# An opinionated nginx default server configuration block
# Author: Ryan Castellucci https://rya.nc/ @ryancdotorg
# Revision: 2021-02-07
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
# Send ACME (LetsEncrypt) requests to a special directory
location /.well-known/acme-challenge/ { root /var/www/acme; }
location / {
# Redirect valid looking domains to HTTPS (stripping www if present)
if ($host ~ "^(www\.)?(?<domain>.+\.[a-z][a-z0-9-]*[a-z0-9])$") {
return 301 https://$domain$request_uri;
}
# Anything else (e.g. an IP address) gets "Bad Request".
return 400;
}
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
# Generate RSA certificate and key with the following command:
#
# openssl req -new -newkey rsa:2048 \
# -nodes -x509 -batch -subj / \
# -keyout /etc/nginx/snakeoil.pem \
# -out /etc/nginx/snakeoil.pem
#
# Do *not* use a default cert generated by your distro, it
# may leak information such as your hostname or IP address.
ssl_certificate snakeoil.pem;
ssl_certificate_key snakeoil.pem;
# Avoid error messages in log
ssl_stapling off;
# Prevents TLSv1 to TLSv1.2 from seeing the cert due to lack of
# matching cipher suites.
ssl_ciphers aNULL;
# SNI has been well supported since 2015. Anything not using it and/or
# not sending us a configured hostname is probably up to no good.
return 400;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment