Created
February 7, 2021 19:58
An opinionated nginx default server configuration block
# An opinionated nginx default server configuration block
# Author: Ryan Castellucci https://rya.nc/ @ryancdotorg
# Revision: 2021-02-07
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    location / {
        # $host is the client-supplied Host header (nginx lowercases it and
        # strips any port), or "_" when the request carries no Host at all,
        # so the case-sensitive match below is sufficient. Only values that
        # look like a DNS name with an alphabetic TLD are redirected, and a
        # leading "www." is dropped so the canonical HTTPS site is the bare
        # domain. Because this is the catch-all server, the redirect target
        # is whatever name the client asked for -- intended, since there is
        # no per-site list to maintain -- but every name pointed at this box
        # then needs a matching HTTPS server block, or the client ends up at
        # the 400 default on port 443. "return" is one of the few directives
        # that is safe to use inside "if".
        if ($host ~ "^(www\.)?(?<domain>.+\.[a-z][a-z0-9-]*[a-z0-9])$") {
            return 301 https://$domain$request_uri;
        }
        # Bare IPv4 addresses, bracketed IPv6 literals, a missing Host
        # header and anything else that is not a plausible hostname: 400.
        return 400;
    }

    # ACME HTTP-01 (Let's Encrypt) challenge files. With "root" the tokens
    # are read from /var/www/acme/.well-known/acme-challenge/<token>, which
    # is exactly what a webroot-mode ACME client writes when pointed at
    # /var/www/acme. Every other URI falls into "location /" above, so no
    # other file under that directory is served from here.
    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }
}
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;

    # Only anonymous (aNULL) suites are offered. Browsers and mainstream TLS
    # libraries never enable them, so a TLS 1.0-1.2 handshake dies with
    # "no shared cipher" before the server ever sends its certificate.
    # TLS 1.3 suites are NOT governed by ssl_ciphers, so a TLS 1.3 client
    # still completes the handshake, receives the certificate below and
    # then gets the 400 -- which is why that certificate must contain
    # nothing identifying.
    ssl_ciphers aNULL;

    # A certificate is still mandatory for a "listen ... ssl" socket, so
    # generate a throwaway one with an empty subject, disclosing neither a
    # hostname nor an address to whoever does get to see it:
    #
    #   openssl req -new -newkey rsa:2048 \
    #     -nodes -x509 -batch -subj / \
    #     -keyout /etc/nginx/snakeoil.pem \
    #     -out /etc/nginx/snakeoil.pem
    #
    # Pointing -keyout and -out at the same path yields one PEM file holding
    # both key and certificate, which nginx accepts for both directives.
    # Do *not* reuse a distro-generated default certificate: its subject or
    # SANs typically carry the machine's hostname or IP address.
    ssl_certificate snakeoil.pem;
    ssl_certificate_key snakeoil.pem;

    # ssl_stapling defaults to off, but is commonly enabled at the http
    # level and inherited; the self-signed certificate has no OCSP
    # responder, so leaving it on here would only add errors to the log.
    ssl_stapling off;

    # Everything that reaches this block is refused. As the port-443
    # catch-all it only sees connections whose SNI names nothing we serve,
    # or that send no SNI at all; SNI has been ubiquitous since roughly
    # 2015, so those are scanners, misconfigured clients or probes.
    return 400;

    # On nginx 1.19.4 or newer, "ssl_reject_handshake on;" does this job
    # properly: it aborts the handshake with an unrecognized_name alert for
    # every TLS version, including 1.3, and needs no certificate at all.
    # Prefer it when the installed nginx allows, and drop the ssl_ciphers /
    # ssl_certificate* lines. Note also that the "http2" listen parameter is
    # deprecated since nginx 1.25.1 in favour of a separate "http2 on;".
}