-
-
Save sbaerlocher/8f8e4f6519f40daeeb95 to your computer and use it in GitHub Desktop.
Nginx configuration for a web site with an SSL certificate for an A + rating offer SSLLabs.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Port 80 | |
| server { | |
| #This port is overheard | |
| listen 80; | |
| #The host name | |
| server_name example.com; | |
| #Redirect to https | |
| rewrite ^(.*)$ https://example.com$1 permanent; | |
| } | |
| #Port 443 | |
| server { | |
| #This port is overheard | |
| listen 443; | |
| #The host name | |
| server_name example.com; | |
| #Iframe for banning page | |
| add_header X-Frame-Options DENY; | |
| #Is controllable for the next 365 days only via https | |
| add_header Strict-Transport-Security max-age=31536000; | |
| #Path for files | |
| root /var/www/example.com; | |
| #Access Logs | |
| access_log /var/log/nginx/example.com.access_log; | |
| #Error Logs | |
| error_log /var/log/nginx/example.com.error_log; | |
| #PHP Skript | |
| location ~ \.php$ { | |
| try_files $uri =404; | |
| fastcgi_split_path_info ^(.+\.php)(/.+)$; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| fastcgi_intercept_errors on; | |
| include fastcgi.conf; | |
| fastcgi_pass php; | |
| } | |
| ssl on; | |
| ssl_certificate /etc/ssl/nginx/example.com/example.com.pem; | |
| ssl_certificate_key /etc/ssl/nginx/example.com/example.com.key; | |
| # Protect against the BEAST attack by preferring RC4-SHA when using SSLv3 and TLS protocols. | |
| # Note that TLSv1.1 and TLSv1.2 are immune to the beast attack but only work with OpenSSL v1.0.1 and higher and has limited client support. | |
| # Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; | |
| ssl_prefer_server_ciphers on; | |
| # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes. | |
| # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection. | |
| # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state. | |
| # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS. | |
| ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions | |
| ssl_session_timeout 10m; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment