tangrufus/cat.sh

## cat.sh
$ sudo cat your_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
$ sudo chmod 600 /etc/nginx/ssl

## csr.txt
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: your-domain.com
Email Address []:
A challenge password []:
An optional company name []:

## openssl.sh
$ sudo mkdir /etc/nginx/ssl/
$ sudo cd /etc/nginx/ssl/
$ sudo openssl req -nodes -newkey rsa:2048 -keyout your_domain.key -out your_domain.csr

## your-domain.conf
server {
# Configure the domain that will run WordPress
listen 443 ssl spdy;
listen [::]:443 ssl spdy;
server_name your-domain.com;

# WordPress needs to be in the webroot of /src/www/ in this case
root /src/www/your-domain.com/htdocs;

# Turn on SSL
ssl on;
ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/your-domain.key;

# Protocols
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_buffer_size 8k;
ssl_session_cache builtin:1000 shared:SSL:20m;
ssl_session_timeout 20m;

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;

# Headers
# This forces every request after this one to be over HTTPS
add_header Strict-Transport-Security &amp;amp;quot;max-age=31536000; includeSubDomains&amp;amp;quot;;
# SPDY
add_header Alternate-Protocol 443:npn-spdy/3;

# pass PHP scripts to Fastcgi listening on Unix socket
# Do not process them if inside WP uploads directory
# If using Multisite or a custom uploads directory,
# please set the */uploads/* directory in the regex below
location ~* (^(?!(?:(?!(php|inc)).)*/uploads/).*?(php)) {
try_files $uri = 404;
fastcgi_split_path_info ^(.+.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
}

# Redirect all http queries to non-www https
server {
listen 80;
listen [::]:80;
server_name your-domain.com www.your-domain.com;
return 301 https://your-domain.com$request_uri;
}
	$ sudo cat your_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
	$ sudo chmod 600 /etc/nginx/ssl
	Country Name (2 letter code) [AU]: GB
	State or Province Name (full name) [Some-State]: Yorks
	Locality Name (eg, city) []: York
	Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
	Organizational Unit Name (eg, section) []: IT
	Common Name (eg, YOUR name) []: your-domain.com
	Email Address []:
	A challenge password []:
	An optional company name []:
	$ sudo mkdir /etc/nginx/ssl/
	$ sudo cd /etc/nginx/ssl/
	$ sudo openssl req -nodes -newkey rsa:2048 -keyout your_domain.key -out your_domain.csr
	server {
	# Configure the domain that will run WordPress
	listen 443 ssl spdy;
	listen [::]:443 ssl spdy;
	server_name your-domain.com;

	# WordPress needs to be in the webroot of /src/www/ in this case
	root /src/www/your-domain.com/htdocs;

	# Turn on SSL
	ssl on;
	ssl_certificate /etc/nginx/ssl/ssl-bundle.crt;
	ssl_certificate_key /etc/nginx/ssl/your-domain.key;

	# Protocols
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
	ssl_buffer_size 8k;
	ssl_session_cache builtin:1000 shared:SSL:20m;
	ssl_session_timeout 20m;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 10s;

	# Headers
	# This forces every request after this one to be over HTTPS
	add_header Strict-Transport-Security &amp;quot;max-age=31536000; includeSubDomains&amp;quot;;
	# SPDY
	add_header Alternate-Protocol 443:npn-spdy/3;

	# pass PHP scripts to Fastcgi listening on Unix socket
	# Do not process them if inside WP uploads directory
	# If using Multisite or a custom uploads directory,
	# please set the /uploads/ directory in the regex below
	location ~* (^(?!(?:(?!(php\|inc)).)/uploads/).?(php)) {
	try_files $uri = 404;
	fastcgi_split_path_info ^(.+.php)(/.+)$;
	fastcgi_pass unix:/var/run/php5-fpm.sock;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	include fastcgi_params;
	fastcgi_intercept_errors on;
	fastcgi_ignore_client_abort off;
	fastcgi_connect_timeout 60;
	fastcgi_send_timeout 180;
	fastcgi_read_timeout 180;
	fastcgi_buffer_size 128k;
	fastcgi_buffers 4 256k;
	fastcgi_busy_buffers_size 256k;
	fastcgi_temp_file_write_size 256k;
	}
	}

	# Redirect all http queries to non-www https
	server {
	listen 80;
	listen [::]:80;
	server_name your-domain.com www.your-domain.com;
	return 301 https://your-domain.com$request_uri;
	}