Skip to content

Instantly share code, notes, and snippets.

@terrywang
Created July 28, 2022 23:28
Show Gist options
  • Save terrywang/7084ca08c9abee1a073e02eb4ea4a710 to your computer and use it in GitHub Desktop.
Save terrywang/7084ca08c9abee1a073e02eb4ea4a710 to your computer and use it in GitHub Desktop.
Nginx config for log.terry.im
server {
listen 80;
# listen [::]:80 default ipv6only=on;
server_name log.terry.im;
# redirect all HTTP requests to HTTPS with a 301 Moved Permanently response
location / {
return 301 https://$host$request_uri;
}
}
server {
# listen 443 ssl;
listen 443 ssl http2;
server_name log.terry.im;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/lego/.lego/certificates/terry.im.crt;
ssl_certificate_key /path/to/lego/.lego/certificates/terry.im.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m; # 10m about 40k sessions
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
# openssl dhparam -out /path/to/dhparams_4096.pem 4096
ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
# modern configuration, tweak to your needs
# ssl_protocols TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.3;
# ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
# ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
ssl_prefer_server_ciphers on;
# intermediate configuration, tweak to your needs
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
add_header Strict-Transport-Security "max-age=63072000; always;";
# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/lego/.lego/certificates/terry.im.crt;
# resolver <IP DNS resolver> valid=300s;
# resolver_timeout 5s;
resolver 8.8.8.8 1.1.1.1 valid=30s ipv6=off;
resolver_timeout 5s;
root /var/www/terry.im/log;
index index.php index.html index.htm;
# rewrite ^(.*)$ $scheme://www.terry.im$1;
access_log /var/log/nginx/log.terry.im-access.log;
error_log /var/log/nginx/log.terry.im-error.log;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.html
try_files $uri $uri/ /index.html;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ^~ /.well-known/ {
allow all;
}
location ~ /\. {
deny all;
}
location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
deny all;
}
# Browser cache
location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|eot|mp4|ogg|ogv|webm)$ {
expires 30d;
log_not_found off;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment