Containerised NGINX config for HTTPS and HTTP/2 with Let's Encrypt certificates. https://tomlankhorst.nl/secure-nginx-docker-container-with-lets-encrypt/
# Used on nginx/1.15.5
# https://tomlankhorst.nl/secure-nginx-docker-container-with-lets-encrypt/
#
# see: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.15.5a&openssl=1.0.1e&hsts=yes&profile=modern
# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
server {
    listen 80 default_server;
    root /application/public/;

    # Everything that is not a /.well-known lookup is sent to HTTPS.
    # NOTE(review): the redirect target is built from the client-supplied Host
    # header ($host). With a single default_server and no server_name there is
    # no fixed hostname to use instead; confirm this is acceptable for the deployment.
    location / {
        return 301 https://$host$request_uri;
    }

    # Plain-HTTP access is kept only for /.well-known so the Let's Encrypt
    # challenge files (served from the application document root) can be fetched.
    location /.well-known {
        try_files $uri $uri/ =404;
    }
}
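server {
    # HTTPS on 443 with HTTP/2.
    listen 443 ssl http2 default;

    # Let's Encrypt chain and private key, mounted into the container at /certs.
    ssl_certificate /certs/fullchain.pem;
    ssl_certificate_key /certs/privkey.pem;

    # Session resumption through the server-side cache only. Tickets stay off:
    # without ticket-key rotation a long-lived ticket key weakens forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Only modern protocol versions are offered (no SSLv3, TLSv1.0 or TLSv1.1).
    # TLSv1.3 takes effect only when nginx is built against an OpenSSL that
    # supports it; older builds keep negotiating TLSv1.2.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Mozilla "modern" list as generated for nginx 1.15.5: ECDHE only (forward
    # secrecy), AEAD suites first. The trailing *-SHA384/*-SHA256 entries are
    # CBC suites kept for the oldest clients named in the header comment.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # Diffie-Hellman parameters for DHE ciphersuites
    #   $ openssl dhparam -out dhparam.pem 4096
    # NOTE: the cipher list above contains no DHE-* suites, so this file is
    # only consulted if DHE suites are added later.
    ssl_dhparam /certs/dhparam.pem;

    # OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    # ssl_stapling_verify checks the stapled response against ssl_trusted_certificate.
    # fullchain.pem holds the leaf and intermediate but not the root, so confirm
    # stapling actually works (e.g. `openssl s_client -status`) and watch the
    # error log for verify failures rather than assuming it is active.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /certs/fullchain.pem;
    # The resolver is used for the OCSP responder lookup. Plain DNS to public
    # resolvers is unauthenticated; prefer a trusted local resolver where one exists.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # HSTS, matching the hsts=yes profile the header comment links to (six months).
    # Extend max-age and add includeSubDomains/preload only once every host sharing
    # this name is HTTPS-only. `always` also attaches the header to error responses.
    # Note: add_header is not inherited by a location that sets its own add_header.
    add_header Strict-Transport-Security "max-age=15768000" always;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    # Logging in a container: requests to stdout, errors to stderr, info to stdout.
    access_log /dev/stdout;
    error_log stderr error;
    error_log /dev/stdout info;

    root /application/public/;
    index index.html index.htm;
    charset utf-8;

    # TODO: Compression, interpreters, websocket proxies, logging, XSS headers, ...
}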