Containerised NGINX config for HTTPS with HTTP/2 with Let's Encrypt certificates. https://tomlankhorst.nl/secure-nginx-docker-container-with-lets-encrypt/
| # Used on nginx/1.15.5 | |
| # https://tomlankhorst.nl/secure-nginx-docker-container-with-lets-encrypt/ | |
| # | |
| # see: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.15.5a&openssl=1.0.1e&hsts=yes&profile=modern | |
| # Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8 | |
| server { | |
| listen 80 default_server; | |
| root /application/public/; | |
| # allow access to /.well-known through HTTP | |
| location /.well-known { | |
| try_files $uri $uri/ =404; | |
| } | |
| # redirect all other requests to HTTPS | |
| location / { | |
| return 301 https://$host$request_uri; | |
| } | |
| } | |
| server { | |
| # Listen to HTTPS on 443 and allow HTTP/2 | |
| listen 443 ssl http2 default; | |
| # Path to the chain and privkey (Let's Encrypt) | |
| ssl_certificate /certs/fullchain.pem; | |
| ssl_certificate_key /certs/privkey.pem; | |
| # Improve HTTPS performance with session resumption | |
| ssl_session_timeout 1d; | |
| ssl_session_cache shared:SSL:50m; | |
| ssl_session_tickets off; | |
| # Enable server-side protection against BEAST attacks | |
| ssl_protocols TLSv1.2; | |
| ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | |
| ssl_prefer_server_ciphers on; | |
| # Diffie-Hellman parameter for DHE ciphersuites | |
| # $ openssl dhparam -out dhparam.pem 4096 | |
| ssl_dhparam /certs/dhparam.pem; | |
| # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox) | |
| # uses Google DNS servers | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| ssl_trusted_certificate /certs/fullchain.pem; | |
| resolver 8.8.8.8 8.8.4.4 valid=300s; | |
| resolver_timeout 5s; | |
| # Logging in a container | |
| access_log /dev/stdout; | |
| error_log stderr error; | |
| error_log /dev/stdout info; | |
| root /application/public/; | |
| index index.html index.htm; | |
| charset utf-8; | |
| # TODO: Compression, interpreters, websocket proxies, logging, XSS headers, ... | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment