Skip to content

Instantly share code, notes, and snippets.

@tomlankhorst

tomlankhorst/nginx.conf

Last active Dec 4, 2018
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Containerised NGINX config for HTTPS with HTTP/2 with Let's Encrypt certificates. https://tomlankhorst.nl/secure-nginx-docker-container-with-lets-encrypt/
Raw
nginx.conf
# Used on nginx/1.15.5
# https://tomlankhorst.nl/secure-nginx-docker-container-with-lets-encrypt/
#
# see: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.15.5a&openssl=1.0.1e&hsts=yes&profile=modern
# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
server {
listen 80 default_server;
root /application/public/;
# allow access to /.well-known through HTTP
location /.well-known {
try_files $uri $uri/ =404;
}
# redirect all other requests to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Listen to HTTPS on 443 and allow HTTP/2
listen 443 ssl http2 default;
# Path to the chain and privkey (Let's Encrypt)
ssl_certificate /certs/fullchain.pem;
ssl_certificate_key /certs/privkey.pem;
# Improve HTTPS performance with session resumption
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Enable server-side protection against BEAST attacks
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
# Diffie-Hellman parameter for DHE ciphersuites
# $ openssl dhparam -out dhparam.pem 4096
ssl_dhparam /certs/dhparam.pem;
# Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
# uses Google DNS servers
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /certs/fullchain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Logging in a container
access_log /dev/stdout;
error_log stderr error;
error_log /dev/stdout info;
root /application/public/;
index index.html index.htm;
charset utf-8;
# TODO: Compression, interpreters, websocket proxies, logging, XSS headers, ...
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.