Skip to content

Instantly share code, notes, and snippets.

Forked from nrollr/nginx.conf
Created Aug 19, 2020
What would you like to do?
NGINX config for SSL with Let's Encrypt certs
# UPDATED 17 February 2019
# Redirect all HTTP traffic to HTTPS
server {
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
# SSL configuration
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;
# Improve HTTPS performance with session resumption
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Enable server-side protection against BEAST attacks
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# RFC-7919 recommended:
ssl_dhparam /etc/ssl/ffdhe4096.pem;
ssl_ecdh_curve secp521r1:secp384r1;
# Aditional Security Headers
# ref:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# ref:
add_header X-Frame-Options DENY always;
# ref:
add_header X-Content-Type-Options nosniff always;
# ref:
add_header X-Xss-Protection "1; mode=block" always;
# Enable OCSP stapling
# ref.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/;
resolver [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
resolver_timeout 5s;
# Required for LE certificate enrollment using certbot
location '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/html;
location / {
root /var/www/html;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment