example domain nginx.conf
##
# Put this file in the /etc/nginx/conf.d folder and make sure
# you have the line 'include /etc/nginx/conf.d/*.conf;'
# in your main nginx configuration file.
##
##
# Redirect every plain-HTTP request to the same URL with https://
##
server {
    listen 80;

    # Type your domain name below
    server_name example.com;

    # Plain HTTP is never served: answer with a permanent redirect to the
    # HTTPS origin. $server_name is the configured name above, so the target
    # does not depend on whatever Host header the client sent.
    return 301 https://$server_name$request_uri;
}
##
# HTTPS configuration
##
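server {
    listen 443 ssl;

    # Type your domain name below
    server_name example.com;

    # Document root for the whole virtual host. It is declared at server level
    # (not inside "location /") so that every location below, including
    # "location /sw.js", resolves files under the same directory; a root set
    # in one location is not inherited by a sibling location.
    root /var/www/;

    # Configure the certificate (chain) and key you got from your CA (e.g. Let's Encrypt).
    # Keep the key file readable by root only; nginx reads it as the master process.
    ssl_certificate     /path/to/certificate.crt;
    ssl_certificate_key /path/to/server.key;

    # Session resumption through the shared server-side cache only. Tickets are
    # off because a long-lived ticket key would weaken forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;
    ssl_session_tickets off;

    # Only use TLS v1.2 as Transport Security Protocol.
    # TLSv1.3 may be appended once nginx is built against a TLS 1.3 capable
    # OpenSSL; older nginx builds reject the token at configuration load time.
    ssl_protocols TLSv1.2;

    # Every suite is ECDHE, so all sessions have forward secrecy. AEAD suites
    # (GCM / ChaCha20-Poly1305) come first; the trailing *-SHA256 / *-SHA384
    # CBC suites are kept only for older clients and can be removed when they
    # are not needed.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

    # The server's preference order above wins over the client's, so a client
    # cannot steer negotiation toward a weaker suite further down the list.
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months).
    # "always" also attaches the header to error responses.
    # NOTE: add_header is NOT inherited by a location that sets its own
    # add_header, so any such location below repeats this line.
    add_header Strict-Transport-Security max-age=15768000 always;

    # Diffie-Hellman parameters for DHE ciphersuites, recommended 2048 bits.
    # Uncomment if you want to use your own parameters; generate them with:
    #   openssl dhparam -out dhparam.pem 2048
    # ("openssl ecparam -genkey" produces an EC private key, not DH parameters.)
    # ssl_dhparam only affects DHE suites and the list above contains none,
    # so this is optional with the current cipher list.
    # See https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam
    # ssl_dhparam /path/to/dhparam.pem;

    ## OCSP Configuration START
    # If you want to provide OCSP Stapling, you can uncomment the following lines.
    # See https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx for more info about OCSP and its use case.
    # Fetch OCSP records from the URL in ssl_certificate and cache them.
    #ssl_stapling on;
    #ssl_stapling_verify on;
    # Verify the chain of trust of the OCSP response using the root CA and
    # intermediate certs (you will get this file from your CA).
    #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    # Stapling needs a resolver to look up the OCSP responder's hostname,
    # so also uncomment and fill in the resolver line below.
    ## OCSP Configuration END

    # To let nginx use its own DNS resolver
    # resolver <IP DNS resolver>;

    # Always serve index.html for any request that does not match a file
    # (single-page-application fallback).
    location / {
        try_files $uri /index.html;
    }

    # Never expose dotfiles (.git, .env, .htaccess, ...) that may sit under the
    # document root; the fallback in "location /" would otherwise serve them
    # if present. 404 rather than 403 so their existence is not revealed.
    location ~ /\. {
        return 404;
    }

    # Do not cache sw.js, required for offline-first updates.
    # The file is served from the server-level root above. The proxy_cache_*
    # directives the original had here only apply to proxied responses and had
    # no effect on this static file, so they are omitted.
    location /sw.js {
        add_header Cache-Control "no-cache";
        # Repeated on purpose: the location-level add_header above suppresses
        # inheritance of the server-level HSTS header.
        add_header Strict-Transport-Security max-age=15768000 always;
        expires off;
        access_log off;
    }

    ##
    # If you want to use a Node/Rails/etc. API server on the same port (443),
    # configure nginx as a reverse proxy.
    # Bind the backend to 127.0.0.1 only (and/or deny port 3000/tcp with a
    # firewall such as ufw on Ubuntu) so it is reachable solely through nginx.
    ##
    # location /api/ {
    #
    #     proxy_pass http://localhost:3000;
    #     proxy_http_version 1.1;
    #     proxy_set_header X-Forwarded-Proto https;
    #     # Pass the client address through; otherwise the backend only sees 127.0.0.1
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection 'upgrade';
    #     proxy_set_header Host $host;
    #     proxy_cache_bypass $http_upgrade;
    #
    # }
}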