vbguard/nginx.conf

## nginx.conf
##
# Put this file in /etc/nginx/conf.d folder and make sure
# you have a line 'include /etc/nginx/conf.d/*.conf;'
# in your main nginx configuration file
##

##
# Redirect to the same URL with https://
##

server {

  listen 80;

# Type your domain name below
  server_name example.com;

  return 301 https://$server_name$request_uri;

}

##
# HTTPS configurations
##

server {

  listen 443 ssl;

# Type your domain name below
  server_name example.com;

# Configure the Certificate and Key you got from your CA (e.g. Lets Encrypt)
  ssl_certificate     /path/to/certificate.crt;
  ssl_certificate_key /path/to/server.key;

  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;

# Only use TLS v1.2 as Transport Security Protocol
  ssl_protocols TLSv1.2;

# Only use ciphersuites that are considered modern and secure by Mozilla
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

# Do not let attackers downgrade the ciphersuites in Client Hello
# Always use server-side offered ciphersuites
  ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  add_header Strict-Transport-Security max-age=15768000;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# Uncomment if you want to use your own Diffie-Hellman parameter, which can be generated with: openssl ecparam -genkey -out dhparam.pem -name prime256v1
# See https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam
# ssl_dhparam /path/to/dhparam.pem;


## OCSP Configuration START
# If you want to provide OCSP Stapling, you can uncomment the following lines
# See https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx for more infos about OCSP and its use case
# fetch OCSP records from URL in ssl_certificate and cache them

#ssl_stapling on;
#ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs (you will get this file from your CA)
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

## OCSP Configuration END

# To let nginx use its own DNS Resolver
# resolver <IP DNS resolver>;


# Always serve index.html for any request
  location / {
    # Set path
    root /var/www/;
    try_files $uri /index.html;
  }

# Do not cache sw.js, required for offline-first updates.
  location /sw.js {
      add_header Cache-Control "no-cache";
      proxy_cache_bypass $http_pragma;
      proxy_cache_revalidate on;
      expires off;
      access_log off;
  }

##
# If you want to use Node/Rails/etc. API server
# on the same port (443) config Nginx as a reverse proxy.
# For security reasons use a firewall like ufw in Ubuntu
# and deny port 3000/tcp.
##

# location /api/ {
#
#   proxy_pass http://localhost:3000;
#   proxy_http_version 1.1;
#   proxy_set_header X-Forwarded-Proto https;
#   proxy_set_header Upgrade $http_upgrade;
#   proxy_set_header Connection 'upgrade';
#   proxy_set_header Host $host;
#   proxy_cache_bypass $http_upgrade;
#
# }

}
	##
	# Put this file in /etc/nginx/conf.d folder and make sure
	# you have a line 'include /etc/nginx/conf.d/*.conf;'
	# in your main nginx configuration file
	##

	##
	# Redirect to the same URL with https://
	##

	server {

	listen 80;

	# Type your domain name below
	server_name example.com;

	return 301 https://$server_name$request_uri;

	}

	##
	# HTTPS configurations
	##

	server {

	listen 443 ssl;

	# Type your domain name below
	server_name example.com;

	# Configure the Certificate and Key you got from your CA (e.g. Lets Encrypt)
	ssl_certificate /path/to/certificate.crt;
	ssl_certificate_key /path/to/server.key;

	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# Only use TLS v1.2 as Transport Security Protocol
	ssl_protocols TLSv1.2;

	# Only use ciphersuites that are considered modern and secure by Mozilla
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

	# Do not let attackers downgrade the ciphersuites in Client Hello
	# Always use server-side offered ciphersuites
	ssl_prefer_server_ciphers on;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	# Uncomment if you want to use your own Diffie-Hellman parameter, which can be generated with: openssl ecparam -genkey -out dhparam.pem -name prime256v1
	# See https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam
	# ssl_dhparam /path/to/dhparam.pem;


	## OCSP Configuration START
	# If you want to provide OCSP Stapling, you can uncomment the following lines
	# See https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx for more infos about OCSP and its use case
	# fetch OCSP records from URL in ssl_certificate and cache them

	#ssl_stapling on;
	#ssl_stapling_verify on;

	# verify chain of trust of OCSP response using Root CA and Intermediate certs (you will get this file from your CA)
	#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

	## OCSP Configuration END

	# To let nginx use its own DNS Resolver
	# resolver <IP DNS resolver>;


	# Always serve index.html for any request
	location / {
	# Set path
	root /var/www/;
	try_files $uri /index.html;
	}

	# Do not cache sw.js, required for offline-first updates.
	location /sw.js {
	add_header Cache-Control "no-cache";
	proxy_cache_bypass $http_pragma;
	proxy_cache_revalidate on;
	expires off;
	access_log off;
	}

	##
	# If you want to use Node/Rails/etc. API server
	# on the same port (443) config Nginx as a reverse proxy.
	# For security reasons use a firewall like ufw in Ubuntu
	# and deny port 3000/tcp.
	##

	# location /api/ {
	#
	# proxy_pass http://localhost:3000;
	# proxy_http_version 1.1;
	# proxy_set_header X-Forwarded-Proto https;
	# proxy_set_header Upgrade $http_upgrade;
	# proxy_set_header Connection 'upgrade';
	# proxy_set_header Host $host;
	# proxy_cache_bypass $http_upgrade;
	#
	# }

	}