Last active
April 13, 2016 02:51
-
-
Save warrenca/34ac38575251ee2211c7 to your computer and use it in GitHub Desktop.
Nginx configuration for web socket server and api web server on top of HTTPS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# HTTP protocol | |
server { | |
underscores_in_headers on; | |
listen 80; | |
server_name yourwebsite.com; | |
return 301 https://$server_name$request_uri; | |
} | |
# HTTPS server | |
server { | |
listen 443 ssl; | |
server_name yourwebsite.com; | |
root html; | |
index index.html index.htm; | |
underscores_in_headers on; | |
ssl on; | |
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate | |
ssl_certificate /etc/letsencrypt/live/yourwebsite.com/fullchain.pem; | |
ssl_certificate_key /etc/letsencrypt/live/yourwebsite.com/privkey.pem; | |
ssl_session_timeout 1d; | |
#ssl_session_tickets off; | |
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
# Generate DHParam | |
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 | |
ssl_dhparam /etc/nginx/ssl/dhparam.pem; | |
# modern configuration. tweak to your needs. | |
# SSL PCI Compliance | |
ssl_session_cache shared:SSL:10m; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
ssl_prefer_server_ciphers on; | |
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; | |
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) | |
add_header Strict-Transport-Security max-age=15768000; | |
# OCSP Stapling --- | |
# fetch OCSP records from URL in ssl_certificate and cache them | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
location /api { | |
# API server IP and port | |
proxy_pass http://127.0.0.1:5000; | |
proxy_http_version 1.1; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection 'upgrade'; | |
proxy_set_header Host $host; | |
proxy_cache_bypass $http_upgrade; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
} | |
location / { | |
try_files $uri $uri/ =404; | |
} | |
} | |
# Web Socket server | |
server { | |
# Public web socket port, if nginx and socket server is in different server | |
# we can use 1337 | |
listen 41337 ssl; | |
server_name api.yourwebsite.com; | |
root html; | |
index index.html index.htm; | |
underscores_in_headers on; | |
ssl on; | |
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate | |
ssl_certificate /etc/letsencrypt/live/yourwebsite.com/fullchain.pem; | |
ssl_certificate_key /etc/letsencrypt/live/yourwebsite.com/privkey.pem; | |
ssl_session_timeout 1d; | |
#ssl_session_tickets off; | |
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
ssl_dhparam /etc/letsencrypt/live/yourwebsite.com/dhparam.pem; | |
# modern configuration. tweak to your needs. | |
# SSL PCI Compliance | |
ssl_session_cache shared:SSL:10m; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
ssl_prefer_server_ciphers on; | |
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; | |
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) | |
add_header Strict-Transport-Security max-age=15768000; | |
# OCSP Stapling --- | |
# fetch OCSP records from URL in ssl_certificate and cache them | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
location / { | |
# Socket server IP and port | |
proxy_pass http://127.0.0.1:1337/; | |
proxy_http_version 1.1; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection 'upgrade'; | |
proxy_set_header Host $host; | |
proxy_cache_bypass $http_upgrade; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
} | |
} | |
# https://mozilla.github.io/server-side-tls/ssl-config-generator/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment