Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Nginx SSL/TLS + LetsEncrypt Configuration For "A+" Qualys SSL Labs Rating
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name mysite.com www.mysite.com;
rewrite ^ https://$host$request_uri? permanent;
}
server {
listen 443 ssl default_server http2;
listen [::]:443 ssl default_server http2;
server_name mysite.com www.mysite.com;
ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
# Generated with:
# openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_session_cache shared:TLS:2m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1; # 1dot1dot1dot1.cloudflare-dns.com
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
root /home/www;
index index.php index.html;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
}
location ~ /\.ht {
deny all;
}
error_page 401 403 404 /;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.