NGINX SSL Termination Config
# configuration file /etc/nginx/nginx.conf:
# Configuration File - Nginx Server Configs
# http://nginx.org/en/docs/dirindex.html
# Run as a unique, less privileged user for security reasons.
# Worker processes run as this user; the master process keeps root so it can
# bind ports below 1024 and read the certificate/key files. The TLS private
# keys referenced in sites-enabled/* therefore do not need to be (and should
# not be) readable by www-data.
# Default: nobody nobody
user www-data www-data;
# Number of worker processes. The usual rule is one per CPU core (`auto`
# selects that automatically); the original notes said both "equal to" and
# "greater than" the core count -- 20 is simply the fixed value chosen here.
# Maximum number of connections = worker_processes * worker_connections
# Default: 1
worker_processes 20;
# Maximum number of open files per worker process.
# Should be > worker_connections.
# Default: no limit
worker_rlimit_nofile 8192;
events {
# Per-worker connection limit; total capacity is
# worker_processes * worker_connections (20 * 8000 with the values in this file).
# If you need more connections than this, you start optimizing your OS.
# That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
# Should be < worker_rlimit_nofile.
# Default: 512
worker_connections 8000;
}
# Log errors and warnings to this file
# This is only used when you don't override it on a server{} level
# (the forum server below sets its own error_log without a level, so it
# falls back to the nginx default "error" rather than "warn").
# Default: logs/error.log error
error_log /var/log/nginx/error.log warn;
# The file storing the process ID of the main process
# Default: nginx.pid
pid /var/run/nginx.pid;
http {
# Hide nginx version information.
# Default: on
server_tokens off;
# Specify MIME types for files.
include mime.types;
# Default: text/plain
default_type application/octet-stream;
# Update charset_types to match updated mime.types.
# text/html is always included by charset module.
# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
# Note: this list only matters in contexts that also set `charset`
# (in this file only the example.com server does).
charset_types
text/css
text/plain
text/vnd.wap.wml
application/javascript
application/json
application/rss+xml
application/xml;
# Include $http_x_forwarded_for within default format used in log files.
# The header is client-supplied and unverified when nginx is the edge host,
# so treat that field as untrusted input in log analysis.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Log access to this file
# This is only used when you don't override it on a server{} level
# Default: logs/access.log combined
access_log /var/log/nginx/access.log main buffer=16k;
# How long to allow each connection to stay idle.
# Longer values are better for each individual client, particularly for SSL,
# but means that worker connections are tied up longer.
# Default: 75s
keepalive_timeout 20s;
# Speed up file transfers by using sendfile() to copy directly
# between descriptors rather than using read()/write().
# For performance reasons, on FreeBSD systems w/ ZFS
# this option should be disabled as ZFS's ARC caches
# frequently used files in RAM by default.
# Default: off
sendfile on;
# Don't send out partial frames; this increases throughput
# since TCP frames are filled up before being sent out.
# Default: off
tcp_nopush on;
# Enable gzip compression.
# This http{}-level default also applies to the proxied, dynamic pages in the
# included server{} files unless they override it. Compressing a response
# that contains both a secret (session/CSRF token) and content an attacker
# can influence exposes the secret to BREACH-style length side channels over
# TLS; restrict compression to static or secret-free content where that applies.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about
# 75% reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 5;
# Don't compress anything that's already small and unlikely to shrink much
# if at all (the default is 20 bytes, which is bad as that usually leads to
# larger files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# text/html is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# This should be turned on if you are going to have pre-compressed copies (.gz) of
# static files available. If not it should be left off as it will cause extra I/O
# for the check. It is best if you enable this in a location{} block for
# a specific directory, or on an individual server{} level.
# NOTE(review): it is nevertheless enabled here at http{} level for every
# server, which is what the note above advises against -- confirm that .gz
# copies actually exist, or move the directive into the relevant location{}.
gzip_static on;
# Include files in the sites-enabled folder. server{} configuration files should be
# placed in the sites-available folder, and then the configuration should be enabled
# by creating a symlink to it in the sites-enabled folder.
# See doc/sites-enabled.md for more info.
include sites-enabled/*;
}
# configuration file /etc/nginx/mime.types:
# Extension -> Content-Type map pulled in by `include mime.types` in nginx.conf.
# Any extension not listed falls back to default_type (application/octet-stream).
# .der/.pem/.crt are served as application/x-x509-ca-cert, so certificate and
# key material must stay outside any document root.
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/forum:
# NodeBB backend pool. "x.x.x.x" is a placeholder for the real address.
# Traffic to it is plain HTTP (TLS terminates in nginx), so this assumes the
# path to the backend is a trusted network.
upstream io_nodes {
# ip_hash; (sticky sessions -- only relevant once there is more than one server)
server x.x.x.x:4567;
}
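# Plain-HTTP listener for the forum: every request is sent to the canonical
# HTTPS host. `$request_uri` already begins with "/", so it is appended to the
# host directly -- the earlier "host/$request_uri" form produced a double
# slash ("https://forum.example.com//path") in every redirect.
server {
    listen 80;
    listen [::]:80;
    server_name forum.example.com forums.example.com;
    return 301 https://forum.example.com$request_uri;
}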
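# HTTPS front end for NodeBB (TLS terminates here, plain HTTP to io_nodes).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name forum.example.com forums.example.com;
    access_log /var/log/nginx/forum_access.log;
    error_log /var/log/nginx/forum_error.log;

    # TLS is already enabled by the `ssl` parameter on the listen lines; the
    # separate `ssl on;` directive was deprecated in nginx 1.15.0 and has been
    # dropped so this file keeps loading on current releases.

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail modern compliance
    # scans; only 1.2 and 1.3 are offered. Remove `TLSv1.3` if this nginx is
    # older than 1.13.0, where the parameter is unknown.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The previous list still offered 3DES
    # (DES-CBC3-SHA, SWEET32), CBC suites and static-RSA suites with no forward
    # secrecy. DHE suites are only used if ssl_dhparam is configured.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # HSTS: port 80 for these names is a permanent redirect to HTTPS, so tell
    # browsers to stay on HTTPS for a year. `always` also sets it on error
    # responses. Start with a shorter max-age if HTTPS for this host is new.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Headers that let NodeBB see the real client address, scheme and host.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_redirect off;

    # Socket.io support: HTTP/1.1 plus the Upgrade/Connection pair so WebSocket
    # handshakes reach the upstream.
    # NOTE(review): "Connection: upgrade" is sent on every request here; the
    # usual form maps $http_upgrade to "upgrade"/"" with a `map` in the http{}
    # context so ordinary requests keep a normal Connection header.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Compression of proxied (dynamic) responses over TLS. If a page contains
    # both a secret (session/CSRF token) and content a user can influence,
    # compressing it exposes the secret to BREACH-style length side channels;
    # limit gzip to secret-free content types if that applies to this forum.
    gzip on;
    gzip_min_length 1000;
    gzip_proxied off;
    gzip_types text/plain application/xml application/x-javascript text/css application/json;

    location @nodebb {
        proxy_pass http://io_nodes;
    }
    location / {
        proxy_pass http://io_nodes;
    }

    ssl_certificate /etc/letsencrypt/live/forum.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/forum.example.com/privkey.pem; # managed by Certbot
}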
# configuration file /etc/nginx/sites-enabled/example.com:
# Application backend; "x.x.x.x" is a placeholder (port 80 is implied).
# NOTE(review): a leading "@" in an upstream name is unusual -- this config
# is `nginx -T` output so it parsed, but confirm `proxy_pass http://@backend`
# below really resolves to this pool, or rename it to a plain identifier.
upstream @backend {
server x.x.x.x;
}
# Choose between www and non-www, listen on the *wrong* one and redirect to
# the right one -- http://wiki.nginx.org/Pitfalls#Server_Name
#
# Plain-HTTP listener for both hostnames; every request goes straight to the
# canonical HTTPS host. No HSTS header is needed here: browsers only honour
# it on HTTPS responses, and the HTTPS servers below set it.
server {
listen [::]:80;
listen 80;
# listen on both hosts
server_name example.com www.example.com;
# and redirect to the https host (declared below)
# avoiding http://www -> https://www -> https:// chain.
return 301 https://example.com$request_uri;
}
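# HTTPS listener for the www host: it only exists to redirect to the
# non-www host, but it must still present a valid, sanely configured TLS
# endpoint for that redirect to be trusted.
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    # listen on the wrong host
    server_name www.example.com;

    # Protocols: SSLv3 (POODLE) was never enabled here; TLS 1.0/1.1 are now
    # deprecated as well (RFC 8996) and have been dropped. Remove `TLSv1.3` if
    # this nginx is older than 1.13.0, where the parameter is unknown.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The previous list still included 3DES
    # (SWEET32), CAMELLIA/AES-CBC suites and static-RSA suites with no forward
    # secrecy. DHE suites rely on ssl_dhparam below.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;

    # Session resumption through a cache shared by all workers; the original
    # note said "10 minutes" but the 24h timeout below is what applies.
    # Session tickets are disabled: nginx only rotates the ticket key on
    # restart, so one long-lived key could otherwise unlock every resumed
    # session and undo the forward secrecy the cipher list provides.
    ssl_session_cache shared:SSL:100m; # ~4000 sessions per MB
    ssl_session_timeout 24h;
    ssl_session_tickets off;
    # SSL buffer size was added in 1.5.9. 4k is the value in use; the older
    # "fit in one MTU" remark would call for roughly 1400 bytes instead.
    ssl_buffer_size 4k;
    # Required for the DHE suites above; generate with at least 2048 bits.
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    # Use a higher keepalive timeout to reduce the need for repeated handshakes
    keepalive_timeout 300s; # up from 75 secs default

    # HSTS (HTTP Strict Transport Security): browsers connect to this host
    # only via HTTPS for one year. `preload` has no effect until the domain is
    # submitted to the browser preload list, which also requires
    # `includeSubDomains`; add that only when every subdomain is HTTPS-only,
    # because preloading is very hard to undo.
    add_header Strict-Transport-Security "max-age=31536000; preload" always;

    # This certificate is also the default served to clients without SNI
    # support, so it should be the most important one on this host.
    ssl_certificate /etc/nginx/ssl/example-comodo-new.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;

    # The Public-Key-Pins header was removed: HPKP is no longer honoured by
    # browsers, and the pin values here were not valid base64 SHA-256 digests
    # (and differed from the example.com server's), so any client that still
    # enforced them would have been locked out for the 60-day max-age.

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # trusted cert must be made up of your intermediate certificate followed by root certificate
    ssl_trusted_certificate /etc/nginx/ssl/trusted-intermediate.crt;
    # Resolver used for the OCSP responder lookup. These are public resolvers
    # reached over plain DNS; prefer a local validating resolver if available.
    resolver 8.8.8.8 8.8.4.4 valid=60s;
    resolver_timeout 2s;

    # and redirect to the non-www host (declared below)
    return 301 https://example.com$request_uri;
}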
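# Canonical HTTPS server for example.com: terminates TLS and proxies
# everything under / to the @backend pool.
server {
    listen [::]:443 ssl http2; # for Linux
    listen 443 ssl http2; # for Linux
    # The host name to respond to
    server_name example.com;

    # Protocols: SSLv3 (POODLE) was never enabled here; TLS 1.0/1.1 are now
    # deprecated as well (RFC 8996) and have been dropped. Remove `TLSv1.3` if
    # this nginx is older than 1.13.0, where the parameter is unknown.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. Both earlier lists (the active one and
    # the commented-out alternative) still offered 3DES (SWEET32), CBC suites
    # and static-RSA suites with no forward secrecy. DHE suites rely on
    # ssl_dhparam below.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;

    # Session resumption through a cache shared by all workers; the original
    # note said "10 minutes" but the 24h timeout below is what applies.
    # Session tickets are disabled: nginx only rotates the ticket key on
    # restart, so one long-lived key could otherwise unlock every resumed
    # session and undo the forward secrecy the cipher list provides.
    ssl_session_cache shared:SSL:100m; # ~4000 sessions per MB
    ssl_session_timeout 24h;
    ssl_session_tickets off;
    # SSL buffer size was added in 1.5.9. 4k is the value in use; the older
    # "fit in one MTU" remark would call for roughly 1400 bytes instead.
    ssl_buffer_size 4k;
    # Required for the DHE suites above; generate with at least 2048 bits.
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    # Use a higher keepalive timeout to reduce the need for repeated handshakes
    keepalive_timeout 300s; # up from 75 secs default

    # HSTS (HTTP Strict Transport Security): browsers connect to this host
    # only via HTTPS for one year. `preload` has no effect until the domain is
    # submitted to the browser preload list, which also requires
    # `includeSubDomains`; add that only when every subdomain is HTTPS-only,
    # because preloading is very hard to undo.
    add_header Strict-Transport-Security "max-age=31536000; preload" always;

    # This certificate is also the default served to clients without SNI
    # support, so it should be the most important one on this host.
    ssl_certificate /etc/nginx/ssl/example-comodo-new.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;

    # The Public-Key-Pins header was removed: HPKP is no longer honoured by
    # browsers, and the pin values were not valid base64 SHA-256 digests (and
    # differed from the www server's), so any client that still enforced them
    # would have been locked out for the 60-day max-age.

    # OCSP stapling (the stale "consider using OCSP stapling" note is gone;
    # it is configured right here).
    ssl_stapling on;
    ssl_stapling_verify on;
    # trusted cert must be made up of your intermediate certificate followed by root certificate
    ssl_trusted_certificate /etc/nginx/ssl/trusted-intermediate.crt;
    # Resolver used for the OCSP responder lookup. These are public resolvers
    # reached over plain DNS; prefer a local validating resolver if available.
    resolver 8.8.8.8 8.8.4.4 valid=60s;
    resolver_timeout 2s;

    # Path for static files. Everything under / is proxied below, so this is
    # only reached for responses nginx generates itself (error pages).
    root /var/www/html;
    # Specify a charset
    charset utf-8;

    location / {
        proxy_pass http://@backend;

        # Response buffering; responses larger than the buffers spill to temp
        # files, up to 2048m each.
        proxy_buffers 32 128k;
        proxy_buffer_size 128k;
        proxy_busy_buffers_size 256k;
        proxy_max_temp_file_size 2048m;
        proxy_temp_file_write_size 128k;

        # Cache controls: these only take effect once proxy_cache is enabled,
        # which it is not anywhere in this file. Kept for that case.
        proxy_cache_bypass $http_pragma $http_authorization;
        proxy_no_cache $http_pragma $http_authorization;
        proxy_ignore_headers Cache-Control Expires;

        proxy_connect_timeout 59s;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        proxy_http_version 1.1;
        proxy_redirect off;
        # Do not reveal the backend stack to clients.
        proxy_hide_header X-Powered-By;
        # With a single server in @backend there is nothing to fail over to;
        # this list starts to matter once more servers are added. http_404 is
        # unusual here -- a legitimate 404 is retried like an outage.
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        # Set-Cookie is not in nginx's default hidden set, so this is a no-op
        # kept for clarity.
        proxy_pass_header Set-Cookie;

        # Ask the backend for uncompressed output; compression (if any) is
        # then done by nginx's gzip settings. Compressing pages that mix a
        # secret with user-controlled content over TLS is a known length
        # side channel (BREACH); keep gzip off such pages.
        proxy_set_header Accept-Encoding '';
        proxy_set_header Cookie $http_cookie;
        proxy_set_header Host $host;
        # Clear any client-supplied "Proxy" header so CGI-style backends do
        # not turn it into an HTTP_PROXY environment variable (httpoxy).
        proxy_set_header Proxy '';
        proxy_set_header Referer $http_referer;
        # Client identity and original request details for the backend.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Original-Request $request_uri;
    }
}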