-
-
Notifications
You must be signed in to change notification settings - Fork 21
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
7bf7856
commit 934ff3c
Showing
5 changed files
with
230 additions
and
168 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,222 +1,170 @@ | ||
| #### Config from https://github.com/eustasy/certbot-with-nginx | ||
| # Replace "example.com" with your domain. | ||
| # Search for [OPTION] to find options. | ||
| # Search for [WARNING] to find common warnings. | ||
| # Search for [OPTION] to find options. | ||
| # [DEFAULT] denotes a default option choice. | ||
|
|
||
|
|
||
|
|
||
| #### HTTP Redirection & Verification Block | ||
| include nginx.verify.conf; | ||
|
|
||
|
|
||
| #### On-line Verification & Redirection | ||
|
|
||
| #### HTTPS Redirection Block | ||
| server { | ||
| listen 80; | ||
| listen [::]:80; | ||
|
|
||
| #### Listen Directive | ||
| # [OPTION] HTTP2 or SPDY dependent on your Nginx version. | ||
| # [WARNING] Making an incorrect selection will result in a non-working site. | ||
|
|
||
| # Option 1. [DEFAULT] HTTP2 for Nginx >= 1.9.5 | ||
| listen 443 deferred ssl http2; | ||
| listen [::]:443 deferred ssl http2; | ||
|
|
||
| # Option 2. SPDY for Nginx < 1.9.5 | ||
| #listen 443 deferred ssl spdy; | ||
| #listen [::]:443 deferred ssl spdy; | ||
| #spdy_headers_comp 9; | ||
|
|
||
|
|
||
| #### Core Configuration | ||
| # [OPTION] Server Name | ||
| server_name example.com; | ||
| location '/.well-known/acme-challenge' { | ||
| default_type 'text/plain'; | ||
| root /tmp/certbot-with-nginx; | ||
| } | ||
|
|
||
|
|
||
| #### Logs | ||
| # [OPTION] Set access log location. | ||
| # [DEFAULT] off; | ||
| access_log off; | ||
|
|
||
| # [OPTION] Set error log location. | ||
| error_log /var/log/nginx/example.com.log notice; | ||
|
|
||
|
|
||
| #### Redirection from www.HTTPS to root.HTTPS | ||
| # [OPTION] Server Name | ||
| location / { | ||
| return 301 https://example.com$request_uri; | ||
| } | ||
| } | ||
|
|
||
|
|
||
| #### Let's Encrypt Pass-Through | ||
| include nginx.well-known.conf; | ||
|
|
||
| #### HTTPS Redirection | ||
| server { | ||
|
|
||
| #### Listen Directive | ||
| # [OPTION] | ||
| #### SSL Inclusion | ||
| include nginx.ssl.conf; | ||
|
|
||
| # spdy for Nginx < 1.9.5 | ||
| #listen 443 ssl spdy; | ||
| #listen [::]:443 ssl spdy; | ||
| #spdy_headers_comp 9; | ||
|
|
||
| # http2 for Nginx >= 1.9.5 | ||
| listen 443 ssl http2; | ||
| listen [::]:443 ssl http2; | ||
|
|
||
| server_name www.example.com; | ||
| error_log /var/log/nginx/example.com.log notice; | ||
| access_log off; | ||
| location '/.well-known/acme-challenge' { | ||
| default_type 'text/plain'; | ||
| root /tmp/certbot-with-nginx; | ||
| } | ||
| location / { | ||
| return 301 https://example.com$request_uri; | ||
| } | ||
| add_header Strict-Transport-Security "max-age=63072000"; | ||
| add_header X-Frame-Options DENY; | ||
| ssl on; | ||
| ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; | ||
| ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; | ||
| ssl_stapling on; | ||
| ssl_stapling_verify on; | ||
| ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem; | ||
| resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s; | ||
| resolver_timeout 3s; | ||
| ssl_session_cache shared:SSL:100m; | ||
| ssl_session_timeout 24h; | ||
| ssl_session_tickets on; | ||
| ssl_session_ticket_key /etc/nginx/ssl/ticket.key; | ||
| ssl_dhparam /etc/nginx/ssl/dhparam4.pem; | ||
| ssl_ecdh_curve secp384r1; | ||
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
| ssl_prefer_server_ciphers on; | ||
| ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; | ||
| } | ||
|
|
||
|
|
||
|
|
||
| #### Main Server Block | ||
| #### Main HTTPS Block | ||
| server { | ||
|
|
||
| #### Listen Directive | ||
| # [OPTION] | ||
|
|
||
| # spdy for Nginx < 1.9.5 | ||
| #listen 443 ssl spdy; | ||
| #listen [::]:443 ssl spdy; | ||
| #spdy_headers_comp 9; | ||
| # [OPTION] HTTP2 or SPDY dependent on your Nginx version. | ||
| # [WARNING] Making an incorrect selection will result in a non-working site. | ||
|
|
||
| # http2 for Nginx >= 1.9.5 | ||
| listen 443 ssl http2; | ||
| listen [::]:443 ssl http2; | ||
| # Option 1. [DEFAULT] HTTP2 for Nginx >= 1.9.5 | ||
| listen 443 deferred ssl http2; | ||
| listen [::]:443 deferred ssl http2; | ||
|
|
||
| # Option 2. SPDY for Nginx < 1.9.5 | ||
| #listen 443 deferred ssl spdy; | ||
| #listen [::]:443 deferred ssl spdy; | ||
| #spdy_headers_comp 9; | ||
|
|
||
|
|
||
| #### Primary Configuration | ||
| #### Core Configuration | ||
| # [OPTION] Server Name | ||
| server_name example.com; | ||
|
|
||
| # [OPTION] Root Path | ||
| root /path/to/example.com; | ||
|
|
||
| # [OPTION] Index Entries | ||
| index index.php index.html index.htm; | ||
| error_log /var/log/nginx/example.com.log notice; | ||
|
|
||
| # [OPTION] Automatic Indexes | ||
| autoindex off; | ||
|
|
||
|
|
||
| #### Logs | ||
| # [OPTION] Set access log location. | ||
| # [DEFAULT] off; | ||
| access_log off; | ||
|
|
||
| # [OPTION] Set error log location. | ||
| error_log /var/log/nginx/example.com.log notice; | ||
|
|
||
|
|
||
| #### Let's Encrypt Pass-Through | ||
| location '/.well-known/acme-challenge' { | ||
| default_type 'text/plain'; | ||
| root /tmp/certbot-with-nginx; | ||
| } | ||
|
|
||
|
|
||
| #### Extensionless PHP | ||
|
|
||
| #### Location Blocks | ||
| # Try static files, then extensionless PHP. | ||
| location / { | ||
| autoindex on; | ||
| try_files $uri $uri/ @extensionless-php; | ||
| } | ||
| # Cache Static Files | ||
| location ~* \.(html|css|js|png|jpg|jpeg|gif|ico|svg|eot|woff|ttf)$ { expires max; } | ||
| # Do not allow access to hidden files. | ||
| location ~ /\. { deny all; } | ||
|
|
||
| # Enable extensionless PHP | ||
| location @extensionless-php { | ||
| rewrite ^(.*)$ $1.php last; | ||
| } | ||
|
|
||
|
|
||
| #### Caching & Hidden Files | ||
|
|
||
| # Cache Static Files | ||
| location ~* \.(html|css|js|png|jpg|jpeg|gif|ico|svg|eot|woff|ttf)$ { expires max; } | ||
|
|
||
| # Do not allow access to hidden files. | ||
| location ~ /\. { deny all; } | ||
| location ~ /\_ { deny all; } | ||
|
|
||
|
|
||
| #### GZip | ||
| gzip on; | ||
| gzip_vary on; | ||
| gzip_types text/css text/javascript text/plain text/xml application/json application/x-javascript application/xml application/xml+rss | ||
|
|
||
| # [OPTION] Enable to increase compresssion slightly. Sacrifices CPU. | ||
| #gzip_comp_level 9; | ||
|
|
||
|
|
||
| #### PHP | ||
| # [OPTION] Specify PHP version for Socket. | ||
| location ~ \.php$ { | ||
| try_files $uri =404; | ||
| include /etc/nginx/fastcgi_params; | ||
| fastcgi_split_path_info ^(.+\.php)(/.+)$; | ||
| fastcgi_index index.php; | ||
| include /etc/nginx/fastcgi_params; | ||
| # PHP 5 | ||
| #fastcgi_pass unix:/var/run/php5-fpm.sock; | ||
| # PHP 7 | ||
| fastcgi_pass unix:/run/php/php7.0-fpm.sock; | ||
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | ||
| } | ||
|
|
||
| # [OPTION] Specify PHP version for Socket. | ||
|
|
||
| # Option 1. [DEFAULT] PHP 7.0 | ||
| fastcgi_pass unix:/run/php/php7.0-fpm.sock; | ||
|
|
||
| # Option 2. PHP 5 | ||
| #fastcgi_pass unix:/var/run/php5-fpm.sock; | ||
|
|
||
| } | ||
|
|
||
|
|
||
| ### GZip | ||
| gzip on; | ||
| gzip_types text/css text/javascript text/plain text/xml application/x-javascript; | ||
| # gzip_types text/css text/javascript text/plain text/xml application/json application/x-javascript application/xml application/xml+rss; | ||
| gzip_vary on; | ||
|
|
||
| #### Let's Encrypt Pass-Through | ||
| include nginx.well-known.conf; | ||
|
|
||
|
|
||
| ### Security Headers | ||
| # [WARNING] Strict-Transport-Security will stop HTTP access for specified time. | ||
| add_header Strict-Transport-Security "max-age=63072000"; | ||
| # [WARNING] X-Frame-Options DENY will break iframed sites. | ||
| add_header X-Frame-Options DENY; | ||
|
|
||
|
|
||
|
|
||
| ssl on; | ||
| ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; | ||
| ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; | ||
|
|
||
| ssl_stapling on; | ||
| ssl_stapling_verify on; | ||
| ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem; | ||
| # Google DNS, Open DNS, Dyn DNS | ||
| resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s; | ||
| resolver_timeout 3s; | ||
|
|
||
|
|
||
|
|
||
| #### Session Tickets | ||
| # [WARNING] Session Cache must be the same size in all `server` blocks. | ||
| ssl_session_cache shared:SSL:100m; | ||
| ssl_session_timeout 24h; | ||
| ssl_session_tickets on; | ||
| # [WARNING] Session Ticket Key must have been generated. | ||
| ssl_session_ticket_key /etc/nginx/ssl/ticket.key; | ||
|
|
||
| # [WARNING] Diffie-Helman Parameters must have been generated. | ||
| ssl_dhparam /etc/nginx/ssl/dhparam4.pem; | ||
|
|
||
|
|
||
|
|
||
| #### ECDH Curve | ||
| # [OPTION] [WARNING] Breaks some browsers on some settings. | ||
| ssl_ecdh_curve secp384r1; | ||
| # Slightly better with a larger generation, | ||
| # but slower and breaks some IE on mobiles. | ||
| #ssl_ecdh_curve secp521r1; | ||
|
|
||
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
| ssl_prefer_server_ciphers on; | ||
|
|
||
| #### Cipher List | ||
| # [OPTION] Pick on Cipher List from Below. | ||
| # [WARNING] Breaks some browsers on some settings. | ||
| # 1. Super-modern, probably not suitable for production, very secure. | ||
| # 2. [DEFAULT] Modern, no XP, secure. | ||
| # 3. Intermediate, no IE <= 6, less secure. | ||
|
|
||
| # Grade A (A+ with HSTS at >= 6 Months) | ||
| # 100 % Security | ||
| # Low Compatibility | ||
| # - No Android 2 | ||
| # - No Java | ||
| # - No IE < 11 | ||
| # Robust Forward Secrecy | ||
| #ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; | ||
|
|
||
| # Mozilla SSL Configuration Generator | ||
| # https://mozilla.github.io/server-side-tls/ssl-config-generator/ | ||
| # Nginx for Modern Browsers | ||
| # Grade A (A+ with HSTS at >= 6 Months) | ||
| # 90 % Security | ||
| # Medium Compatibility | ||
| # - No Java 6 (No DH parameters > 1024 bits) | ||
| # - No IE on XP | ||
| # Robust Forward Secrecy | ||
| ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; | ||
|
|
||
| # Mozilla SSL Configuration Generator | ||
| # https://mozilla.github.io/server-side-tls/ssl-config-generator/ | ||
| # Nginx for Intermediate Browsers | ||
| # Grade A- | ||
| # 90 % Security | ||
| # High Compatibility | ||
| # - No Java 6 (No DH parameters > 1024 bits) | ||
| # - No IE 6 | ||
| # Some Forward Secrecy | ||
| #ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | ||
| #### SSL Inclusion | ||
| include nginx.ssl.conf; | ||
|
|
||
| } |
Oops, something went wrong.