Created
July 23, 2018 17:51
-
-
Save blaadje/564579f2e73a43459e8ea3ab2391e153 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Redirection http vers https | |
server { | |
listen 80; | |
listen [::]:80; | |
server_name mondomaine.fr; | |
location ~ /\.well-known/acme-challenge { | |
allow all; | |
} | |
location / { | |
return 301 https://mondomaine.fr$request_uri; | |
} | |
} | |
# Notre bloc serveur | |
server { | |
# spdy pour Nginx < 1.9.5 | |
listen 443 ssl spdy; | |
listen [::]:443 ssl spdy; | |
spdy_headers_comp 9; | |
# http2 pour Nginx >= 1.9.5 | |
#listen 443 ssl http2; | |
#listen [::]:443 ssl http2; | |
server_name mondomaine.fr; | |
root /var/www/mondomaine.fr; | |
index index.html index.htm; | |
error_log /var/log/nginx/mondomaine.fr.log notice; | |
access_log off; | |
#### Locations | |
# On cache les fichiers statiques | |
location ~* \.(html|css|js|png|jpg|jpeg|gif|ico|svg|eot|woff|ttf)$ { expires max; } | |
# On interdit les dotfiles | |
location ~ /\. { deny all; } | |
#### SSL | |
ssl on; | |
ssl_certificate /etc/letsencrypt/live/mondomaine.fr/fullchain.pem; | |
ssl_certificate_key /etc/letsencrypt/live/mondomaine.fr/privkey.pem; | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
ssl_trusted_certificate /etc/letsencrypt/live/mondomaine.fr/fullchain.pem; | |
# Google DNS, Open DNS, Dyn DNS | |
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s; | |
resolver_timeout 3s; | |
#### Session Tickets | |
# Session Cache doit avoir la même valeur sur tous les blocs "server". | |
ssl_session_cache shared:SSL:100m; | |
ssl_session_timeout 24h; | |
ssl_session_tickets on; | |
# [ATTENTION] il faudra générer le ticket de session. | |
ssl_session_ticket_key /etc/nginx/ssl/ticket.key; | |
# [ATTENTION] Les paramètres Diffie-Helman doivent être générés | |
ssl_dhparam /etc/nginx/ssl/dhparam4.pem; | |
#### ECDH Curve | |
ssl_ecdh_curve secp384r1; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
ssl_prefer_server_ciphers on; | |
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment