ssllabs A+ nginx config
# Plain-HTTP catch-all: any request that does not match a named
# server{} on port 80 is dropped with nginx's special 444 status
# (connection closed, no response body).
server {
    server_name _;

    listen 80 default_server;
    listen [::]:80 default_server;

    # Nothing worth logging here; this is noise from scanners and bots.
    access_log off;
    log_not_found off;

    return 444;
}
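# TLS catch-all for requests without (or with an unknown) SNI name.
server {
    listen 443 default_server ssl http2;
    # default_server is needed on the IPv6 socket as well: without it the
    # first server{} declared for [::]:443 silently becomes the catch-all
    # and would answer non-SNI clients with the real site's certificate.
    listen [::]:443 default_server ipv6only=on ssl http2;
    #
    # nginx non-SNI request
    #
    # Just use a *valid* certificate (any) to serve on this default server
    # it won't matter the settings since it returns 444
    #
    # XYZ is a placeholder for whichever Let's Encrypt lineage is used here.
    ssl_certificate /etc/letsencrypt/live/XYZ/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XYZ/privkey.pem;
    # Trust chain used by ssl_stapling_verify (enabled in snippets/ssl.conf).
    ssl_trusted_certificate /etc/letsencrypt/live/XYZ/fullchain.pem;
    include snippets/ssl.conf;
    access_log off;
    log_not_found off;
    server_name _;
    # 444: close the connection without sending a response.
    return 444;
}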
# Port-80 virtual host for the site: serve ACME HTTP-01 challenges over
# plain HTTP and send everything else to the canonical https origin.
server {
    server_name example.com www.example.com;

    listen 80;
    listen [::]:80;

    # /.well-known/acme-challenge/ handler; must stay reachable over HTTP
    # so certificate renewals keep working.
    include /etc/nginx/snippets/letsencrypt.conf;

    location / {
        # Permanent redirect, preserving path and query string.
        return 301 https://example.com$request_uri;
    }
}
# https://www.example.com -> https://example.com canonical-host redirect.
# Served over TLS with the site's certificate so HSTS/security headers are
# still delivered on the redirect response.
server {
    server_name www.example.com;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    include snippets/headers.conf;

    # Certificate must cover www.example.com as a SAN for this host.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    include snippets/ssl.conf;

    location / {
        return 301 https://example.com$request_uri;
    }
}
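# Main https vhost for example.com: static files from `root` with a
# custom 404 handler.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/headers.conf;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    include snippets/ssl.conf;
    # Placeholder document root; replace with the real path.
    root /root/of/example_com;
    index index.html;
    server_name example.com;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
    error_page 404 @404;
    location @404 {
        # Named locations are never matched from the request line, so
        # `internal` is redundant here; kept as belt-and-braces.
        internal;
        # API-style clients get a JSON body. The original body used single
        # quotes, which is not valid JSON; double quotes are escaped for
        # nginx's quoted-string syntax. The Content-Type is whatever
        # default_type is for this server.
        if ($http_accept ~ json) {
            return 404 "{\"error\": \"Couldn't find it!\"}";
        }
        # Everyone else: re-run location matching for the static error page,
        # which `location /` then serves via try_files.
        # (A `break;` after `rewrite ... last` is unreachable and was dropped.)
        rewrite ^(.*)$ /errors/404.html last;
    }
}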
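# snippets/headers.conf -- response headers for the https vhosts.
#
# `always` (nginx >= 1.7.5) makes nginx attach these headers to every
# response, including 404s and other error pages; without it add_header
# only fires for 2xx/3xx responses, so the custom 404 handler would be
# served without X-Frame-Options, CSP or HSTS.
#
# nginx add_header is not additive across levels: a location{} that
# declares its own add_header replaces ALL of these. Re-include this
# snippet in any such location.
add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate" always;
add_header "Pragma" "no-cache" always;
add_header "Expires" "-1" always;
add_header "X-Frame-Options" "DENY" always;
add_header "X-XSS-Protection" "1; mode=block" always;
add_header "X-Content-Type-Options" "nosniff" always;
add_header "X-Download-Options" "noopen" always;
add_header "X-Permitted-Cross-Domain-Policies" "master-only" always;
#Content-Security-Policy more detailed example
#add_header Content-Security-Policy "default-src 'none'; script-src 'self' https://ajax.googleapis.com https://www.google-analytics.com https://cdnjs.cloudflare.com 'unsafe-inline'; img-src 'self' https://www.google-analytics.com; connect-src 'self'; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com 'unsafe-inline'; style-src 'self' https://fonts.googleapis.com/ 'unsafe-inline'"; | |
# The vendor-prefixed "X-Content-Security-Policy" header is obsolete and is
# not enforced by current browsers, so the policy below was effectively
# inert. The standard header name enforces it; roll it out as
# Content-Security-Policy-Report-Only first if the site has inline
# scripts or styles that `default-src 'self'` would block.
add_header "Content-Security-Policy" "default-src 'self'" always;
# One year HSTS covering subdomains. Add `preload` only once every
# subdomain is known to serve https, as preload-list inclusion is hard
# to reverse.
add_header "Strict-Transport-Security" "max-age=31536000; includeSubDomains" always;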
# snippets/letsencrypt.conf -- ACME HTTP-01 challenge responder.
# `^~` gives this prefix priority over any regex locations, so the
# challenge files are served even in a vhost that otherwise redirects
# or rewrites everything.
location ^~ /.well-known/acme-challenge/ {
    # Challenge tokens are bare text.
    default_type "text/plain";
    # Webroot the ACME client writes into; 0755 / drwxr-xr-x
    root /var/www/letsencrypt;
}
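# snippets/ssl.conf -- shared TLS settings, included by every ssl server{}.
#
# `ssl on` is deprecated since nginx 1.15.0; the `listen ... ssl`
# directives in the server blocks already enable TLS, so this line can be
# dropped once the host runs a current nginx.
ssl on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Tickets off: nginx's ticket key is static for the process lifetime,
# which undermines forward secrecy for resumed sessions.
ssl_session_tickets off;
# Single curve; clients that do not offer secp384r1 cannot negotiate an
# ECDHE suite. Consider a list (e.g. adding X25519 / prime256v1) if
# compatibility with such clients matters.
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
# OCSP stapling; verification needs ssl_trusted_certificate in the
# including server block.
ssl_stapling on;
ssl_stapling_verify on;
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and are penalised by the
# SSL Labs grade; only TLS 1.2 is offered. Add TLSv1.3 on
# nginx >= 1.13.0 built against OpenSSL 1.1.1+.
ssl_protocols TLSv1.2;
# 3DES suites removed (64-bit block, SWEET32). The RSA+* entries keep
# static-RSA key exchange for legacy clients; those suites have no
# forward secrecy and can be dropped when such clients are gone.
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
# Resolver used for the OCSP responder lookups behind ssl_stapling.
resolver 8.8.8.8 8.8.4.4 valid=86400s;
resolver_timeout 5s;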