Last active
January 9, 2020 14:22
Nginx SSL/TLS + LetsEncrypt Configuration For "A+" Qualys SSL Labs Rating
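# Plain-HTTP listener: its only job is to send clients to HTTPS.
# It is the default_server for port 80, so it answers for any Host header,
# not just the names listed below, and $host copies that header into the
# Location of the redirect. Put a fixed hostname there instead if every
# request should land on one canonical name.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name mysite.com www.mysite.com;

    # "return" issues the 301 directly, without the regex pass "rewrite" needs.
    # $request_uri already contains the query string, so nothing is appended.
    return 301 https://$host$request_uri;
}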
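# HTTPS site: TLS 1.2/1.3 only, OCSP stapling, HSTS, PHP via PHP-FPM.
# It is the default_server for port 443, so clients that send an unknown
# name (or no SNI) are also served this certificate and site.
server {
    listen 443 ssl default_server http2;
    listen [::]:443 ssl default_server http2;
    server_name mysite.com www.mysite.com;

    # Let's Encrypt material: fullchain.pem is leaf + intermediates.
    # privkey.pem should be readable only by root / the nginx master process.
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

    # Generated with:
    # openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
    # NOTE(review): -dsaparam is fast because it produces DSA-style parameters
    # rather than a safe prime. OpenSSL's documentation warns that such
    # parameters need a fresh DH key per handshake to avoid small-subgroup
    # attacks. Omit -dsaparam (slower to generate) or use an RFC 7919 ffdhe
    # group if that guarantee cannot be confirmed for the deployed OpenSSL.
    # These parameters only matter for the DH+ (DHE) suites further down.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # TLSv1.3 needs nginx built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Applies to TLS 1.2; TLS 1.3 suites are not selected by this list.
    # The trailing ECDH+AES256 and DH+AES256 terms also admit CBC-mode suites
    # as a fallback; drop them if no legacy client needs them. Inspect the
    # expanded list with: openssl ciphers -v '<this string>'
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

    # Server-side session cache shared between worker processes.
    ssl_session_cache shared:TLS:2m;
    # Session tickets are encrypted under a key nginx keeps in memory and does
    # not rotate on its own; whoever obtains it can decrypt recorded TLS 1.2
    # sessions that used a ticket. Resumption is left to the cache above.
    ssl_session_tickets off;

    # OCSP stapling. It only works while the certificate names an OCSP
    # responder; if the error log says stapling is ignored, check the current
    # certificate. If ssl_stapling_verify fails, point ssl_trusted_certificate
    # at the CA chain file.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Used to resolve the OCSP responder. Queries leave the host in plaintext
    # and nginx trusts the answers; a resolver on the local or trusted network
    # reduces the spoofing exposure.
    resolver 1.1.1.1; # 1dot1dot1dot1.cloudflare-dns.com

    # HSTS for one year. includeSubDomains + preload commits every subdomain
    # to HTTPS and is slow to undo once browsers have preloaded the domain.
    # add_header is inherited only by blocks that declare no add_header of
    # their own, so repeat this line in any location that adds headers.
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

    root /home/www;
    index index.php index.html;

    # Static files and directories; anything else is a 404.
    location / {
        try_files $uri $uri/ =404;
    }

    # Every URI ending in .php is handed to PHP-FPM.
    # NOTE(review): snippets/fastcgi-php.conf is not shown here; confirm it
    # rejects requests whose script file does not exist before they reach FPM.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

    # Block Apache leftovers such as .htaccess / .htpasswd.
    location ~ /\.ht {
        deny all;
    }

    # Serve the site root in place of the stock 401/403/404 pages.
    error_page 401 403 404 /;
}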