authorMartiMcFly2018-05-31 00:41:12 +0200
committerMartiMcFly2018-05-31 00:41:12 +0200
commitd9d145c6e74a09539f9ed6496898476214abd6f9 (patch)
tree3ccbda40dd0e24463a9a87acb8c8f268791359cc /nginx-ssl.example.conf
init
Diffstat (limited to 'nginx-ssl.example.conf')
-rw-r--r--nginx-ssl.example.conf56
1 files changed, 56 insertions, 0 deletions
diff --git a/nginx-ssl.example.conf b/nginx-ssl.example.conf
new file mode 100644
index 00000000000..aba9f0c5f26
--- /dev/null
+++ b/nginx-ssl.example.conf
@@ -0,0 +1,56 @@
+
+ server {
+ # server_name YOUR_SERVER_FQDN; ## uncomment replace this with something like www.example.com
+ listen 443;
+
+ server_tokens off; ## Don't show the nginx version number, a security best practice
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+
+ ## Strong SSL Security
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+ ##
+ ## Generate a strong SSL-Certificate and DHE parameter:
+ ## openssl genrsa -out /etc/ssl/private/kopano.key 4096
+ ## openssl req -new -sha512 -key /etc/ssl/private/kopano.key -out /tmp/kopano.csr
+ ## openssl x509 -req -days 3650 -in /tmp/kopano.csr -signkey /etc/ssl/private/kopano.key -out /etc/ssl/private/kopano.crt
+ ## openssl dhparam -out /etc/ssl/private/kopano.dh 4096
+ ## chmod go-rwx /etc/ssl/private/kopano.*;
+ ## chmod u+rw /etc/ssl/private/kopano.*
+ ## chown root:root /etc/ssl/private/kopano.*
+ ##
+ ssl on;
+ ssl_certificate_key /etc/ssl/private/kopano.key;
+ ssl_certificate /etc/ssl/private/kopano.crt;
+ ssl_dhparam /etc/ssl/private/kopano.dh;
+
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ## The recommended cipher suite for backwards compatibility (IE6/WinXP):
+ ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+
+ ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+ ## Replace with your ssl_trusted_certificate. For more info see:
+ ## - https://medium.com/devops-programming/4445f4862461
+ ## - https://www.ruby-forum.com/topic/4419319
+ ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+ ## - https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html
+ ## - http://freiburg79.de/ocsp-stapling-mit-nginx/
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # ssl_stapling_file /etc/ssl/private/de-autorisation-m.ocsp;
+ # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
+ # resolver_timeout 5s;
+
+ # HIDDEN FILES AND FOLDERS
+ rewrite ^(.*)\/\.(.*)$ @404 break;
+
+ location = @404 {
+ return 404;
+ }
+
+ include ${PATH_TO_ATTACHED_LOCATION_FILE};
+ } \ No newline at end of file
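Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which contradicts the "Strong SSL Security" heading above it, and the AES256+EECDH/EDH-only cipher list gives those old protocols no useful client anyway, so `ssl_protocols TLSv1.2;` (with `TLSv1.3` appended once the nginx/OpenSSL build supports it) would be consistent with the rest of the block. The comment "The recommended cipher suite for backwards compatibility (IE6/WinXP)" is likewise misleading, since that cipher string excludes everything such clients could negotiate; it should say the list is intentionally modern-only. Separately, `listen 443;` combined with `ssl on;` is the legacy form, and `listen 443 ssl;` is the documented replacement that lets `ssl on;` be dropped. The hidden-file handling via `rewrite ^(.*)\/\.(.*)$ @404 break;` plus `location = @404` works by rewriting the URI to the literal string `@404` and exact-matching it, which reads like a named location but is not one; `location ~ /\. { return 404; }` states the intent directly.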