author | Martina Pietruschka | 2015-06-08 22:25:47 +0000 |
---|---|---|
committer | Martina Pietruschka | 2015-06-08 22:25:47 +0000 |
commit | 1b7a6d1c62b7c1ac40f27fbb2f36d9d24fb09059 (patch) | |
tree | e89162de9770c6d4e07b7ea807594a5d5f02c2b1 /nginx-ssl.example.conf | |
download | aur-1b7a6d1c62b7c1ac40f27fbb2f36d9d24fb09059.tar.gz |
Initial import
Diffstat (limited to 'nginx-ssl.example.conf')
-rw-r--r-- | nginx-ssl.example.conf | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/nginx-ssl.example.conf b/nginx-ssl.example.conf
new file mode 100644
index 00000000000..a37c2447634
--- /dev/null
+++ b/nginx-ssl.example.conf
@@ -0,0 +1,56 @@
+
+ server {
+ # server_name YOUR_SERVER_FQDN; ## uncomment replace this with something like www.example.com
+ listen 443;
+
+ server_tokens off; ## Don't show the nginx version number, a security best practice
+ root /var/lib/nginx/http
+
+ ## Strong SSL Security
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+ ##
+ ## Generate a strong SSL-Certificate and DHE parameter:
+ ## openssl genrsa -out /etc/ssl/private/zarafa.key 4096
+ ## openssl req -new -sha512 -key /etc/ssl/private/zarafa.key -out /tmp/zarafa.csr
+ ## openssl x509 -req -days 3650 -in /tmp/zarafa.csr -signkey /etc/ssl/private/zarafa.key -out /etc/ssl/private/zarafa.crt
+ ## openssl dhparam -out /etc/ssl/private/zarafa.dh 4096
+ ## chmod go-rwx /etc/ssl/private/zarafa.*;
+ ## chmod u+rw /etc/ssl/private/zarafa.*
+ ## chown root:root /etc/ssl/private/zarafa.*
+ ##
+ ssl on;
+ ssl_certificate_key /etc/ssl/private/zarafa.key;
+ ssl_certificate /etc/ssl/private/zarafa.crt;
+ ssl_dhparam /etc/ssl/private/zarafa.dh;
+
+ ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ ## The recommended cipher suite for backwards compatibility (IE6/WinXP):
+ ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+
+ ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+ ## Replace with your ssl_trusted_certificate. For more info see:
+ ## - https://medium.com/devops-programming/4445f4862461
+ ## - https://www.ruby-forum.com/topic/4419319
+ ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+ ## - https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html
+ ## - http://freiburg79.de/ocsp-stapling-mit-nginx/
+ # ssl_stapling on;
+ # ssl_stapling_verify on;
+ # ssl_stapling_file /etc/ssl/private/de-autorisation-m.ocsp;
+ # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
+ # resolver_timeout 5s;
+
+ # HIDDEN FILES AND FOLDERS
+ rewrite ^(.*)\/\.(.*)$ @404 break;
+
+ location = @404 {
+ return 404;
+ }
+
+ include ${PATH_TO_ATTACHED_LOCATION_FILE};
+ include ${PATH_TO_ANOTHER_LOCATION_FILE};
+ }
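Review bot: `root /var/lib/nginx/http` has no terminating semicolon, and nginx reads directive arguments up to the next `;` (comments are skipped), so the following `ssl on;` is folded into the `root` directive and `nginx -t` rejects the file; it should read `root /var/lib/nginx/http;`. The dotfile guard near the end of the hunk does not do what its comment says either: `rewrite` cannot jump to a named location (only `try_files`/`error_page` can) and `location = @404` is an exact match on the literal URI `@404` rather than a named location, so with `break` the request simply continues with URI `@404` in the current location and, as far as I can tell, returns 404 only because no such file exists under the root; the reliable form is `location ~ /\. { return 404; }` in place of both the `rewrite` line and the `@404` block. The comment above `ssl_ciphers` claiming backwards compatibility with IE6/WinXP is misleading, since `AES256+EECDH:AES256+EDH` admits only ECDHE/DHE key exchange, which those clients to my knowledge do not negotiate; it should instead say `## ECDHE/DHE-only AES-256 suites: forward secrecy, no RSA key exchange, so legacy clients (IE6/WinXP) will not connect`. Finally, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled, which deserves a comment such as `## TLSv1/TLSv1.1 kept only for legacy clients; drop them when not needed` so the next maintainer knows the trade-off is deliberate.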
\ No newline at end of file |