server { # server_name YOUR_SERVER_FQDN; ## uncomment replace this with something like www.example.com listen 443; server_tokens off; ## Don't show the nginx version number, a security best practice root /usr/share/nginx/html; index index.html index.htm; ## Strong SSL Security ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/ ## ## Generate a strong SSL-Certificate and DHE parameter: ## openssl genrsa -out /etc/ssl/private/kopano.key 4096 ## openssl req -new -sha512 -key /etc/ssl/private/kopano.key -out /tmp/kopano.csr ## openssl x509 -req -days 3650 -in /tmp/kopano.csr -signkey /etc/ssl/private/kopano.key -out /etc/ssl/private/kopano.crt ## openssl dhparam -out /etc/ssl/private/kopano.dh 4096 ## chmod go-rwx /etc/ssl/private/kopano.*; ## chmod u+rw /etc/ssl/private/kopano.* ## chown root:root /etc/ssl/private/kopano.* ## ssl on; ssl_certificate_key /etc/ssl/private/kopano.key; ssl_certificate /etc/ssl/private/kopano.crt; ssl_dhparam /etc/ssl/private/kopano.dh; ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ## The recommended cipher suite for backwards compatibility (IE6/WinXP): ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL'; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; ssl_session_timeout 5m; ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. ## Replace with your ssl_trusted_certificate. For more info see: ## - https://medium.com/devops-programming/4445f4862461 ## - https://www.ruby-forum.com/topic/4419319 ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx ## - https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html ## - http://freiburg79.de/ocsp-stapling-mit-nginx/ # ssl_stapling on; # ssl_stapling_verify on; # ssl_stapling_file /etc/ssl/private/de-autorisation-m.ocsp; # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired # resolver_timeout 5s; # HIDDEN FILES AND FOLDERS rewrite ^(.*)\/\.(.*)$ @404 break; location = @404 { return 404; } include ${PATH_TO_ATTACHED_LOCATION_FILE}; }