.nginx.conf 3.22 KB
Newer Older
dengxiaofeng's avatar
dengxiaofeng committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
##
# Put this file in /etc/nginx/conf.d folder and make sure
# you have a line 'include /etc/nginx/conf.d/*.conf;'
# in your main nginx configuration file
##

##
# Redirect to the same URL with https://
##

server {

  listen 80;

# Type your domain name below
  server_name example.com;
17
  gzip on;
dengxiaofeng's avatar
dengxiaofeng committed
18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112
  return 301 https://$server_name$request_uri;

}

##
# HTTPS configurations
##

server {

  listen 443 ssl;

# Type your domain name below
  server_name example.com;

# Configure the Certificate and Key you got from your CA (e.g. Lets Encrypt)
  ssl_certificate     /path/to/certificate.crt;
  ssl_certificate_key /path/to/server.key;

  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;

# Only use TLS v1.2 as Transport Security Protocol
  ssl_protocols TLSv1.2;

# Only use ciphersuites that are considered modern and secure by Mozilla
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

# Do not let attackers downgrade the ciphersuites in Client Hello
# Always use server-side offered ciphersuites
  ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  add_header Strict-Transport-Security max-age=15768000;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# Uncomment if you want to use your own Diffie-Hellman parameter, which can be generated with: openssl ecparam -genkey -out dhparam.pem -name prime256v1
# See https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam
# ssl_dhparam /path/to/dhparam.pem;


## OCSP Configuration START
# If you want to provide OCSP Stapling, you can uncomment the following lines
# See https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx for more infos about OCSP and its use case
# fetch OCSP records from URL in ssl_certificate and cache them

#ssl_stapling on;
#ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs (you will get this file from your CA)
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

## OCSP Configuration END

# To let nginx use its own DNS Resolver
# resolver <IP DNS resolver>;


# Always serve index.html for any request
  location / {
    # Set path
    root /var/www/;
    try_files $uri /index.html;
  }

# Do not cache sw.js, required for offline-first updates.
  location /sw.js {
      add_header Cache-Control "no-cache";
      proxy_cache_bypass $http_pragma;
      proxy_cache_revalidate on;
      expires off;
      access_log off;
  }

##
# If you want to use Node/Rails/etc. API server
# on the same port (443) config Nginx as a reverse proxy.
# For security reasons use a firewall like ufw in Ubuntu
# and deny port 3000/tcp.
##

# location /api/ {
#
#   proxy_pass http://localhost:3000;
#   proxy_http_version 1.1;
#   proxy_set_header X-Forwarded-Proto https;
#   proxy_set_header Upgrade $http_upgrade;
#   proxy_set_header Connection 'upgrade';
#   proxy_set_header Host $host;
#   proxy_cache_bypass $http_upgrade;
#
# }

}