## # Put this file in /etc/nginx/conf.d folder and make sure # you have a line 'include /etc/nginx/conf.d/*.conf;' # in your main nginx configuration file ## ## # Redirect to the same URL with https:// ## server { listen 80; # Type your domain name below server_name example.com; return 301 https://$server_name$request_uri; } ## # HTTPS configurations ## server { listen 443 ssl; # Type your domain name below server_name example.com; # Configure the Certificate and Key you got from your CA (e.g. Lets Encrypt) ssl_certificate /path/to/certificate.crt; ssl_certificate_key /path/to/server.key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Only use TLS v1.2 as Transport Security Protocol ssl_protocols TLSv1.2; # Only use ciphersuites that are considered modern and secure by Mozilla ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; # Do not let attackers downgrade the ciphersuites in Client Hello # Always use server-side offered ciphersuites ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits # Uncomment if you want to use your own Diffie-Hellman parameter, which can be generated with: openssl ecparam -genkey -out dhparam.pem -name prime256v1 # See https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam # ssl_dhparam /path/to/dhparam.pem; ## OCSP Configuration START # If you want to provide OCSP Stapling, you can uncomment the following lines # See https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx for more infos about OCSP and its use case # fetch OCSP records from URL in ssl_certificate and cache them #ssl_stapling on; #ssl_stapling_verify on; # verify chain of trust of OCSP response using Root CA and Intermediate certs (you will get this file from your CA) #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; ## OCSP Configuration END # To let nginx use its own DNS Resolver # resolver <IP DNS resolver>; # Always serve index.html for any request location / { # Set path root /var/www/; try_files $uri /index.html; } # Do not cache sw.js, required for offline-first updates. location /sw.js { add_header Cache-Control "no-cache"; proxy_cache_bypass $http_pragma; proxy_cache_revalidate on; expires off; access_log off; } ## # If you want to use Node/Rails/etc. API server # on the same port (443) config Nginx as a reverse proxy. # For security reasons use a firewall like ufw in Ubuntu # and deny port 3000/tcp. ## # location /api/ { # # proxy_pass http://localhost:3000; # proxy_http_version 1.1; # proxy_set_header X-Forwarded-Proto https; # proxy_set_header Upgrade $http_upgrade; # proxy_set_header Connection 'upgrade'; # proxy_set_header Host $host; # proxy_cache_bypass $http_upgrade; # # } }