    Nginx conf for solid SSL/TLS
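  # Thin serving Rails.
upstream app_server {
    server 127.0.0.1:3050 fail_timeout=0;
}

# SSL/TLS certificates.
# Key generation: 'openssl genrsa -out server.key 4096' (or an ECDSA key via
# 'openssl ecparam -genkey -name prime256v1 -out server.key'). The original advice
# used '-des3', which passphrase-encrypts the key: nginx then needs the passphrase at
# every (re)start, interactively or via ssl_password_file. Keep the file root:root 0600.
ssl_certificate_key /var/app/deploy/www.thisisatest.com.key;
# Leaf certificate followed by the intermediate(s). The bare-domain 443 server below
# reuses this certificate, so it must carry thisisatest.com as a SAN as well.
ssl_certificate /var/app/deploy/www.thisisatest.com.chained.crt;

# TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail current compliance scans; only
# very old clients need them. TLS 1.3 requires nginx >= 1.13.0 built against
# OpenSSL >= 1.1.1 - drop it from this list on an older build.
ssl_protocols TLSv1.2 TLSv1.3;

# Session caching/resumption. Session tickets are turned off: nginx's built-in ticket
# key is static for the life of the worker and not rotated, so anyone who later obtains
# it can decrypt recorded sessions, which defeats forward secrecy. Re-enable only with
# ssl_session_ticket_key files that are rotated.
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# Forward-secret AEAD suites only. The original list also offered static-RSA key
# exchange (no forward secrecy) and 3DES (64-bit block cipher, SWEET32 /
# CVE-2016-2183). Clients that cannot do ECDHE with AES-GCM or ChaCha20
# (e.g. IE on Windows XP, Java 6) will no longer connect. Re-check the result on the
# Qualys SSL Labs test after changing this line.
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:!aNULL:!MD5:!3DES;

# Only consulted by DHE suites, which the cipher list above no longer offers; kept so
# that re-adding DHE later does not fall back to a weak default group.
# Generate with: 'openssl dhparam -out dhparams.pem 4096' (slow; 2048 is acceptable).
ssl_dhparam /var/app/deploy/dhparams.pem;

# OCSP stapling. ssl_stapling_verify validates the stapled response against
# ssl_trusted_certificate, so that file must contain the issuing chain
# (root and intermediates) of the server certificate.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /var/app/deploy/ca-certs.pem;
# Needed to look up the OCSP responder. This is plain, unauthenticated DNS to a third
# party; prefer a local or internal resolver where one exists. valid= bounds how long
# nginx caches the answer regardless of the record TTL.
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 5s;

# HTTP bare domain redirect.
server {
    server_name thisisatest.com;
    listen 80;
    return 301 https://www.$server_name$request_uri;
}

# HTTP www redirect.
server {
    server_name www.thisisatest.com;
    listen 80;
    return 301 https://$server_name$request_uri;
}

# HTTPS bare domain redirect. Served with the http-level certificate (see SAN note
# above). HSTS is sent on the redirect itself so the bare domain is pinned to HTTPS too;
# 'always' (nginx >= 1.7.5) also covers non-2xx/3xx responses.
server {
    server_name thisisatest.com;
    listen 443 ssl;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
    return 301 https://www.$server_name$request_uri;
}

server {
    server_name www.thisisatest.com;
    # default_server: requests with an unknown SNI name or none at all land here.
    listen 443 ssl default_server deferred;
    # 4G is very permissive; lower it unless the app genuinely accepts uploads that size.
    client_max_body_size 4G;
    keepalive_timeout 40;
    root /var/app/public;
    error_page 500 502 503 504 /500.html;

    # Security headers. Without 'always' nginx adds them only to 2xx/3xx responses, so
    # the /500.html page above would be served without HSTS or framing protection.
    # Note that add_header does not merge: any add_header inside a location block
    # replaces this whole set, so keep them here or repeat all of them there.
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # HPKP removed: current browsers no longer honour Public-Key-Pins, and a pin that
    # does not match the deployed chain locks every returning client out for max-age
    # (here 60 days). Use CAA DNS records and Certificate Transparency monitoring
    # instead. Original line kept for reference:
    # add_header Public-Key-Pins 'pin-sha256="lduqX5oR7l7lHvsyLuIVac5iqZmXOLnxWA3osdAhz64="; max-age=5184000; includeSubdomains';

    # Rails page caching setup (and other statics).
    location / {
        try_files /cache$uri.html $uri.html $uri @app;
    }

    # Serve from Rails.
    location @app {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        # Rack/Rails derive request.ssl? (and with it secure-cookie and force_ssl
        # behaviour) from this header; without it the app behind the TLS terminator
        # believes it was reached over plain HTTP.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://app_server;
    }
}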