

@nrollr
Last active October 5, 2025 07:59

Revisions

  1. nrollr revised this gist Feb 17, 2019. 1 changed file with 6 additions and 6 deletions.
    12 changes: 6 additions & 6 deletions nginx.conf
    @@ -1,4 +1,4 @@
    # UPDATED 30 January 2019
    # UPDATED 17 February 2019
    # Redirect all HTTP traffic to HTTPS
    server {
    listen 80;
    @@ -22,24 +22,24 @@ server {
    # Enable server-side protection against BEAST attacks
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

    # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
    ssl_dhparam /etc/ssl/ffdhe4096.pem;
    ssl_ecdh_curve secp384r1;
    ssl_ecdh_curve secp521r1:secp384r1;

    # Aditional Security Headers
    # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    add_header X-Frame-Options DENY;
    add_header X-Frame-Options DENY always;

    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
    add_header X-Content-Type-Options nosniff;
    add_header X-Content-Type-Options nosniff always;

    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
    add_header X-Xss-Protection "1; mode=block";
    add_header X-Xss-Protection "1; mode=block" always;

    # Enable OCSP stapling
    # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
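Review bot: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";` is the one security header this revision leaves without the `always` flag, so unlike X-Frame-Options, X-Content-Type-Options and X-Xss-Protection it is still dropped from 4xx/5xx responses; change it to `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. Assuming the quoted `ECDHE-…` string is the added side of the `ssl_ciphers` change, its last two suites `ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384` are CBC rather than AEAD; check whether any client you serve still needs them, otherwise trim the list to the GCM and CHACHA20-POLY1305 entries. The heading `# Enable server-side protection against BEAST attacks` is stale above a TLSv1.2-only block (BEAST concerns TLS 1.0 CBC) and would read better as `# TLS protocol and cipher selection`. The enclosing `server` block starts and ends outside the hunk.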
  2. nrollr revised this gist Jan 30, 2019. 1 changed file with 27 additions and 20 deletions.
    47 changes: 27 additions & 20 deletions nginx.conf
    @@ -1,45 +1,52 @@
    # Advanced config for NGINX
    server_tokens off;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;

    # UPDATED 30 January 2019
    # Redirect all HTTP traffic to HTTPS
    server {
    listen 80;
    server_name www.domain.com domain.com;
    return 301 https://$host$request_uri;
    listen [::]:80;
    server_name www.domain.com domain.com;
    return 301 https://$host$request_uri;
    }

    # SSL configuration
    server {
    listen 443 ssl default deferred;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.domain.com domain.com;
    ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_session_timeout 10m;

    # Enable server-side protection against BEAST attacks
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

    # Disable SSLv3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
    ssl_dhparam /etc/ssl/ffdhe4096.pem;
    ssl_ecdh_curve secp384r1;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Aditional Security Headers
    # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    add_header X-Frame-Options DENY;

    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
    add_header X-Content-Type-Options nosniff;

    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
    add_header X-Xss-Protection "1; mode=block";

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    # Enable OCSP stapling
    # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
    resolver_timeout 5s;

    # Required for LE certificate enrollment using certbot
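Review bot: Session resumption is tuned here (`ssl_session_cache shared:SSL:10m;`, `ssl_session_timeout 10m;`) but session tickets are left at nginx's default of on with no `ssl_session_ticket_key`, so the ticket key lives in memory until the next restart and a compromise of it exposes every resumed session it protected; add `ssl_session_tickets off;` next to the cache directives. `ssl_trusted_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;` backs `ssl_stapling_verify on;`, yet certbot's fullchain.pem holds the leaf and intermediate while the nginx docs list the root as required for OCSP response verification; confirm with `openssl s_client -status` that a stapled response is actually returned, or point the directive at a bundle that includes the root. The OCSP fetches also resolve through a public resolver over plain DNS (the new `resolver 1.1.1.1 …` line); a local caching resolver keeps those lookups off the network path. The `server` block continues past the hunk.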
  3. nrollr revised this gist Oct 19, 2016. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions nginx.conf
    @@ -45,9 +45,9 @@ server {
    # Required for LE certificate enrollment using certbot
    location '/.well-known/acme-challenge' {
    default_type "text/plain";
    root /var/www;
    root /var/www/html;
    }
    location / {
    root /var/www;
    root /var/www/html;
    }
    }
  4. nrollr revised this gist Oct 19, 2016. 1 changed file with 34 additions and 33 deletions.
    67 changes: 34 additions & 33 deletions nginx.conf
    @@ -4,49 +4,50 @@
    add_header X-Content-Type-Options nosniff;

    # Redirect all HTTP traffic to HTTPS
    server {
    listen 80;
    server_name www.domain.com domain.com;
    return 301 https://$host$request_uri;
    }
    server {
    listen 80;
    server_name www.domain.com domain.com;
    return 301 https://$host$request_uri;
    }

    # SSL configuration
    server {
    listen 443 ssl default deferred;
    server_name www.domain.com domain.com;
    ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    server {
    listen 443 ssl default deferred;
    server_name www.domain.com domain.com;
    ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Enable server-side protection against BEAST attacks
    ssl_prefer_server_ciphers on;
    # Enable server-side protection against BEAST attacks
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    # Disable SSLv3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Disable SSLv3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Required for LE certificate enrollment using certbot
    location '/.well-known/acme-challenge' {
    default_type "text/plain";
    root /var/www;
    }
    location / {
    root /var/www;
    }
    # Required for LE certificate enrollment using certbot
    location '/.well-known/acme-challenge' {
    default_type "text/plain";
    root /var/www;
    }
    location / {
    root /var/www;
    }
    }
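Review bot: The line that appears only once in this section and so seems to be the single net addition, `ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;`, keeps `DH+3DES` in the list; 3DES's 64-bit block size is the weakness behind Sweet32, and with `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` still in force CBC suites under TLS 1.0 remain negotiable. Drop it, `ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;`, or append `!3DES`. The remaining paired lines look like re-indentation only.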
  5. nrollr created this gist Oct 15, 2016.
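--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,52 @@
+# Advanced config for NGINX
+server_tokens off;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options nosniff;
+
+# Redirect all HTTP traffic to HTTPS
+server {
+listen 80;
+server_name www.domain.com domain.com;
+return 301 https://$host$request_uri;
+}
+
+# SSL configuration
+server {
+listen 443 ssl default deferred;
+server_name www.domain.com domain.com;
+ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
+
+# Improve HTTPS performance with session resumption
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 5m;
+
+# Enable server-side protection against BEAST attacks
+ssl_prefer_server_ciphers on;
+
+# Disable SSLv3
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+# Diffie-Hellman parameter for DHE ciphersuites
+# $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+# Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+
+# Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+
+# Required for LE certificate enrollment using certbot
+location '/.well-known/acme-challenge' {
+default_type "text/plain";
+root /var/www;
+}
+location / {
+root /var/www;
+}
+}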
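Review bot: The two top-level lines `add_header X-XSS-Protection "1; mode=block";` and `add_header X-Content-Type-Options nosniff;` never reach responses from the TLS server block, because nginx inherits `add_header` from the enclosing level only when the current level defines none, and that block sets `add_header Strict-Transport-Security …` itself. As written, only the port-80 redirect server emits them. Move the two directives into the `listen 443` server block beside the HSTS header (or repeat them there), and consider the `always` parameter so they are also sent on error responses.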