richpeck · June 7, 2017 12:35 · Feb 17, 2017 · Feb 17, 2017 · Feb 17, 2017 · Feb 17, 2017
diff --git a/site1.com b/site1.com
@@ -23,7 +23,7 @@ server {
   listen [::]:443;
 
   ## Details ##
-  server_name site1.com;
+  server_name site1.com 13.12.11.10 [[ip_address]];
 
   ## SSL ##
   include /app/ssl/ssl.conf;

diff --git a/site1.com b/site1.com
@@ -39,6 +39,7 @@ server {
 ###################
 
 ## HTTPS ##
+## Only assign default to the virtual server you want No-SNI browsers to access ##
 server {
   listen 443 default;
   listen [::]:443 default;

diff --git a/site2.com b/site2.com
@@ -40,8 +40,8 @@ server {
 
 ## HTTPS ##
 server {
-  listen 443 default;
-  listen [::]:443 default;
+  listen 443;
+  listen [::]:443;
 
   ## Details ##
   ## Only accept WWW ##

diff --git a/site1.com b/site1.com
@@ -27,6 +27,10 @@ server {
 
   ## SSL ##
   include /app/ssl/ssl.conf;
+
+  ## Certs ##
+  ssl_certificate /var/ssl/site1/cert_chain.crt;
+  ssl_certificate_key /var/ssl/site1/site1.com.key;
 
   ## Action ##
   return 301 https://www.$host$request_uri;
@@ -49,6 +53,10 @@ server {
 
   ## SSL ##
   include /app/ssl/ssl.conf;
+
+  ## Certs ##
+  ssl_certificate /var/ssl/site1/cert_chain.crt;
+  ssl_certificate_key /var/ssl/site1/site1.com.key;
 
   ## Options ##
   location = /favicon.ico {

diff --git a/site2.com b/site2.com
@@ -27,6 +27,10 @@ server {
 
   ## SSL ##
   include /app/ssl/ssl.conf;
+
+  ## Certs ##
+  ssl_certificate /var/ssl/site2/cert_chain.crt;
+  ssl_certificate_key /var/ssl/site2/site2.com.key;
 
   ## Action ##
   return 301 https://www.$host$request_uri;
@@ -48,7 +52,11 @@ server {
   root /var/www/site2.com;
 
   ## SSL ##
-  include /app/ssl/ssl.conf;
+  include /var/ssl/ssl.conf;
+
+  ## Certs ##
+  ssl_certificate /var/ssl/site2/cert_chain.crt;
+  ssl_certificate_key /var/ssl/site2/site2.com.key;
 
   ## Options ##
   location = /favicon.ico {

diff --git a/ssl.conf b/ssl.conf
@@ -0,0 +1,33 @@
+# /var/ssl/ssl.conf
+## Used in multiple SSL server blocks ##
+###################################################
+
+# enable session resumption to improve https performance
+# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 5m;
+
+# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ssl_dhparam /etc/nginx/cert/dhparam.pem;
+
+# enables server-side protection from BEAST attacks
+# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
+ssl_prefer_server_ciphers on;
+
+# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+# ciphers chosen for forward secrecy and compatibility
+# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
+ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
+# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
+resolver 8.8.8.8;
+ssl_stapling on;
+
+# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+
+###################################################
diff --git a/Files b/Files
@@ -1 +0,0 @@
-# This is where it goes

diff --git a/default b/default
@@ -0,0 +1,55 @@
+# /etc/nginx/sites-enabled/default
+
+##########################################
+##########################################
+
+##        General Server Setup          ##
+
+##########################################
+##########################################
+
+## General ##
+## Ref: https://gist.github.com/plentz/6737338 ##
+
+# don't send the nginx version number in error pages and Server header
+server_tokens off;
+
+# config to don't allow the browser to render the page inside an frame or iframe
+# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
+# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
+# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
+add_header X-Frame-Options SAMEORIGIN;
+
+# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
+# to disable content-type sniffing on some browsers.
+# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
+# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
+# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
+add_header X-Content-Type-Options nosniff;
+
+# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
+# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
+# this particular website if it was disabled by the user.
+# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+add_header X-XSS-Protection "1; mode=block";
+
+# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
+# you can tell the browser that it can only download content from the domains you explicitly allow
+# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
+# https://www.owasp.org/index.php/Content_Security_Policy
+# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
+# directives for css and js(if you have inline css or js, you will need to keep it too).
+# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
+
+# remove headers
+more_clear_headers Server X-Powered-By X-Runtime;
+
+##########################################
+##########################################
+
+## Individual sites in respective files ##
+
+##########################################
+##########################################
diff --git a/site1.com b/site1.com
@@ -0,0 +1,62 @@
+# /etc/nginx/sites-enabled/site1.com
+
+##########################################
+##########################################
+
+##    Server Setup For Site1.com        ##
+
+##########################################
+##########################################
+
+## Server options stored in nginx.conf  ##
+
+##########################################
+##########################################
+
+## Apex to SSL::WWW ##
+## Redirects from site1.com -> https://www.site1.com (not necessary if you don't mind having multi access) ##
+server {
+  listen 80;
+  listen [::]:80;
+
+  listen 443;
+  listen [::]:443;
+
+  ## Details ##
+  server_name site1.com;
+
+  ## SSL ##
+  include /app/ssl/ssl.conf;
+
+  ## Action ##
+  return 301 https://www.$host$request_uri;
+}
+
+###################
+
+## HTTPS ##
+server {
+  listen 443 default;
+  listen [::]:443 default;
+
+  ## Details ##
+  ## Only accept WWW ##
+  server_name www.site1.com;
+
+  ## Root ##
+  ## You can put index.html in the below folder ##
+  root /var/www/site1.com;
+
+  ## SSL ##
+  include /app/ssl/ssl.conf;
+
+  ## Options ##
+  location = /favicon.ico {
+    access_log     off;
+    log_not_found  off;
+  }
+
+}
+
+##########################################
+##########################################
diff --git a/site2.com b/site2.com
@@ -0,0 +1,62 @@
+# /etc/nginx/sites-enabled/site2.com
+
+##########################################
+##########################################
+
+##    Server Setup For Site2.com        ##
+
+##########################################
+##########################################
+
+## Server options stored in nginx.conf  ##
+
+##########################################
+##########################################
+
+## Apex to SSL::WWW ##
+## Redirects from site2.com -> https://www.site1.com (not necessary if you don't mind having multi access) ##
+server {
+  listen 80;
+  listen [::]:80;
+
+  listen 443;
+  listen [::]:443;
+
+  ## Details ##
+  server_name site2.com;
+
+  ## SSL ##
+  include /app/ssl/ssl.conf;
+
+  ## Action ##
+  return 301 https://www.$host$request_uri;
+}
+
+###################
+
+## HTTPS ##
+server {
+  listen 443 default;
+  listen [::]:443 default;
+
+  ## Details ##
+  ## Only accept WWW ##
+  server_name www.site1.com;
+
+  ## Root ##
+  ## You can put index.html in the below folder ##
+  root /var/www/site2.com;
+
+  ## SSL ##
+  include /app/ssl/ssl.conf;
+
+  ## Options ##
+  location = /favicon.ico {
+    access_log     off;
+    log_not_found  off;
+  }
+
+}
+
+##########################################
+##########################################
diff --git a/Files b/Files
@@ -0,0 +1 @@
+# This is where it goes
No results found