@stevenringo
Forked from daveslutzkin/nginx.conf
Created March 1, 2016 21:10
Revisions

  1. Dave Slutzkin revised this gist Jul 22, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx.conf
    @@ -12,7 +12,7 @@ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # SSL/TLS session caching/resumption
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 5m;
    ssl_session_timeout 1d;

    # Cipher list checks out well on the Qualys test
    ssl_prefer_server_ciphers on;
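Review bot: Raising `ssl_session_timeout` from 5m to 1d means the session secrets held in the `shared:SSL:20m` cache stay recoverable from the host for a full day, and since nothing shown sets `ssl_session_tickets off`, the default ticket mechanism (whose key, as far as this config goes, is not rotated) extends the same window to ticket-based resumption; a host compromise in that window undoes forward secrecy for every resumed session. If the longer timeout is wanted for handshake savings, pair it with `ssl_session_tickets off;` or a rotated `ssl_session_ticket_key`, and record the trade-off in the comment, e.g. `# 1d resumption window: session secrets live on this host that long`. The context these directives sit in starts outside the hunk.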
  2. Dave Slutzkin revised this gist Jul 22, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx.conf
    @@ -8,7 +8,7 @@ ssl_certificate_key /var/app/deploy/www.thisisatest.com.key;
    ssl_certificate /var/app/deploy/www.thisisatest.com.chained.crt;

    # Ideally we'd have only TLSv1.2, but that compromises client support significantly
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # SSL/TLS session caching/resumption
    ssl_session_cache shared:SSL:20m;
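Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` re-admits TLS 1.0, which RFC 8996 deprecates and which PCI DSS cut off for card-handling sites in 2018, while the comment above it still only says client support "compromises significantly" without naming the clients. If a measured client population genuinely needs it, say so in the comment so the line can be revisited, e.g. `# TLSv1 kept for <client/percentage as of 2015-07>; drop once below threshold`; otherwise `ssl_protocols TLSv1.2;` is the line to ship. A client limited to TLS 1.0 cannot negotiate the AEAD suites anyway, so keeping it only helps while CBC suites remain in `ssl_ciphers`.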
  3. Dave Slutzkin revised this gist Jul 22, 2015. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion nginx.conf
    @@ -8,7 +8,7 @@ ssl_certificate_key /var/app/deploy/www.thisisatest.com.key;
    ssl_certificate /var/app/deploy/www.thisisatest.com.chained.crt;

    # Ideally we'd have only TLSv1.2, but that compromises client support significantly
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.1 TLSv1.2;

    # SSL/TLS session caching/resumption
    ssl_session_cache shared:SSL:20m;
    @@ -26,6 +26,7 @@ ssl_stapling on;
    ssl_stapling_verify on;
    # This contains the root and intermediate certificates from the CA.
    ssl_trusted_certificate /var/app/deploy/ca-certs.pem;
    resolver 8.8.4.4 8.8.8.8;

    # HTTP bare domain redirect.
    server {
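Review bot: `resolver 8.8.4.4 8.8.8.8;` sends the OCSP responder lookups that `ssl_stapling` needs over plain UDP DNS to an external provider, so stapling now depends on that provider being reachable and the lookups leave the box unencrypted; the signed OCSP response itself is still checked by `ssl_stapling_verify on` against `ssl_trusted_certificate`, so a spoofed DNS answer costs a failed staple (clients fall back to their own revocation check), not a forged status. A local caching resolver (`resolver 127.0.0.1;`) with an explicit `valid=` keeps that dependency inside the host; whichever is used, a comment such as `# used only for OCSP stapling lookups; responses are verified against ca-certs.pem` records why the choice is acceptable. Dropping TLSv1 in the first hunk is the right move. The context these directives live in starts outside the hunk.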
  4. Dave Slutzkin revised this gist Jul 22, 2015. 1 changed file with 4 additions and 0 deletions.
    4 changes: 4 additions & 0 deletions nginx.conf
    @@ -44,6 +44,7 @@ server {
    server_name thisisatest.com;
    listen 443 ssl;
    return 301 $scheme://www.$server_name$request_uri;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains';
    }

    server {
    @@ -64,6 +65,9 @@ server {
    # SSL/TLS Public Key Pinning (HPKP)
    add_header Public-Key-Pins 'pin-sha256="lduqX5oR7l7lHvsyLuIVac5iqZmXOLnxWA3osdAhz64="; max-age=5184000; includeSubdomains';

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # Rails page caching setup (and other statics).
    location / {
    try_files /cache$uri.html $uri.html $uri @app;
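Review bot: `add_header X-Frame-Options DENY;` and `add_header X-Content-Type-Options nosniff;` (like the HSTS and HPKP lines above them) are emitted by nginx only on 200/204/301/302/304 responses unless the directive ends with `always` (nginx 1.7.5+), so a 404 or 500 from the Rails upstream reached through the `try_files ... @app` fallback below goes out without them. Append `always` to each, e.g. `add_header X-Frame-Options DENY always;`, if the installed nginx supports it. The HSTS added to the bare-domain redirect server carries `includeSubdomains`, which is the right place for it, but it commits every subdomain of the site to HTTPS before this ships — worth a one-line comment on that server block. The www server that the second hunk sits in starts and ends outside the hunk.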
  5. Dave Slutzkin revised this gist Jul 22, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx.conf
    @@ -16,7 +16,7 @@ ssl_session_timeout 5m;

    # Cipher list checks out well on the Qualys test
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES:!AES128:CAMELLIA:!CAMELLIA128:!aNULL:!PSK:!aECDH';
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    # This should be a 4096 bit DH key generated with: 'openssl dhparams -out dhparams.pem 4096'
    ssl_dhparam /var/app/deploy/dhparams.pem;
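Review bot: The new `ssl_ciphers` line adds 3DES (`EECDH+3DES`, `RSA+3DES`), a 64-bit block cipher exposed to SWEET32-style birthday attacks on long-lived connections, which the old `AES`-only list did not offer, and it ranks the static-RSA `RSA+AES128` (no forward secrecy) above `EECDH+AES256`, so the ordering reads as if AES-128 speed outranks forward secrecy. It also drops every DHE suite, so the 4096-bit `ssl_dhparam` two lines below no longer influences any negotiated suite — harmless, but the comment should say so. Unless a measured client population needs the fallbacks, `ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;` is the stricter line; if static RSA must stay, place it after all EECDH groups and drop the 3DES entries. With `ssl_prefer_server_ciphers on`, this ordering is the one that wins.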
  6. Dave Slutzkin revised this gist Jul 22, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx.conf
    @@ -24,7 +24,7 @@ ssl_dhparam /var/app/deploy/dhparams.pem;
    # SSL/TLS OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # This is the root and intermediate certificates from the CA.
    # This contains the root and intermediate certificates from the CA.
    ssl_trusted_certificate /var/app/deploy/ca-certs.pem;

    # HTTP bare domain redirect.
  7. Dave Slutzkin revised this gist Jul 22, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion nginx.conf
    @@ -7,7 +7,7 @@ upstream app_server {
    ssl_certificate_key /var/app/deploy/www.thisisatest.com.key;
    ssl_certificate /var/app/deploy/www.thisisatest.com.chained.crt;

    # Ideally we'd have TLSv1.2 and above, but that compromises client support significantly
    # Ideally we'd have only TLSv1.2, but that compromises client support significantly
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # SSL/TLS session caching/resumption
  8. Dave Slutzkin revised this gist Jul 22, 2015. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion nginx.conf
    @@ -7,7 +7,7 @@ upstream app_server {
    ssl_certificate_key /var/app/deploy/www.thisisatest.com.key;
    ssl_certificate /var/app/deploy/www.thisisatest.com.chained.crt;

    # Ideally we'd have TLSv1.2 and above, but that compromises client support
    # Ideally we'd have TLSv1.2 and above, but that compromises client support significantly
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # SSL/TLS session caching/resumption
    @@ -24,6 +24,7 @@ ssl_dhparam /var/app/deploy/dhparams.pem;
    # SSL/TLS OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # This is the root and intermediate certificates from the CA.
    ssl_trusted_certificate /var/app/deploy/ca-certs.pem;

    # HTTP bare domain redirect.
  9. Dave Slutzkin revised this gist Jul 22, 2015. 1 changed file with 3 additions and 3 deletions.
    6 changes: 3 additions & 3 deletions nginx.conf
    @@ -30,19 +30,19 @@ ssl_trusted_certificate /var/app/deploy/ca-certs.pem;
    server {
    server_name thisisatest.com;
    listen 80;
    return 301 https://www.thisisatest.com$request_uri;
    return 301 https://www.$server_name$request_uri;
    }
    # HTTP www redirect.
    server {
    server_name www.thisisatest.com;
    listen 80;
    return 301 https://www.thisisatest.com$request_uri;
    return 301 https://$server_name$request_uri;
    }
    # HTTPS bare domain redirect.
    server {
    server_name thisisatest.com;
    listen 443 ssl;
    return 301 $scheme://www.thisisatest.com$request_uri;
    return 301 $scheme://www.$server_name$request_uri;
    }

    server {
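Review bot: Using `$server_name` in the three redirects is the safe choice — it is the first name of each block's `server_name` directive, not anything taken from the request, so the Host header cannot steer these 301s — but the HTTPS bare-domain server still builds its target from `$scheme`, which inside a `listen 443 ssl` block is always `https`; writing `return 301 https://www.$server_name$request_uri;` there makes the intent explicit and survives a later `listen 80` being added to the same block. A one-line comment on the port-80 servers noting that no `default_server` is declared for port 80, so the first block (the bare domain) also answers unknown Host values with this redirect, would save the next reader a lookup. Whether that catch-all behaviour is wanted depends on what else listens on 80 outside this file.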
  10. Dave Slutzkin created this gist Jul 20, 2015.
    79 changes: 79 additions & 0 deletions nginx.conf
    @@ -0,0 +1,79 @@
    # Thin serving Rails.
    upstream app_server {
    server 127.0.0.1:3050 fail_timeout=0;
    }

    # SSL/TLS certificates - the key should be 4096 bit generated with: 'openssl genrsa -des3 -out server.key 4096'
    ssl_certificate_key /var/app/deploy/www.thisisatest.com.key;
    ssl_certificate /var/app/deploy/www.thisisatest.com.chained.crt;

    # Ideally we'd have TLSv1.2 and above, but that compromises client support
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # SSL/TLS session caching/resumption
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 5m;

    # Cipher list checks out well on the Qualys test
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES:!AES128:CAMELLIA:!CAMELLIA128:!aNULL:!PSK:!aECDH';

    # This should be a 4096 bit DH key generated with: 'openssl dhparams -out dhparams.pem 4096'
    ssl_dhparam /var/app/deploy/dhparams.pem;

    # SSL/TLS OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /var/app/deploy/ca-certs.pem;

    # HTTP bare domain redirect.
    server {
    server_name thisisatest.com;
    listen 80;
    return 301 https://www.thisisatest.com$request_uri;
    }
    # HTTP www redirect.
    server {
    server_name www.thisisatest.com;
    listen 80;
    return 301 https://www.thisisatest.com$request_uri;
    }
    # HTTPS bare domain redirect.
    server {
    server_name thisisatest.com;
    listen 443 ssl;
    return 301 $scheme://www.thisisatest.com$request_uri;
    }

    server {
    server_name www.thisisatest.com;

    listen 443 ssl default_server deferred;

    client_max_body_size 4G;
    keepalive_timeout 40;

    root /var/app/public;

    error_page 500 502 503 504 /500.html;

    # SSL/TLS Strict Transport Security (HSTS)
    add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains';

    # SSL/TLS Public Key Pinning (HPKP)
    add_header Public-Key-Pins 'pin-sha256="lduqX5oR7l7lHvsyLuIVac5iqZmXOLnxWA3osdAhz64="; max-age=5184000; includeSubdomains';

    # Rails page caching setup (and other statics).
    location / {
    try_files /cache$uri.html $uri.html $uri @app;
    }

    # Serve from Rails.
    location @app {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;

    proxy_pass http://app_server;
    }
    }
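Review bot: The `Public-Key-Pins` header in the www server carries a single pin, and RFC 7469 §2.5 requires at least one backup pin that is not in the served chain — browsers that implemented HPKP did not note a host whose header lacked one, and once a second pin is added the 60-day `max-age` with `includeSubdomains` turns any key-rotation mistake into a site-wide lockout for that period; HPKP has since been removed from all major browsers, so the safer course is to drop the header (or send `max-age=0`) and rely on HSTS plus certificate-transparency monitoring. Separately, the key-generation hint `openssl genrsa -des3 -out server.key 4096` produces a passphrase-protected key, which nginx cannot load at startup without `ssl_password_file` or an interactive prompt, so either drop `-des3` or document the passphrase handling next to `ssl_certificate_key`. `proxy_set_header Host $http_host;` forwards the client-supplied Host unchanged to the Rails upstream, and because this server is `default_server` any Host reaches it, so host validation has to happen in the application (presumably Rails' host allow-list — not visible here).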