2018-05-25 18:16:30 +02:00 · 2018-05-25 18:16:30 +02:00 · 5da068e8e9
commit 5da068e8e9
4 changed files with 63 additions and 0 deletions
--- a/000-default.conf
+++ b/000-default.conf
@ -0,0 +1,51 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    include letsencrypt.conf;
+
+    server_name _;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name _;
+    root /var/www/html;
+
+    ssl_certificate /srv/ssl/default/fullchain.pem;
+    ssl_certificate_key /srv/ssl/default/key.pem;
+
+    server_tokens off;
+    
+    include ssl_params.conf;
+    include letsencrypt.conf;
+
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+    index index.html index.htm;
+
+    charset utf-8;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    location /.well-known {
+        auth_basic "off";
+    }
+
+    location = /favicon.ico { access_log off; log_not_found off; }
+    location = /robots.txt  { access_log off; log_not_found off; }
+
+    access_log /var/log/nginx/default-access.log combined;
+    error_log  /var/log/nginx/default-error.log error;
+
+    location ~ /\.ht {
+        deny all;
+    }
+}
--- a/generate-dhparams.sh
+++ b/generate-dhparams.sh
@ -0,0 +1,4 @@
+#!/bin/bash
+touch /etc/nginx/dhparams.pem
+chmod 700 /etc/nginx/dhparams.pem
+openssl dhparam -out /etc/nginx/dhparams.pem 2048
--- a/letsencrypt.conf
+++ b/letsencrypt.conf
@ -0,0 +1,3 @@
+location /.well-known/acme-challenge {
+    alias /var/www/html/.well-known/acme-challenge;
+}
--- a/ssl_params.conf
+++ b/ssl_params.conf
@ -0,0 +1,5 @@
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ssl_prefer_server_ciphers on;
+ssl_dhparam /etc/nginx/dhparams.pem;
+ssl_session_cache shared:SSL:10m;