Installation let's encrypt and ticket key for nginx : sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt --depth=1
sudo openssl rand -out /etc/nginx/ssl/ticket.key 48
sudo openssl dhparam -out /etc/nginx/ssl/dhparam4.pem 4096
sudo /opt/letsencrypt/letsencrypt-auto certonly --rsa-key-size 4096 --webroot --webroot-path /var/www/domaine.ltd -d domaine.ltd 0 0 1 * * /opt/letsencrypt/letsencrypt-auto renew >> /var/log/letsencrypt/renewal.log # /root/letsencrypt-config/myApp.ini# Let's Encrypt config for myApp# Use the webroot authenticatorauthenticator = webroot
webroot-path = /var/www/letsencrypt/<myApp>
# Use the standalone authenticator on port 443# authenticator = standalone# standalone-supported-challenges = tls-sni-01# Generate certificates for the specified domaindomains = domaine.ltd
# Register with the specified email addressemail = [email protected]
# use a 4096 bit RSA key instead of 2048rsa-key-size = 4096server {
listen 80 ;
server_name domaine.ltd;
root /var/www/domaine.ltd;
location ^~ /.well-known {
alias /var/www/letsencrypt/myApp/.well-known;
}
location / {
return 301 https://domaine.ltd$request_uri ;
}
}
server {
listen 80 ;
server_name www.domaine.ltd;
return 301 https://domaine.ltd$request_uri ;
}
server {
#http2 pour Nginx >= 1.9.5
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name domaine.ltd;
root /var/www/domaine.ltd;
index index.php index.html;
location / {
autoindex off ;
try_files $uri $uri / /index.php?$query_string ;
}
location ~ \.php$ {
try_files $uri =404 ;
fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name ;
include fastcgi_params;
}
#### Locations
# On cache les fichiers statiques
location ~* \.(html|css|js|png|jpg|jpeg|gif|ico|svg|eot|woff|ttf)$ { expires max ; }
# On interdit les dotfiles
location ~ /\. { deny all ; }
#### SSL
ssl_certificate /etc/letsencrypt/live/domaine.ltd/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domaine.ltd/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/hdomaine.ltd/fullchain.pem;
# Google DNS, Open DNS, Dyn DNS
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
resolver_timeout 3s ;
#### Session Tickets
ssl_session_cache shared:SSL:100m;
ssl_session_timeout 24h ;
ssl_session_tickets on;
ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
ssl_dhparam /etc/nginx/ssl/dhparam4.pem;
#### ECDH Curve
ssl_ecdh_curve secp384r1;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on ;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK' ;
}Generate your certificat : /opt/letsencrypt/letsencrypt-auto certonly -c /root/letsencrypt-config/myApp.ini 