Skip to content

Instantly share code, notes, and snippets.

@cleot

cleot/nginx-vhost-letsencrypt-ocsp.conf

Created September 3, 2016 17:43
Show Gist options
  • Save cleot/54b5aa6381ce353ad4a327faae40db47 to your computer and use it in GitHub Desktop.
Save cleot/54b5aa6381ce353ad4a327faae40db47 to your computer and use it in GitHub Desktop.
Download ZIP
nginx ssl vHost + Letsencrypt OCSP Stapling
Raw
nginx-vhost-letsencrypt-ocsp.conf
server {
listen 443 ssl http2;
ssl on;
#listen [::]:443 ssl http2;
server_name example.com;
keepalive_timeout 300;
# Letsencrypt
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Cipher
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_dhparam /etc/ssl/private/dhparam.pem;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# OSCP
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
# Header
add_header Strict-Transport-Security max-age=63072000; # HSTS
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
fastcgi_param HTTPS on;
location / {
proxy_pass http://backend;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host $host;
proxy_redirect off;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment