@gustavorv86
Last active March 6, 2021 12:18
Create a self-signed OpenSSL root CA certificate for local web development applications.
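## Run this command (change server01.domain.local to your server's hostname, here and in [alt_names]):
## openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -config ./openssl.cnf -keyout /etc/ssl/private/server01.domain.local.key -out /etc/ssl/certs/server01.domain.local.crt
## -nodes writes the private key unencrypted: keep the .key file readable by root only (e.g. chmod 600) and never copy it to the clients.
## Install the generated /etc/ssl/certs/server01.domain.local.crt on your computers and mobiles in the Trusted Root Certification Authorities store.
## Run this command to generate the NGINX dhparam (takes several minutes at 4096 bits):
## openssl dhparam -out /etc/nginx/dhparam.pem 4096
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
# prompt = no: every subject field is taken from [req_distinguished_name] instead of being asked interactively.
prompt = no
[req_distinguished_name]
commonName = server01.domain.local
organizationalUnitName = IT
organizationName = domain.local
localityName = Madrid
stateOrProvinceName = Madrid
countryName = ES
emailAddress = [email protected]
[v3_req]
# CA:TRUE because this self-signed certificate is itself imported as a trust anchor on every client.
# NOTE(review): the same private key then terminates TLS on the web server, so anyone who obtains it
# can issue certificates trusted by every device that imported this file. Once more than one machine
# trusts it, prefer a separate offline root that signs a CA:FALSE server certificate.
basicConstraints=CA:TRUE
# digitalSignature is what the (EC)DHE suites in the nginx snippet need from an RSA key;
# keyAgreement only has meaning for DH/ECDH keys and is effectively ignored here.
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
# Current browsers match the server name against subjectAltName, not commonName:
# every hostname and IP the server is reached by must appear in [alt_names].
subjectAltName = @alt_names
[alt_names]
# Must be spelled exactly like commonName and nginx server_name (the original read "domail" and did not match).
DNS.1 = server01.domain.local
DNS.2 = www.domain.local
DNS.3 = myapplicationname.domain.local
IP.1 = 172.16.1.222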
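## Create this file as /etc/nginx/snippets/self-signed.conf (the site configuration includes it under that name).
ssl_certificate /etc/ssl/certs/server01.domain.local.crt;
ssl_certificate_key /etc/ssl/private/server01.domain.local.key;
# TLSv1.3 needs nginx >= 1.13.0 (older builds reject the value at nginx -t) and OpenSSL >= 1.1.1 to negotiate it.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# TLS 1.2 suites only; TLS 1.3 suites are fixed by OpenSSL and not affected by this list.
# "ECDHE-RSA-AES256-GCM-SHA512" / "DHE-RSA-AES256-GCM-SHA512" are not OpenSSL cipher names and were
# silently ignored, so they are dropped. ECDHE-RSA-CHACHA20-POLY1305 is added for clients without AES hardware.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
# nginx's default ticket key is generated at startup and never rotated, which weakens forward secrecy; keep tickets off.
ssl_session_tickets off;
# A self-signed certificate has no OCSP responder, so stapling stays off.
# ssl_stapling_verify and the resolver below only take effect when stapling is on.
ssl_stapling off;
ssl_stapling_verify on;
# Use local DNS resolver: Router, Firewall or AD.
# NOTE: 8.8.4.4 is a public resolver; nothing queries it while stapling is off, but internal
# hostnames would be sent to it if a directive using the resolver is ever enabled.
resolver 172.16.1.1 172.16.1.101 8.8.4.4 valid=300s;
resolver_timeout 5s;
# add_header is not inherited into a location that declares its own add_header; repeat these there if needed.
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# Legacy header: current browsers ignore it (Chrome removed the XSS auditor); kept only for older clients.
add_header X-XSS-Protection "1; mode=block";
ssl_dhparam /etc/nginx/dhparam.pem;
# A single curve is accepted by every modern client; "X25519:secp384r1" would let clients pick the faster X25519.
ssl_ecdh_curve secp384r1;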
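## Create this file in /etc/nginx/sites-available and create a symbolic link to it in /etc/nginx/sites-enabled.
## Change server01.domain.local to your server's hostname (it must also be listed in the certificate's alt_names).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # Certificate, protocols, ciphers and security headers come from the shared snippet.
    include snippets/self-signed.conf;

    root /opt/html/www;
    index index.php index.html;
    server_name server01.domain.local;

    # Regex locations are tested in the order written and the first match wins, so the deny
    # rules must come BEFORE the "\.php$" handler: otherwise /bin/x.php or /.git/x.php would be
    # handed to PHP-FPM instead of refused.
    # Deny dot-files and dot-directories (.git, .env, .htpasswd, ...); .well-known/ stays reachable.
    location ~ /\.(?!well-known/) {
        deny all;
    }
    # Deny the bin, etc and log folders as whole path segments. The original unanchored
    # "~ /log" also blocked /login and /blog/, and "~ /bin" blocked /foo/binary.
    location ~ /(bin|etc|log)(/|$) {
        deny all;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        # presumably the distribution snippet that maps SCRIPT_FILENAME and rejects missing scripts — verify its contents
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}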