lostsnow · December 1, 2016 06:56
diff --git a/ngx-ssl.conf b/ngx-ssl.conf
 server {
    listen 80;
    server_name www.xxoo.com xxoo.com;
    server_tokens off;

    location ^~ /.well-known/acme-challenge/ {
        alias /var/lib/acme/.well-known/acme-challenge/;
        try_files $uri =404;
    }

    location / {
        rewrite ^/(.*)$ https://www.xxoo.com/$1 permanent;
    }
 }

 server {
    listen 443 ssl http2 fastopen=3 reuseport;
    listen [::]:443 ssl http2;
    server_name www.xxoo.com xxoo.com fastopen=3 reuseport;
    server_tokens off;
    root /usr/share/nginx/html;
    index index.html index.htm;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /var/lib/acme/live/www.xxoo.com/fullchain;
    ssl_certificate_key /var/lib/acme/live/www.xxoo.com/privkey;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /var/lib/acme/conf/dh4096.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /var/lib/acme/live/www.xxoo.com/chain;

    resolver 8.8.8.8;
 }
	server {
	listen 80;
	server_name www.xxoo.com xxoo.com;
	server_tokens off;

	location ^~ /.well-known/acme-challenge/ {
	alias /var/lib/acme/.well-known/acme-challenge/;
	try_files $uri =404;
	}

	location / {
	rewrite ^/(.*)$ https://www.xxoo.com/$1 permanent;
	}
	}

	server {
	listen 443 ssl http2 fastopen=3 reuseport;
	listen [::]:443 ssl http2;
	server_name www.xxoo.com xxoo.com fastopen=3 reuseport;
	server_tokens off;
	root /usr/share/nginx/html;
	index index.html index.htm;

	# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	ssl_certificate /var/lib/acme/live/www.xxoo.com/fullchain;
	ssl_certificate_key /var/lib/acme/live/www.xxoo.com/privkey;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam /var/lib/acme/conf/dh4096.pem;

	# modern configuration. tweak to your needs.
	ssl_protocols TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
	ssl_prefer_server_ciphers on;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# OCSP Stapling ---
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;

	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	ssl_trusted_certificate /var/lib/acme/live/www.xxoo.com/chain;

	resolver 8.8.8.8;
	}