Created
May 16, 2014 15:41
-
-
Save matthutchinson/d6770107a3131abab362 to your computer and use it in GitHub Desktop.
store.pmfaqtory.com nginx/unicorn/ssl/tls/oscp/resumption/forward secrecy/NPN/SPDY/3.1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://istlsfastyet.com | |
| # https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx.conf | |
| # https://github.com/matthutchinson/matthutchinson.github.com/wiki/NGINX | |
| # nginx (1.5.10) with resumption, OCSP stapling, 1400 byte TLS records, forward secrecy, NPN + SPDY/3.1 | |
| upstream unicorn { | |
| server unix:/var/www/pmfaqtory-store/shared/tmp/sockets/unicorn.sock fail_timeout=0; | |
| } | |
| # redirect all non ssl traffic to ssl | |
| server { | |
| listen 80; | |
| server_name store.pmfaqtory.com; | |
| rewrite ^ https://$server_name$request_uri? permanent; | |
| } | |
| # https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx.conf | |
| ssl_session_cache shared:SSL:10m; # 10MB -> ~40,000 sessions. | |
| ssl_session_timeout 24h; # 24 hours | |
| ssl_buffer_size 1400; # 1400 bytes to fit in one MTU | |
| server { | |
| listen 443 default ssl spdy; | |
| server_name store.pmfaqtory.com; | |
| # Adjust connection keepalive for SPDY and non-SPDY clients: | |
| spdy_keepalive_timeout 300; # up from 180 secs default | |
| keepalive_timeout 300; # up from 75 secs default | |
| # ssl | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| # courtesy of https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_Ciphersuite | |
| ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK; | |
| ssl_prefer_server_ciphers on; | |
| ssl on; | |
| ssl_certificate /etc/ssl/certs/store.pmfaqtory.com-premium-chained.crt; | |
| ssl_certificate_key /etc/ssl/private/store.pmfaqtory.com-premium.key; | |
| # OCSP stapling... | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| ssl_trusted_certificate /etc/ssl/certs/store.pmfaqtory.com-premium-chained.crt; | |
| resolver 8.8.8.8; | |
| # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and | |
| # when a restart is performed the previous key is lost, which resets all previous | |
| # sessions. The fix for this is to setup a manual rotation mechanism: | |
| # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx | |
| # | |
| # Note that you'll have to define and rotate the keys securely by yourself. In absence | |
| # of such infrastructure, consider turning off session tickets: | |
| ssl_session_tickets off; | |
| # enable SPDY header compression | |
| spdy_headers_comp 6; | |
| # remember the certificate for a year and automatically connect to HTTPS | |
| add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains'; | |
| # app | |
| root /var/www/pmfaqtory-store/current/public; | |
| index index.html index.htm; | |
| # logs | |
| access_log /var/www/pmfaqtory-store/shared/log/access.log main; | |
| error_log /var/www/pmfaqtory-store/shared/log/error.log info; | |
| # maintenance | |
| if (-f $document_root/system/maintenance.html) { | |
| rewrite ^(.*)$ /system/maintenance.html last; | |
| break; | |
| } | |
| # block bots who like track urls (php usually) | |
| location ~ \.php$ { | |
| deny all; | |
| } | |
| location / { | |
| # forward user IP address to rails | |
| proxy_set_header X-Real-IP $remote_addr; | |
| # needed for HTTPS | |
| proxy_set_header X_FORWARDED_PROTO https; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $http_host; | |
| proxy_redirect off; | |
| proxy_max_temp_file_size 0; | |
| # asset pipeline | |
| location ~ ^/(assets)/ { | |
| root /var/www/pmfaqtory-store/current/public; | |
| gzip_static on; | |
| expires max; | |
| add_header Cache-Control public; | |
| } | |
| # serve static files | |
| if (-f $request_filename) { | |
| break; | |
| } | |
| if (!-f $request_filename) { | |
| proxy_pass http://unicorn; | |
| } | |
| } | |
| # error pages | |
| error_page 500 502 503 504 /500.html; | |
| location = /500.html { | |
| root /var/www/pmfaqtory-store/current/public; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment