qnub · March 12, 2016 17:44
diff --git a/README.md b/README.md
diff --git a/acme-challenge b/acme-challenge
 # /etc/nginx/acme-challenge
 location /.well-known/acme-challenge/ {
  alias /var/run/acme/acme-challenge/;
 }
diff --git a/acme.conf b/acme.conf
 # /etc/nginx/conf.d/acme.conf
 server {
    server_name *.example.com;  # iterate your SSL domains here
    root /var/run/acme/acme-challenge;

    include acme-challenge;

    location / {
        return 301 https://$host$request_uri;
    }
 }
diff --git a/example.conf b/example.conf
 # /etc/nginx/conf.d/example.conf

 server {
    listen 443 ssl;
    server_name example.com; # this domain must match Common Name (CN) in the SSL certificate

    ssl on;

    ssl_certificate /var/lib/acme/live/example.com/fullchain;
    ssl_certificate_key /var/lib/acme/live/example.com/privkey;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    add_header  Strict-Transport-Security "max-age=63072000;";

    include acme-challenge;

    # If your application is not compatible with IE <= 10, this will redirect visitors 
    # to a page advising a browser update
    # This works because IE 11 does not present itself as MSIE anymore
    if ($http_user_agent ~ "MSIE" ) {
        return 303 https://browser-update.org/update.html;
    }

    # all your domain stuff here
 }
	# /etc/nginx/acme-challenge
	location /.well-known/acme-challenge/ {
	alias /var/run/acme/acme-challenge/;
	}
	# /etc/nginx/conf.d/acme.conf
	server {
	server_name *.example.com; # iterate your SSL domains here
	root /var/run/acme/acme-challenge;

	include acme-challenge;

	location / {
	return 301 https://$host$request_uri;
	}
	}
	# /etc/nginx/conf.d/example.conf

	server {
	listen 443 ssl;
	server_name example.com; # this domain must match Common Name (CN) in the SSL certificate

	ssl on;

	ssl_certificate /var/lib/acme/live/example.com/fullchain;
	ssl_certificate_key /var/lib/acme/live/example.com/privkey;

	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:10m;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

	add_header Strict-Transport-Security "max-age=63072000;";

	include acme-challenge;

	# If your application is not compatible with IE <= 10, this will redirect visitors
	# to a page advising a browser update
	# This works because IE 11 does not present itself as MSIE anymore
	if ($http_user_agent ~ "MSIE" ) {
	return 303 https://browser-update.org/update.html;
	}

	# all your domain stuff here
	}