Skip to content

Instantly share code, notes, and snippets.

@rexdivakar
Created January 10, 2023 07:20
Show Gist options
  • Save rexdivakar/e53d1bd7578fc3f51ce22110b3a003bc to your computer and use it in GitHub Desktop.
Save rexdivakar/e53d1bd7578fc3f51ce22110b3a003bc to your computer and use it in GitHub Desktop.
################################
## our HTTP server at port 80 ##
################################
server {
listen 80;
server_name <website_url>;
# HTTP STS
add_header Strict-Transport-Security "max-age=31533600; includeSubDomians; preload" always;
return 301 https://$host$request_uri;
}
#########################################################################
## Our HTTPS server at port 443. You need to provide ssl config below ###
#########################################################################
server {
listen 443 ssl;
server_name <website_url>;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=15768000" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
# Improves TTFB by using a smaller SSL buffer than the nginx default
ssl_buffer_size 8k;
# certs sent to the client in SERVER are concatenated in ssl_certificate
#ssl_certificate /etc/letsencrypt/live/<website_url>/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/<website_url>/privkey.pem;
#ssl_trusted_certificate /etc/letsencrypt/live/<website_url>/chain.pem;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_session_tickets off;
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# TLS Support restriction
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
# Nginx Logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
## PROXY backend
location / {
# redirect all HTTP traffic to localhost:8088;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:<port_no>;
proxy_redirect http://127.0.0.1:<port_no> https://<website_url>;
proxy_read_timeout 90;
# prevents 502 bad gateway error
proxy_buffers 8 32k;
proxy_buffer_size 64k;
# Enable support for web sockets
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_hide_header 'Access-Control-Allow-Origin';
# Protect from Click Jacking
proxy_hide_header X-Powered-By;
add_header X-Frame-Options SAMEORIGIN;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment