@daveslutzkin
Last active September 20, 2017 20:04
Nginx conf for solid SSL/TLS
# Thin serving Rails.
upstream app_server {
    server 127.0.0.1:3050 fail_timeout=0;
}

# SSL/TLS certificates. The key should be 4096 bit, generated with:
#   openssl genrsa -des3 -out server.key 4096
# Caveat: -des3 passphrase-protects the key, so nginx will prompt for the
# passphrase on every start unless ssl_password_file (nginx 1.7.3+) is set.
# Drop -des3 for unattended restarts and rely on file mode 0600 instead.
# The chained file is the leaf certificate followed by the intermediate(s).
ssl_certificate_key /var/app/deploy/www.thisisatest.com.key;
ssl_certificate /var/app/deploy/www.thisisatest.com.chained.crt;

# Ideally we'd have only TLSv1.2, but that compromises client support significantly.
# TLS 1.0 and 1.1 have since been deprecated (RFC 8996); on a current nginx/OpenSSL
# use "TLSv1.2 TLSv1.3" unless you have measured that legacy clients still need them.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# SSL/TLS session caching/resumption.
# Session tickets are on by default; the ticket key is generated at startup and
# is not rotated while the process runs, so resumed sessions lose forward secrecy
# for as long as that key lives. Restart periodically or manage ssl_session_ticket_key.
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 1d;

# Cipher list checks out well on the Qualys test.
# The RSA+... entries admit static RSA key exchange (no forward secrecy) and the
# 3DES entries are 64-bit block ciphers (SWEET32); both are kept only for legacy
# clients, so drop them once those clients are gone.
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

# This should be a 4096 bit DH key generated with: 'openssl dhparam -out dhparams.pem 4096'
# (generation can take a very long time; the parameters are used by any DHE suite
# the cipher list enables).
ssl_dhparam /var/app/deploy/dhparams.pem;

# SSL/TLS OCSP stapling. With ssl_stapling_verify on, nginx validates the stapled
# response against ssl_trusted_certificate, which must therefore contain the CA's
# intermediate and root certificates.
ssl_stapling on;
ssl_stapling_verify on;
# This contains the root and intermediate certificates from the CA.
ssl_trusted_certificate /var/app/deploy/ca-certs.pem;
# Needed to look up the OCSP responder. These are Google's public resolvers and
# the lookups are plain, unauthenticated DNS; prefer a local resolver if you have one.
resolver 8.8.4.4 8.8.8.8;

# HTTP bare domain redirect.
server {
    server_name thisisatest.com;
    listen 80;
    return 301 https://www.$server_name$request_uri;
}

# HTTP www redirect.
server {
    server_name www.thisisatest.com;
    listen 80;
    return 301 https://$server_name$request_uri;
}

# HTTPS bare domain redirect. The certificate inherited from the http context
# must list thisisatest.com as a SAN, or clients get a name-mismatch error
# before the redirect is ever sent. $scheme is always https in this block.
server {
    server_name thisisatest.com;
    listen 443 ssl;
    return 301 $scheme://www.$server_name$request_uri;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
}

server {
    server_name www.thisisatest.com;
    listen 443 ssl default_server deferred;
    client_max_body_size 4G;
    keepalive_timeout 40;
    root /var/app/public;
    error_page 500 502 503 504 /500.html;

    # SSL/TLS Strict Transport Security (HSTS). Note that add_header directives
    # are not inherited into a location that declares its own add_header.
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';

    # SSL/TLS Public Key Pinning (HPKP). RFC 7469 requires at least two pins
    # (one of them a backup for a key not yet in service) and conforming clients
    # ignore a header with fewer, so as written this pin is not enforced. Browsers
    # have since removed HPKP support altogether (Chrome dropped it in version 72).
    # A pin for the wrong key with includeSubDomains locks clients out for max-age.
    add_header Public-Key-Pins 'pin-sha256="lduqX5oR7l7lHvsyLuIVac5iqZmXOLnxWA3osdAhz64="; max-age=5184000; includeSubDomains';
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # Rails page caching setup (and other statics).
    location / {
        try_files /cache$uri.html $uri.html $uri @app;
    }

    # Serve from Rails.
    location @app {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # The upstream hop is plain HTTP, so Rails needs the original scheme
        # (config.force_ssl, secure cookies, absolute redirects) passed through.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_pass http://app_server;
    }
}
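The config above references a private key, DH parameters, a chained certificate, a CA bundle and an HPKP pin, and its comments give one-line openssl commands for some of them. The script below is an added example, not part of the gist: it produces that material, computes the pin-sha256 value the way RFC 7469 defines it (from both a certificate and a bare key, so a backup pin can be published), and gives the post-deploy checks for stapling and HSTS. It assumes the openssl and curl CLIs are on PATH; the host name www.thisisatest.com, the file names and the self-signed test certificate in demo() are placeholders constructed here.

```shell
#!/bin/sh
# Added example (not from the gist): key material for the nginx config above
# plus the checks an operator would run before and after deploying it.
# Assumes openssl and curl are installed; host and file names are placeholders.
set -eu

# Private key. Unlike the gist's '-des3' command this leaves the key
# unencrypted so nginx can start unattended; file mode 0600 protects it.
gen_key() {  # gen_key OUT.key [BITS]
    openssl genrsa -out "$1" "${2:-4096}" 2>/dev/null
    chmod 0600 "$1"
}

# DH parameters for ssl_dhparam (4096 bits takes a long time to generate).
gen_dhparam() {  # gen_dhparam OUT.pem [BITS]
    openssl dhparam -out "$1" "${2:-4096}" 2>/dev/null
}

# ssl_certificate wants the leaf first, then the intermediate(s);
# ssl_trusted_certificate (for ssl_stapling_verify) wants the intermediate(s)
# and the root. Both are plain concatenations of PEM files.
build_chain() {  # build_chain FIRST.crt NEXT.crt... > out.pem
    cat "$@"
}

# HPKP pin (RFC 7469 section 2.4): base64(SHA-256(DER SubjectPublicKeyInfo)).
pin_from_cert() {  # pin_from_cert CERT.pem
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# The same pin derived from a private key, so the mandatory backup pin can be
# published for a spare key that has no certificate yet.
pin_from_key() {  # pin_from_key KEY.pem
    openssl pkey -in "$1" -pubout -outform der 2>/dev/null \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64
}

# Live checks against the deployed server (these need network access).
check_stapling() {  # check_stapling HOST -> exit 0 if a stapled OCSP response arrives
    printf 'QUIT\n' \
        | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

check_hsts() {  # check_hsts HOST -> prints the HSTS header, exit 1 if missing
    curl -sSI "https://$1/" | grep -i '^strict-transport-security:'
}

# Demo on throwaway material (a self-signed certificate constructed here, not a
# real CA chain): the pin from the cert must equal the pin from its key, and a
# second key supplies the backup pin the header needs to be honoured.
demo() {
    d=$(mktemp -d)
    gen_key "$d/server.key" 2048
    gen_key "$d/backup.key" 2048
    openssl req -new -x509 -key "$d/server.key" -days 1 \
        -subj '/CN=www.thisisatest.com' -out "$d/server.crt" 2>/dev/null
    primary=$(pin_from_cert "$d/server.crt")
    [ "$primary" = "$(pin_from_key "$d/server.key")" ] || return 1
    backup=$(pin_from_key "$d/backup.key")
    printf "add_header Public-Key-Pins 'pin-sha256=\"%s\"; pin-sha256=\"%s\"; max-age=5184000; includeSubDomains';\n" \
        "$primary" "$backup"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh hpkp-tools.sh demo` to see a two-pin header built from a fresh key pair; for the real deployment, call pin_from_cert on the live leaf certificate and pin_from_key on an offline spare key, and keep that spare key where a compromise of the web server cannot reach it, since it is the only way out if the primary pin ever has to be abandoned.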