My Example conf.d/mydomain.conf

1 minute read Published:

This is my example Nginx reverse-proxy + hardened https config (you need nginx/1.9.9):

# redirect all http requests to https
server {
    listen       80;
    return       301 https://$server_name$request_uri;

# define a new cache (use different names and paths for different caches!
proxy_cache_path    /var/nginx_cache/ levels=1:2 keys_zone=blog_cache:10m max_size=512m inactive=60m use_temp_path=off;

# https server block
server {
    listen       443 ssl http2;
    listen  [::]:443 ssl http2;

    ssl_certificate      /etc/letsencrypt/live/;
    ssl_certificate_key  /etc/letsencrypt/live/;

    ssl_session_cache           shared:SSL:20m;
    ssl_session_timeout         60m;

    ssl_prefer_server_ciphers   on;

    ssl_ciphers                 ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    # create a new dhparam by executing:
    # openssl dhparam -out /etc/nginx/cert/dhparam.pem_4096.pem 4096
    ssl_dhparam                 /etc/nginx/cert/dhparam_4096.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_cache           blog_cache;
        proxy_cache_min_uses  3;
        proxy_cache_lock      on;

        proxy_pass http://my-upstream-server/;