eby revised this gist
Mar 20, 2016 . 1 changed file with 14 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -5,7 +5,7 @@ server_name docstore.yourdomain.org; return 301 https://$server_name$request_uri; } # SSL Server based off https://cipherli.st/ and H5BP server { # Listen on IPv6/4 listen [::]:443 ssl spdy; @@ -37,15 +37,26 @@ # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; # Some SSL options for performance and security ssl_session_cache shared:SSL:10m; ssl_session_timeout 24h; ssl_session_tickets off; # Requires nginx >= 1.5.9 ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 2s; add_header Strict-Transport-Security "max-age=63072000; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; # Nginx can cache file descriptors and 404s # You can enable this globally, server or just a location # This should help with any documents that become popular # You can tweak the inactive passed on your doc stability open_file_cache max=1000 inactive=20s; open_file_cache_valid 30s; open_file_cache_min_uses 2; open_file_cache_errors on; # Static directory has css/js/sprites # Otherwise you can match by extension location ^~ /static/ { -
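Review bot: The Strict-Transport-Security value in the second hunk drops `includeSubdomains` while keeping `preload`; the HSTS preload list only accepts a policy that carries `includeSubDomains`, so the `preload` token on the new line is ineffective as written. Either restore `"max-age=63072000; includeSubDomains; preload"` if no subdomain needs to stay on plain HTTP, or drop `preload` as well so the header states only what is actually enforced. The `resolver 8.8.8.8 8.8.4.4` line sends the OCSP-stapling lookups to a public resolver over plain DNS; a local caching resolver is the usual choice when one is available, though that is a deployment preference rather than a defect. The enclosing server block starts before this hunk and the `location ^~ /static/ {` it ends on continues past it.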
eby revised this gist
Mar 20, 2016 . 1 changed file with 3 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -47,9 +47,11 @@ add_header X-Content-Type-Options nosniff; # Static directory has css/js/sprites # Otherwise you can match by extension location ^~ /static/ { expires max; access_log off; add_header Cache-Control "public"; } location / { proxy_pass_header Server; -
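Review bot: The `add_header Cache-Control "public";` added inside `location ^~ /static/` switches off inheritance of the server-level `add_header` lines, so responses under /static/ lose Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options — nginx only inherits add_header from the enclosing level when the current level declares none. Repeat those three directives inside the location next to the Cache-Control line, or move the server-level headers into a snippet that both levels `include`. The context line `add_header X-Content-Type-Options nosniff;` at the top of the hunk is one of the headers that stops being sent for static files. A comment such as `# add_header here replaces, not extends, the server-level headers` would keep the next editor from reintroducing the gap. The server block enclosing this location starts before the hunk.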
eby revised this gist
Mar 20, 2016 . 1 changed file with 26 additions and 27 deletions.There are no files selected for viewing
@@ -7,34 +7,34 @@ } # SSL Server based off https://cipherli.st/ server { # Listen on IPv6/4 listen [::]:443 ssl spdy; listen 443 ssl spdy; server_name docstore.yourdomain.org; access_log /var/log/nginx/docstore_access_log main; error_log /var/log/nginx/docstore_error_log info; root /path/to/docstore; # Tweak for what you want max upload size to be client_max_body_size 2G; # SSL Configuration # This will get A- or A+ depending on cipher list on ssllabs # You'll want a SHA2 cert ssl_certificate /etc/ssl/nginx/yourssl.crt; ssl_certificate_key /etc/ssl/private/yourssl.key; # Generate with 'openssl dhparam -out dhparams.pem 4096' ssl_dhparam /etc/ssl/nginx/dhparams.pem; # Disable SSLv2 and SSLv3 due to attacks ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 ssl_prefer_server_ciphers on; # Ciphers if you want A+ SSLLabs rating but don't mind <IE11 not being able to connect ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; # Ciphers if you want to support IE8/XP (will be A-) # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; # Some SSL options for performance and security ssl_session_cache shared:SSL:10m; ssl_session_tickets off; # Requires nginx >= 1.5.9 @@ -46,11 +46,10 @@ add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; # Static directory has css/js/sprites location ^~ /static/ { expires max; access_log off; } location / { proxy_pass_header Server; -
eby revised this gist
Mar 20, 2016 . 1 changed file with 4 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -46,10 +46,11 @@ add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; # In docstore static directory has css/js/sprites # If you care about recording hits to those then remove access_log statement location ^~ /static/ { expires max; access_log off; } location / { proxy_pass_header Server; -
eby revised this gist
Mar 20, 2016 . 1 changed file with 43 additions and 2 deletions.There are no files selected for viewing
@@ -5,17 +5,58 @@ server_name docstore.yourdomain.org; return 301 https://$server_name$request_uri; } # SSL Server based off https://cipherli.st/ server { # Listen on IPv6/4 listen [::]:443 ssl spdy; listen 443 ssl spdy; server_name docstore.yourdomain.org; access_log /var/log/nginx/docstore_access_log main; error_log /var/log/nginx/docstore_error_log info; root /path/to/docstore; # Tweak for what you want max upload size to be client_max_body_size 2G; # SSL Configuration # This will get A- or A+ depending on cipher list on ssllabs # You'll want a SHA2 cert ssl_certificate /etc/ssl/nginx/yourssl.crt; ssl_certificate_key /etc/ssl/private/yourssl.key; # Generate with 'openssl dhparam -out dhparams.pem 4096' ssl_dhparam /etc/ssl/nginx/dhparams.pem; # Disable SSLv2 and SSLv3 due to attacks ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 ssl_prefer_server_ciphers on; # Ciphers if you want A+ SSLLabs rating but don't mind <IE11 not being able to connect ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; # Ciphers if you want to support IE8/XP (will be A-) # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; # Some SSL options for performance and security ssl_session_cache shared:SSL:10m; ssl_session_tickets off; # Requires nginx >= 1.5.9 ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; add_header Strict-Transport-Security "max-age=63072000; 
includeSubdomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; location ^~ /static/ { if ($query_string) { expires max; } } location / { proxy_pass_header Server; proxy_set_header Host $http_host; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme; proxy_pass http://127.0.0.1:8000; } } -
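Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` only retires SSLv2/SSLv3, as its comment says, but TLS 1.0 and 1.1 are the legacy part of that list and are what the IE8/XP cipher comment is trading against; if the A+ goal wins, `ssl_protocols TLSv1.2;` is the line that matches the stricter `ssl_ciphers` already chosen. The `preload` token in the Strict-Transport-Security header is a commitment that is hard to withdraw once the domain is submitted to the preload list, so a comment next to it along the lines of `# preload is near-permanent once submitted; confirm every subdomain serves HTTPS first` is worth adding. `listen 443 ssl spdy;` assumes an nginx build that still carries SPDY; later releases replaced it with `http2`, so this should be checked against the target version. The `if ($query_string) { expires max; }` block is superseded by a later revision on this page and needs no further comment here.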
eby created this gist
Mar 19, 2016 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,21 @@ # Redirect all traffic to SSL server { listen [::]:80; listen 80; server_name docstore.yourdomain.org; return 301 https://$server_name$request_uri; } server { # Listen on IPv6/4 listen [::]:443 ssl spdy; listen 443 ssl spdy; server_name docstore.yourdomain.org; # Tweak for what you want max upload size to be client_max_body_size 2G; # SSL Configuration # This will get A- or A+ depending on cipher list on ssllabs ssl_certificate /etc/ssl/nginx/yourssl.crt; ssl_certificate_key /etc/ssl/private/yourssl.key;