eligao · August 5, 2017 14:24
diff --git a/default.conf b/default.conf
 # /etc/nginx/conf.d/default.conf
 # This config is generated as a reference, from 
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.12.1&openssl=1.1.0f&hsts=no&profile=modern 
 # Remember to replace <HOSTNAME> if you use this directly.
 # Or generate your own config.

 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name <HOSTNAME>;

  # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
  ssl_certificate /etc/letsencrypt/live/<HOSTNAME>/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/<HOSTNAME>/privkey.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;


  # modern configuration. tweak to your needs.
  ssl_protocols TLSv1.2;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;


  # OCSP Stapling ---
  # fetch OCSP records from URL in ssl_certificate and cache them
  ssl_stapling on;
  ssl_stapling_verify on;

  ## verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

  #resolver <IP DNS resolver>;

  #location /{
  #  ...
  #}
 }
diff --git a/http.conf b/http.conf
 #/etc/nginx/conf.d/http.conf

 server {
  listen 80 default_server;
  listen [::]:80 default_server;

  include letsencrypt.conf;
  # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
  location /{
    return 301 https://$host$request_uri;
  }
 }
diff --git a/letsencrypt.conf b/letsencrypt.conf
  #/etc/nginx/letsencrypt.conf
  
  # Use this command to generate a certification:
  # certbot certonly --webroot --agree-tos -m [email protected] -w /var/lib/letsencrypt/ -d hostname.example.com 
  
  # Accept let's encrypt challenges
  # Create folder /var/lib/letsencrypt before use
  location /.well-known {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
  }
	# /etc/nginx/conf.d/default.conf
	# This config is generated as a reference, from
	# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.12.1&openssl=1.1.0f&hsts=no&profile=modern
	# Remember to replace <HOSTNAME> if you use this directly.
	# Or generate your own config.

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name <HOSTNAME>;

	# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	ssl_certificate /etc/letsencrypt/live/<HOSTNAME>/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/<HOSTNAME>/privkey.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;


	# modern configuration. tweak to your needs.
	ssl_protocols TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
	ssl_prefer_server_ciphers on;


	# OCSP Stapling ---
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;

	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

	#resolver <IP DNS resolver>;

	#location /{
	# ...
	#}
	}
	#/etc/nginx/conf.d/http.conf

	server {
	listen 80 default_server;
	listen [::]:80 default_server;

	include letsencrypt.conf;
	# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
	location /{
	return 301 https://$host$request_uri;
	}
	}
	#/etc/nginx/letsencrypt.conf

	# Use this command to generate a certification:
	# certbot certonly --webroot --agree-tos -m [email protected] -w /var/lib/letsencrypt/ -d hostname.example.com

	# Accept let's encrypt challenges
	# Create folder /var/lib/letsencrypt before use
	location /.well-known {
	allow all;
	root /var/lib/letsencrypt/;
	default_type "text/plain";
	try_files $uri =404;
	}