ziazon · March 10, 2017 21:13
diff --git a/nginx.conf b/nginx.conf
 server {
    listen       80;
    server_name  domain.com www.domain.com;
    return       301 https://www.domain.com$request_uri;
 }

 server {
    listen       443 ssl http2;
    server_name  www.domain.com domain.com;

    if ($host != www.domain.com) {
        return 301 https://www.domain.com$request_uri;
    }

    # if you use letsencrypt, you'll want to update the cert and key paths accordingly.
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_trusted_certificate /etc/nginx/ssl/server.crt;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ciphers "ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 8.8.8.8 8.8.4.4;

    #add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com cdnjs.cloudflare.com; connect-src 'self'; img-src 'self' www.google-analytics.com ajax.googleapis.com; style-src 'self' 'unsafe-inline'; font-src 'self';";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Access-Control-Allow-Origin "*";
    add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Access-Control-Allow-Headers, Origin, Accept, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, X-CSRF-TOKEN, X-Requested-With, corssDomain, Authorization, Lang";
    add_header Access-Control-Allow-Methods "GET, POST, HEAD, OPTIONS, PUT";

    if ( $request_method = OPTIONS ) {
        return 200;
    }

    root /usr/share/nginx/html/;

    access_log /usr/share/nginx/logs/www-access.log;
    error_log /usr/share/nginx/logs/www-error.log;

    index index.html;

    location /50x.html {
        allow all;
    }

    location / {
        # static html? reverse proxy?  update this for how your website is server.

    }


    # for letsencrypt.
    location ~ /.well-known {
            allow all;
    }

    location /nginx_status {
        allow 127.0.0.1;
        stub_status;
        deny all;
    }
 }
diff --git a/preconfig.sh b/preconfig.sh
 mkdir /etc/nginx/ssl;
 openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048;
 mkdir /usr/share/nginx/logs;
	server {
	listen 80;
	server_name domain.com www.domain.com;
	return 301 https://www.domain.com$request_uri;
	}

	server {
	listen 443 ssl http2;
	server_name www.domain.com domain.com;

	if ($host != www.domain.com) {
	return 301 https://www.domain.com$request_uri;
	}

	# if you use letsencrypt, you'll want to update the cert and key paths accordingly.
	ssl on;
	ssl_certificate /etc/nginx/ssl/server.crt;
	ssl_certificate_key /etc/nginx/ssl/server.key;
	ssl_trusted_certificate /etc/nginx/ssl/server.crt;
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	ssl_ciphers "ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA";
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 5m;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;

	resolver 8.8.8.8 8.8.4.4;

	#add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com cdnjs.cloudflare.com; connect-src 'self'; img-src 'self' www.google-analytics.com ajax.googleapis.com; style-src 'self' 'unsafe-inline'; font-src 'self';";
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
	add_header X-Frame-Options DENY;
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Content-Type-Options nosniff;
	add_header Access-Control-Allow-Origin "*";
	add_header Access-Control-Allow-Headers "Access-Control-Allow-Origin, Access-Control-Allow-Headers, Origin, Accept, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, X-CSRF-TOKEN, X-Requested-With, corssDomain, Authorization, Lang";
	add_header Access-Control-Allow-Methods "GET, POST, HEAD, OPTIONS, PUT";

	if ( $request_method = OPTIONS ) {
	return 200;
	}

	root /usr/share/nginx/html/;

	access_log /usr/share/nginx/logs/www-access.log;
	error_log /usr/share/nginx/logs/www-error.log;

	index index.html;

	location /50x.html {
	allow all;
	}

	location / {
	# static html? reverse proxy? update this for how your website is server.

	}


	# for letsencrypt.
	location ~ /.well-known {
	allow all;
	}

	location /nginx_status {
	allow 127.0.0.1;
	stub_status;
	deny all;
	}
	}
	mkdir /etc/nginx/ssl;
	openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048;
	mkdir /usr/share/nginx/logs;