# Nginx


# Sample Config

Config showing a range of things in use.

# Redirect regular http traffic to https

# Plain-HTTP listener for blasteh.com: every request gets a permanent
# redirect to the same path over HTTPS.  The Location header is built from
# $server_name rather than $host, so a client-supplied Host header cannot
# steer the redirect to another site.
server {
    listen 80;
    listen [::]:80;
    server_name blasteh.com;
    return 301 https://$server_name$request_uri;
}

# Proxy pass and rewrite

Selectively proxy_pass and rewrite, using a custom variable `$rw`.

# HTTPS front for blasteh.com.  Only /.well-known/ (static discovery files)
# and /_matrix (proxied to a homeserver, presumably Synapse, on loopback)
# are served here; every other path is redirected to blasteh.uk.  The shared
# TLS parameters come from tls.conf; only the certificate pair is per-server.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name blasteh.com;

    ssl_certificate /etc/letsencrypt/live/blasteh.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blasteh.com/privkey.pem;
    include /etc/nginx/tls.conf;

    # Runs in the server-level rewrite phase, so $rw is 1 for every request
    # before a location is selected.
    set $rw 1;

    # Static discovery documents.  The wildcard CORS headers are what browser
    # clients need to read /.well-known/matrix/client cross-origin; they are
    # only added for GET, so an OPTIONS preflight gets none of them.
    # Because anything under /var/www/matrix_root/.well-known/ becomes
    # readable from any origin, keep that directory limited to the discovery
    # files -- confirm nothing else is stored there.
    location /.well-known/ {
        if ($request_method = 'GET') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        }
        root /var/www/matrix_root/;
        set $rw 0;
    }

    # Client/federation API, proxied to the homeserver on loopback.
    # X-Forwarded-For uses $proxy_add_x_forwarded_for, i.e. any header the
    # client sent is kept and $remote_addr is appended -- the backend must
    # treat only the last entry as trustworthy.
    # NOTE(review): nginx's default client_max_body_size (1m) applies here,
    # so media uploads above that size are rejected with 413; raise it to
    # match the homeserver's upload limit if uploads fail.
    location /_matrix {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8008;
        set $rw 0;
    }

    # Everything else: permanent redirect to the same path on blasteh.uk
    # (rewrite appends the original query string automatically).
    # NOTE(review): `set` and `rewrite` execute in the rewrite phase of the
    # location that matched, so the `set $rw 0` lines in the locations above
    # never affect this one -- $rw is always 1 here and the `if` always
    # matches.  `return 301 https://blasteh.uk$request_uri;` would have the
    # same effect without the variable.
    location / {
        if ($rw = 1){
            rewrite ^/(.*)$ https://blasteh.uk/$1 permanent;
        }

    }
}

# Regular SSL config

The main part of the SSL config lives in tls.conf.

# Static site for chat.blasteh.uk (a web chat client, judging by the
# document root).  Nothing is proxied: files are served directly from
# /var/www/riotchat/.  Shared TLS parameters come from tls.conf.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name chat.blasteh.uk;

    ssl_certificate /etc/letsencrypt/live/chat.blasteh.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chat.blasteh.uk/privkey.pem;
    include /etc/nginx/tls.conf;

    location / {
        root /var/www/riotchat/;
    }
}

# Different port

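# Listener on 8448 for blasteh.com, proxied to the same loopback backend as
# /_matrix on :443.  default_server makes this block the catch-all for any
# SNI name that arrives on this port.  Shared TLS parameters come from
# tls.conf.
server {
    listen 8448 default_server ssl http2;
    listen [::]:8448 default_server ssl http2;
    server_name blasteh.com;

    ssl_certificate /etc/letsencrypt/live/blasteh.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blasteh.com/privkey.pem;
    include /etc/nginx/tls.conf;

    location / {
        # Same forwarding headers as the /_matrix location on :443, so the
        # backend sees the original Host and scheme on both ports instead of
        # "localhost:8008" / plain http.  X-Forwarded-For deliberately carries
        # only $remote_addr: no client-supplied chain is forwarded.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8008;
    }
}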

# TLS Config

ffdhe4096.pem can be obtained from the Mozilla Server Side TLS page (https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096).
/etc/nginx/tls.conf

# /etc/nginx/tls.conf -- shared TLS parameters, included by every ssl server
# block.  Only the certificate pair stays in the individual server blocks.
ssl_protocols TLSv1.3 TLSv1.2;# Requires nginx >= 1.13.0 else use TLSv1.2
ssl_prefer_server_ciphers on; # Server-side preference order from ssl_ciphers below (TLS 1.2 only).
ssl_dhparam /etc/ssl/ffdhe4096.pem; # https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
# TLS 1.2 suite list.  This does not govern TLS 1.3 suites, which OpenSSL
# selects on its own.  Forward-secret AES-GCM comes first; the ECDH+AES256 and
# DH+AES256 entries near the end also admit CBC (non-AEAD) suites as a fallback
# and are the weakest thing enabled here.
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0.  Single curve: a client without secp384r1 cannot negotiate ECDHE at all; newer nginx/OpenSSL accept a colon-separated list here.
ssl_session_cache shared:TLS:10m; # 10 MB cache shared across workers for session-ID resumption.
ssl_buffer_size 4k; # Smaller TLS records than the default, intended to lower time-to-first-byte.
ssl_session_tickets off; # Requires nginx >= 1.5.9.  No ticket key to leak; resumption only via the cache above.
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
# NOTE(review): verifying stapled responses needs ssl_trusted_certificate
# pointing at the issuer chain; none is set in this file or the server blocks,
# so confirm nginx is not logging OCSP verification warnings at startup.
# OCSP responder lookups resolve through these public resolvers over plain DNS.
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
resolver_timeout 5s;

# ffdhe4096.pem

Keeping a copy of ffdhe4096.pem here for ease of retrieval. It can be saved as /etc/ssl/ffdhe4096.pem.

-----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----

# Certbot nginx reload

/etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx

#! /bin/sh
# Certbot deploy hook: validate the nginx config and, only if that passes,
# reload nginx so the renewed certificate is picked up.
# With set -e a failing configtest aborts the script before the reload, so a
# broken config is never pushed into the running server.
set -e

# NOTE(review): the /etc/init.d paths are init-system specific; on systemd
# hosts `nginx -t` and `systemctl reload nginx` are the equivalents.
/etc/init.d/nginx configtest
/etc/init.d/nginx reload