* new dependency: libnginx-mod-http-headers-more-filter * security headers in _general.conf (inherited to all vhosts) * scheme-dependent Strict-Transport-Security header in nginx.conf
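# A restrictive default virtualhost configuration.
# Declared default_server on both ports, so it answers every request whose
# Host header matches no other server block, and it answers everything with 404.
# Provides HTTPs with a self-signed certificate.

# The STS header should only be sent over https.
# The map has no default branch, so $hsts_header is empty for plain http and the
# (currently commented-out) more_set_headers call clears the header on port 80
# instead of sending it.
map $scheme $hsts_header { https "max-age=31536000; includeSubDomains"; }

server {
    # NOTE(review): only IPv4 sockets are bound here. If other vhosts listen on
    # [::], the IPv6 default_server becomes whichever of them is defined first
    # and this restrictive catch-all does not apply to IPv6 — verify on the host.
    listen 80 default_server;
    listen 443 ssl default_server;

    server_name _;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    location / {
        types { } default_type text/html;
        # NOTE(review): $hostname discloses the machine's hostname to any client
        # that reaches the catch-all vhost; substitute a static string if that
        # is not acceptable for this deployment.
        return 404 "<span style='font-size: large'>$hostname</span>";
    }

    ##################################################################################
    # The SSL part
    # https://ssl-config.mozilla.org/
    # https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033

    # Debian's self-signed "snakeoil" pair; replace per vhost with a real certificate.
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # Settings to achieve 'A' grade on https://www.ssllabs.com/ssltest/
    # A server-side session cache is required for ssl_session_timeout to have any
    # effect: nginx's default ssl_session_cache is "none", which stores nothing,
    # so the 24h timeout below was previously inert. The Mozilla profile referenced
    # above pairs cache, timeout and "tickets off" the same way.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    # Let the client pick among the suites listed below.
    ssl_prefer_server_ciphers off;
    # NOTE(review): the trailing ECDHE-RSA-AES128-SHA is a CBC/SHA-1 suite that is
    # not part of the Mozilla intermediate list — presumably kept for legacy
    # clients; drop it if none are expected.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

    # Activate it only in case of stable HTTPs service.
    # Keep HSTS disabled while the self-signed certificate above is in use:
    # browsers do not allow users to bypass certificate errors on an HSTS host,
    # so enabling it early would lock clients out for max-age.
    # more_set_headers "Strict-Transport-Security: $hsts_header";
    # OCSP stapling has nothing to staple for a self-signed certificate; enable
    # together with a CA-issued certificate.
    # ssl_stapling on;
    # ssl_stapling_verify on;
}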