Skip to content

Commit

Permalink
Updated SSL conf using letsencrypt
Browse files Browse the repository at this point in the history
  • Loading branch information
@bartTC
bartTC committed Dec 8, 2015
1 parent 0736f83 commit 240ccb1
Showing 1 changed file with 27 additions and 10 deletions.
37 changes: 27 additions & 10 deletions server/nginx.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@ log_format combined_port '$remote_addr - $remote_user [$time_local] '
# -----------------------------------------------------------------------------
server {
listen 80;
listen [::]:80;

server_name dpaste.de
www.dpaste.de
Expand All @@ -24,6 +23,11 @@ server {
location / {
rewrite ^ https://$server_name$request_uri? permanent;
}

location /.well-known/acme-challenge/ {
alias /var/www/challenges/;
try_files $uri =404;
}
}

# -----------------------------------------------------------------------------
Expand All @@ -32,12 +36,21 @@ server {

server {
listen 443 ssl spdy;
listen [::]:443 ssl spdy;

server_name dpaste.org www.dpaste.org;

ssl_certificate /srv/dpaste.de/var/ssl/dpaste_org_unified.crt;
ssl_certificate_key /srv/dpaste.de/var/ssl/dpaste_org.key;
ssl on;
ssl_certificate /srv/dpaste.de/etc/ssl/dpaste_org_chained.pem;
ssl_certificate_key /srv/dpaste.de/etc/ssl/dpaste_org.key;
ssl_dhparam /etc/ssl/dhparam.pem;

# SSL modern config for modern browsers Pete told me
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_stapling on;
ssl_stapling_verify on;

add_header Strict-Transport-Security max-age=25200;

# Redirect to dpaste.de
Expand All @@ -48,16 +61,20 @@ server {

server {
listen 443 ssl spdy;
listen [::]:443 ssl spdy;

server_name dpaste.de www.dpaste.de;

ssl_certificate /srv/dpaste.de/var/ssl_2015/ssl-unified.crt;
ssl_certificate_key /srv/dpaste.de/var/ssl_2015/ssl.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES256+EECDH:AES256+EDH;
ssl_session_cache builtin:1000 shared:SSL:5m;
ssl on;
ssl_certificate /srv/dpaste.de/etc/ssl/dpaste_de_chained.pem;
ssl_certificate_key /srv/dpaste.de/etc/ssl/dpaste_de.key;
ssl_dhparam /etc/ssl/dhparam.pem;

# SSL modern config for modern browsers Pete told me
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_stapling on;
ssl_stapling_verify on;

add_header Strict-Transport-Security max-age=25200;

Expand Down

0 comments on commit 240ccb1

Please sign in to comment.