Letsencrypt friendly nginx configuration
by Emile `iMil' Heitor - 2016-03-12
So I use this great cheat sheet in order to use the letsencrypt free certificate authority on my own servers, but while this small doc is very straightforward it doesn't explain much about nginx's configuration. So I'll drop my own right here so your journey through TLS is even simpler:
$ cat /usr/pkg/etc/nginx/nginx.conf
# this nginx installation comes from pkgsrc for both Linux and NetBSD
# you might have to adapt paths to suit your needs... or switch to pkgsrc ;)
user nginx nginx;
worker_processes 2;

events {
    worker_connections 1024;
}

http {
    include /usr/pkg/etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # a little bit of browser leverage doesn't hurt :)
    gzip on;
    gzip_vary on;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
    gzip_proxied any;

    server {
        # serve both IPv4 and IPv6 FWIW
        listen [::]:80;
        listen 80;
        server_name localhost example.com *.example.com;

        # this is where letsencrypt will drop the challenge
        location /.well-known/acme-challenge {
            default_type "text/plain";
            root /var/www/letsencrypt;
        }

        # redirect everything else to HTTPS
        location / { return 302 https://$host$request_uri; }
    }

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        # you'll have to declare those domains accordingly in letsencrypt conf
        server_name localhost example.com *.example.com;

        # here lie the letsencrypt PEM files
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        # harden used protocols a little
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;

        # and then include actual locations
        include sites/*;
    }
}
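As an added example (not part of the original post): a small Python lint for the configuration above. It parses the nginx syntax into a tree and checks the two properties the config relies on: the ACME challenge path must be served on port 80 and not swallowed by the catch-all redirect, and the HTTPS server should not offer TLS 1.0/1.1, which RFC 8996 has deprecated since this post was written. The embedded config is a trimmed copy of the one above; the parser assumes no braces or semicolons inside quoted strings.

```python
import re
CONF = """# trimmed copy of the post's nginx.conf, keeping only what the lint inspects
http {
  server {
    listen [::]:80; listen 80;
    location /.well-known/acme-challenge { default_type "text/plain"; root /var/www/letsencrypt; }
    location / { return 302 https://$host$request_uri; }
  }
  server {
    listen [::]:443 ssl; listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  }
}
"""
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 6176, RFC 7568, RFC 8996

def parse(text):
    """nginx syntax -> list of (name, args, children); children is None for a simple
    directive. Comments are dropped; quoted args stay one token (no ';' or braces inside)."""
    tokens = re.findall(r"""'[^']*'|"[^"]*"|[{};]|[^\s{};]+""", re.sub(r"#.*", "", text))
    stack, cur = [[]], []
    for tok in tokens:
        if tok == "{":                       # open a block and descend into it
            block = (cur[0], cur[1:], [])
            stack[-1].append(block); stack.append(block[2]); cur = []
        elif tok == "}":                     # leave the current block
            stack.pop()
        elif tok == ";":                     # end of a simple directive
            stack[-1].append((cur[0], cur[1:], None)); cur = []
        else:
            cur.append(tok.strip("'\""))
    return stack[0]
def find(children, name):
    return [d for d in children if d[0] == name]
def listens_on(server, port):                # accepts "80", "[::]:80", "443 ssl"
    return any(d[1][0].rsplit(":", 1)[-1] == str(port) for d in find(server[2], "listen"))
def lint(text):                              # returns findings; [] means the config passes
    findings = []
    for srv in (s for h in find(parse(text), "http") for s in find(h[2], "server")):
        locs = find(srv[2], "location")
        if listens_on(srv, 80):
            acme = [loc for loc in locs if loc[1][-1].startswith("/.well-known/acme-challenge")]
            catch_all = [loc for loc in locs if loc[1] == ["/"] and find(loc[2], "return")]
            if catch_all and not acme:       # HTTP-01 validation would hit the redirect
                findings.append("port 80 redirects everything, including the ACME challenge path")
        if listens_on(srv, 443):
            if bad := sorted({p for d in find(srv[2], "ssl_protocols") for p in d[1]} & DEPRECATED):
                findings.append("port 443 offers deprecated protocols: " + ", ".join(bad))
    return findings
```

Run `lint(open("/usr/pkg/etc/nginx/nginx.conf").read())` against your own file; an empty list means both checks pass.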
A very basic proxy_pass location would be:
$ cat /usr/pkg/etc/nginx/sites/example.com
location / {
    proxy_pass http://mydomU:8080/;
    # forward the real client address for statistics purposes
    proxy_set_header X-Forwarded-For $remote_addr;
}
For an even more hardened configuration, you might want to check out 2*yo's own configuration.