Skip to content

Instantly share code, notes, and snippets.

@MKRhere

MKRhere/README.md

Last active November 22, 2022 20:42
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save MKRhere/e9a427aa3febd9215098db17f240467f to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save MKRhere/e9a427aa3febd9215098db17f240467f to your computer and use it in GitHub Desktop.
Download ZIP
nginx (static or reverse proxy) & acme.sh (DNS) configuration
Raw
README.md

1) Create the following directory structure

/etc
├── nginx
│   ├── sites-enabled
│   │   └── domain.tld.port.conf # template attached
│   └── ssl
│       ├── .conf # file attached as `ssl.conf`
│       ├── dhparam.pem # generated
│       ├── fullchain.crt # generated
│       └── crt.key # generated

2) Get your DigitalOcean (or other acme.sh supported DNS provider) API key

List of supported DNS providers

// add to .bashrc
export DO_API_KEY="e63f24889...the.rest.of.your.key"

3) Generate dhparam (this will take some time)

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

4) Fetch and install your certs

In the following, use *.DOMAIN.TLD to issue and install wildcard cert. Repeat -d for multiple domains.

# You might want to use your DNS provider's acme.sh plugin in place of dns_dgon, which is for DigitalOcean
acme.sh --issue --dns dns_dgon -d <DOMAIN.TLD>

sudo acme.sh --install-cert -d <DOMAIN.TLD> --key-file /etc/nginx/ssl/cert.key --fullchain-file /etc/nginx/ssl/fullchain.crt

5) Verify config and reload nginx config

sudo nginx -t
# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# nginx: configuration file /etc/nginx/nginx.conf test is successful

sudo nginx -s reload
Raw
domain.tld.port.conf
# /etc/nginx/sites-enabled/<domain.tld.port>.conf
# ------ if this is a proxy server ------ #
server {
listen 80;
listen [::]:80;
server_name <DOMAIN.TLD>;
location / {
proxy_pass http://localhost:<PORT>;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
include /etc/nginx/ssl/.conf;
}
# ------ if this is a static server ------ #
server {
listen 80;
listen [::]:80;
root <PATH/TO/WEBROOT>;
index index.html index.htm;
server_name <DOMAIN.TLD>;
location / {
try_files $uri $uri/ =404;
}
include /etc/nginx/ssl/.conf;
}
# ------ #
Raw
ssl.conf
listen [::]:443 ssl http2;
listen 443 ssl http2;
http2_push_preload on;
ssl_certificate /etc/nginx/ssl/fullchain.crt;
ssl_certificate_key /etc/nginx/ssl/cert.key;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# Security headers
## Recommended 2 years HSTS policy
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'self';";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "origin";
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment