author | Jakob Odersky <jakob@odersky.com> | 2017-12-26 12:53:02 +0100 |
committer | Jakob Odersky <jakob@odersky.com> | 2017-12-26 12:53:02 +0100 |
commit | 86ce9c1e65b47452f821375cfe4f1a4c8df83ddf (patch) | |
tree | 165b128ffa7e1614f29c0944f79514ca7ea0c0d1 /letsencrypt | |
Initial commit
Diffstat (limited to 'letsencrypt')
-rw-r--r-- | letsencrypt | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/letsencrypt b/letsencrypt
new file mode 100644
index 0000000..9e2c06b
--- /dev/null
+++ b/letsencrypt
@@ -0,0 +1,31 @@
+# Include this file in an nginx server block to enable ssl
+
+# Location for automatic renewal
+location ^~ /.well-known/acme-challenge/ {
+default_type "text/plain";
+root /var/www/letsencrypt;
+}
+
+# Hide /acme-challenge subdirectory and return 404 on all requests.
+# It is somewhat more secure than letting Nginx return 403.
+# Ending slash is important!
+location = /.well-known/acme-challenge/ {
+return 404;
+}
+
+listen 443 ssl;
+listen [::]:443 ssl;
+
+ssl_certificate /etc/letsencrypt/live/nginx/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/nginx/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/letsencrypt/live/nginx/fullchain.pem; |
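Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` still enables TLS 1.1, which is deprecated (RFC 8996) and rejected by current compliance baselines, and nothing else in this file needs it; `ssl_protocols TLSv1.2 TLSv1.3;` is the safer setting (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1, so leave it out if the target build is older). The `ssl_ciphers` list appends four CBC suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`) after the AEAD ones; unless a specific legacy client is required, trimming the list to the GCM and CHACHA20-POLY1305 entries removes the CBC/padding-oracle class without affecting modern clients. `ssl_trusted_certificate` points at `fullchain.pem`, which for Let's Encrypt carries leaf plus intermediate but not the root, so `ssl_stapling_verify on` may be unable to validate the OCSP response and nginx will then silently serve no staple — check with `openssl s_client -connect host:443 -status` that a staple is actually returned, and if not, point the directive at `chain.pem` (plus the root CA) instead. The include sets no HSTS header; `add_header Strict-Transport-Security "max-age=63072000" always;` in the same server block is the usual companion to an HTTPS-only configuration like this one.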