Diffstat (limited to 'letsencrypt')
-rw-r--r--letsencrypt31
1 files changed, 31 insertions, 0 deletions
diff --git a/letsencrypt b/letsencrypt
new file mode 100644
index 0000000..9e2c06b
--- /dev/null
+++ b/letsencrypt
@@ -0,0 +1,31 @@
+# Include this file in an nginx server block to enable ssl
+
+# Location for automatic renewal
+location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/letsencrypt;
+}
+
+# Hide /acme-challenge subdirectory and return 404 on all requests.
+# It is somewhat more secure than letting Nginx return 403.
+# Ending slash is important!
+location = /.well-known/acme-challenge/ {
+ return 404;
+}
+
+listen 443 ssl;
+listen [::]:443 ssl;
+
+ssl_certificate /etc/letsencrypt/live/nginx/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/nginx/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/letsencrypt/live/nginx/fullchain.pem;
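Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` still enables TLS 1.1, which is deprecated (RFC 8996) and needed by none of the ECDHE suites listed in `ssl_ciphers`; change it to `ssl_protocols TLSv1.2 TLSv1.3;` (drop TLSv1.3 if the target nginx is built against an OpenSSL older than 1.1.1) and consider trimming the trailing non-AEAD `ECDHE-*-AES*-SHA256`/`-SHA384` CBC suites from the cipher list. The stapling block turns on `ssl_stapling_verify` but defines no `resolver`; unless one is set in the enclosing `http` block, nginx cannot resolve the OCSP responder hostname and stapling is silently disabled with only a log warning, so add `resolver <trusted DNS> valid=300s;` next to the stapling directives. `ssl_trusted_certificate` points at `fullchain.pem`, but only the issuer chain is needed to verify OCSP responses, and the leaf certificate included there would also be treated as a trusted CA if client-certificate verification is ever enabled on this server — `/etc/letsencrypt/live/nginx/chain.pem` is the usual choice. Once renewal is confirmed working, an HSTS header (`add_header Strict-Transport-Security "max-age=63072000" always;`) belongs in this include as well.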