
Nginx full SSL configuration

Matt Rude edited this page Mar 8, 2015 · 3 revisions

This is the full nginx configuration for an HTTP/HKP (ports 80 and 11371) plus HTTPS/HKPS (port 443) SKS keyserver front end. The file may be placed directly in /etc/nginx/nginx.conf. You must replace ###-IPv4-address-### with the server's IPv4 address and, if the server also has an IPv6 address, replace ###-IPv6-address-### with that address (otherwise remove the IPv6 listen line).

#/etc/nginx/nginx.conf
pid /run/nginx.pid;

# Worker processes drop to www-data; the master stays privileged so it can
# bind the listening ports and open the TLS key referenced later in this file.
user www-data;
# Fixed worker count for the host this was written on; nginx >= 1.3.8 also
# accepts 'auto' to size it from the CPU count at start-up.
worker_processes 4;

events {
    # Maximum simultaneous connections handled by each worker process.
    worker_connections 768;
}

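http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 8m;
    # Do not advertise the exact nginx version in Server headers and error pages.
    server_tokens off;

    log_format  main  '$remote_addr - $remote_user [$time_local] $http_host "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '$upstream_cache_status';

    access_log  /var/log/nginx/access.log  main;
    error_log   /var/log/nginx/error.log;
    rewrite_log          on;

    # TLS configuration, inherited by the hkps server block below.
    ssl_session_timeout  5m;
    ssl_session_cache shared:SSL:10m;
    ssl_prefer_server_ciphers   on;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). Re-add them only if you must
    # serve clients that cannot speak TLS 1.2; add TLSv1.3 when running
    # nginx >= 1.13.0 linked against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2;
    # Explicit allow-list of forward-secret ECDHE suites, AEAD (GCM) first.
    # Nothing outside this list can be negotiated, so the former
    # !RC4-SHA:!MD5:!aNULL:!EDH exclusions are redundant and the SHA-1 CBC
    # suite (ECDHE-RSA-AES256-SHA) has been dropped.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    # spdy_headers_comp was removed: no listen directive here enables spdy, and
    # nginx >= 1.9.5 rejects the directive as unknown.

    # NOTE: Strict-Transport-Security is set inside the https server block, not
    # here. add_header is not additive across levels: a server{} or location{}
    # that declares its own add_header replaces everything inherited from
    # http{}, so a header defined at this level would never reach the client
    # through the server blocks below (both of which use add_header).
    charset utf-8;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 64;

    gzip            on;
    gzip_static     on;
    gzip_min_length 1000;
    gzip_proxied    expired no-cache no-store private auth;
    gzip_types      text/plain text/css application/xml application/x-javascript;

    #----------------------------------------------------------------------
    # OpenPGP Public SKS Key Server: plain HTTP (80) and HKP (11371)
    #----------------------------------------------------------------------

    server {
        listen 80;
        listen [::]:80;
        listen ###-IPv4-address-###:11371;
        listen [###-IPv6-address-###]:11371;
        server_name keyserver.example.com;
        server_name *.sks-keyservers.net;
        server_name *.pool.sks-keyservers.net;
        server_name *.gnupg.net;
        server_name pgp.mit.edu;
        server_name pgp.ipfire.org;

        root /var/www/html;

        # Short URL aliases onto the standard HKP lookup interface.
        rewrite ^/stats /pks/lookup?op=stats;
        rewrite ^/s/(.*) /pks/lookup?search=$1;
        rewrite ^/search/(.*) /pks/lookup?search=$1;
        rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;
        rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;
        rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;
        rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;

        # Long-lived caching is meant for the static files under root only;
        # the /pks location below switches it off for keyserver responses.
        expires 1y;
        add_header Pragma public;
        add_header Cache-Control "public";

        # Never serve repository metadata or the readme from the web root.
        # The dots are escaped: an unescaped '.git' also matched paths such
        # as /legit or /digital. 'return' runs before the access phase, so a
        # 'deny all' alongside it was never reached.
        location ~* (\.git|readme\.md) {
            return 404;
        }

        location /pks {
            # Key material changes (new signatures, revocations, expiries);
            # do not let intermediate caches hold lookup results for a year.
            expires off;
            proxy_pass         http://127.0.0.1:11371;
            proxy_pass_header  Server;
            add_header         Via "1.1 keyserver.example.com:11371 (nginx)";
        }
    }

    #----------------------------------------------------------------------
    # OpenPGP Public SKS Key Server: HKPS (443)
    #----------------------------------------------------------------------

    server {
        # 'ssl' on listen replaces the deprecated (nginx >= 1.15 removed)
        # 'ssl on;' directive and works on every nginx since 0.7.14.
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name hkps.pool.sks-keyservers.net;

        root /var/www/html;

        # The certificate must be issued for hkps.pool.sks-keyservers.net.
        # The private key is opened by the root master process, so it can
        # and should be unreadable to the www-data worker user.
        ssl_certificate         /var/lib/sks/CA/hkps.pool.sks-keyservers.net.crt;
        ssl_certificate_key     /var/lib/sks/CA/hkps.pool.sks-keyservers.net.key;

        # HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
        # to defeat SSL stripping (https://en.wikipedia.org/wiki/SSL_stripping).
        # Only meaningful on the https server; browsers ignore it over plain http.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

        rewrite ^/stats /pks/lookup?op=stats;
        rewrite ^/s/(.*) /pks/lookup?search=$1;
        rewrite ^/search/(.*) /pks/lookup?search=$1;
        rewrite ^/g/(.*) /pks/lookup?op=get&search=$1;
        rewrite ^/get/(.*) /pks/lookup?op=get&search=$1;
        rewrite ^/d/(.*) /pks/lookup?op=get&options=mr&search=$1;
        rewrite ^/download/(.*) /pks/lookup?op=get&options=mr&search=$1;

        # Caching for static files only; /pks below disables it.
        expires 1y;
        add_header Pragma public;
        add_header Cache-Control "public";

        location ~* (\.git|readme\.md) {
            return 404;
        }

        location /pks {
            expires off;
            proxy_pass         http://127.0.0.1:11371;
            proxy_pass_header  Server;
            add_header         Via "1.1 keyserver.example.com:11371 (nginx)";
            # Declaring add_header in this location discards the server-level
            # headers, so HSTS has to be repeated for keyserver responses.
            add_header         Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        }
    }
}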