From 240ccb1cdd0cf6ebd2d8ef2811bd47019238c614 Mon Sep 17 00:00:00 2001
From: Martin Mahner
Date: Tue, 8 Dec 2015 15:12:55 +0000
Subject: [PATCH] Updated SSL conf using letsencrypt

---
 server/nginx.conf | 37 +++++++++++++++++++++++++++----------
 1 file changed, 27 insertions(+), 10 deletions(-)

diff --git a/server/nginx.conf b/server/nginx.conf
index 69bb357..5b5ff52 100644
--- a/server/nginx.conf
+++ b/server/nginx.conf
@@ -14,7 +14,6 @@ log_format combined_port '$remote_addr - $remote_user [$time_local] '
 # -----------------------------------------------------------------------------
 server {
 listen 80;
- listen [::]:80;
 server_name dpaste.de www.dpaste.de
@@ -24,6 +23,11 @@ server {
 location / {
 rewrite ^ https://$server_name$request_uri? permanent;
 }
+
+ location /.well-known/acme-challenge/ {
+ alias /var/www/challenges/;
+ try_files $uri =404;
+ }
 }
 # -----------------------------------------------------------------------------
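Review bot: `try_files $uri =404;` inside the new `alias /var/www/challenges/;` location is a long-standing nginx pitfall: in an alias location `try_files` evaluates `$uri` against the alias directory using the full request URI, so a challenge can be looked up as `/var/www/challenges/.well-known/acme-challenge/<token>` and answered 404 even though the file is present. Verify with a test file before the first renewal depends on it; the usual shape is `root /var/www/challenges;` with the ACME client writing under `.well-known/acme-challenge/` beneath it, or drop `try_files` and let the static handler 404 on a missing file. With `listen [::]:80;` removed in the first hunk the challenge path is reachable over IPv4 only, which may fail HTTP-01 validation if an AAAA record is published for the names, so confirm DNS matches the listeners. The enclosing port-80 server block begins before the hunk.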
@@ -32,12 +36,21 @@ server {
 server {
 listen 443 ssl spdy;
- listen [::]:443 ssl spdy;
 server_name dpaste.org www.dpaste.org;
- ssl_certificate /srv/dpaste.de/var/ssl/dpaste_org_unified.crt;
- ssl_certificate_key /srv/dpaste.de/var/ssl/dpaste_org.key;
+ ssl on;
+ ssl_certificate /srv/dpaste.de/etc/ssl/dpaste_org_chained.pem;
+ ssl_certificate_key /srv/dpaste.de/etc/ssl/dpaste_org.key;
+ ssl_dhparam /etc/ssl/dhparam.pem;
+
+ # SSL modern config for modern browsers Pete told me
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ add_header Strict-Transport-Security max-age=25200;
 # Redirect to dpaste.de
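Review bot: `ssl_stapling_verify on;` has neither `ssl_trusted_certificate` nor `resolver` beside it; nginx needs a resolver to reach the OCSP responder and the issuer chain to verify the response, and without them it logs a stapling failure and serves no staple at all. If these are not already set in the enclosing http block, add `resolver <DNS_RESOLVER_IP> valid=300s;` and `ssl_trusted_certificate /srv/dpaste.de/etc/ssl/<ISSUER_CHAIN>.pem;` next to the stapling lines (placeholders to be filled in). `ssl_protocols TLSv1.1 TLSv1.2;` together with the SHA1/CBC and DHE-DSS suites in `ssl_ciphers` is an intermediate-compatibility profile rather than the "modern" one the comment claims, so either restrict to `ssl_protocols TLSv1.2;` with the AEAD suites or reword the comment so the next reader does not assume legacy clients are already cut off. `add_header Strict-Transport-Security max-age=25200;` is only seven hours, which barely outlasts a browser restart; once renewals are known to work raise it (for example `max-age=15768000`, six months) and consider `includeSubDomains`. All three points apply verbatim to the dpaste.de block in the following hunk.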
@@ -48,16 +61,20 @@ server {
 server {
 listen 443 ssl spdy;
- listen [::]:443 ssl spdy;
 server_name dpaste.de www.dpaste.de;
- ssl_certificate /srv/dpaste.de/var/ssl_2015/ssl-unified.crt;
- ssl_certificate_key /srv/dpaste.de/var/ssl_2015/ssl.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers AES256+EECDH:AES256+EDH;
- ssl_session_cache builtin:1000 shared:SSL:5m;
+ ssl on;
+ ssl_certificate /srv/dpaste.de/etc/ssl/dpaste_de_chained.pem;
+ ssl_certificate_key /srv/dpaste.de/etc/ssl/dpaste_de.key;
+ ssl_dhparam /etc/ssl/dhparam.pem;
+
+ # SSL modern config for modern browsers Pete told me
 ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ ssl_stapling on;
+ ssl_stapling_verify on;
 add_header Strict-Transport-Security max-age=25200;
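Review bot: Session resumption for dpaste.de is lost here — `ssl_session_cache builtin:1000 shared:SSL:5m;` is deleted with nothing replacing it, so every new connection pays a full handshake, and the `shared:` part was the one worth keeping (`builtin:` is the per-worker cache that is usually discouraged). Restore it as `ssl_session_cache shared:SSL:5m;` with an explicit `ssl_session_timeout`, and add the same pair to the dpaste.org block in the previous hunk, which never had one. `ssl on;` is redundant with the `ssl` parameter already on the retained `listen 443 ssl spdy;` line and can be dropped in both blocks. The server block continues past the end of the hunk.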