
Commit 6ca4fee

committed
more modern updates to nginx config
1 parent 5cb865f commit 6ca4fee


1 file changed

+9
-6
lines changed


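--- a/docs/nginx-self-ssl.conf
+++ b/docs/nginx-self-ssl.conf
@@ -21,6 +21,8 @@ http {
 error_log /var/log/nginx/error.log;
 
 gzip on;
+# Don't gzip HTML (vulnerable to BREACH).
+gzip_types text/css application/javascript;
 
 passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;
 passenger_show_version_in_header off;
@@ -29,26 +31,27 @@ http {
 passenger_ruby /home/deploy/.rbenv/shims/ruby;
 
 server {
-listen 443;
+listen 443 ssl;
 
 # Change this to your domain name.
 server_name yoursite.example.com;
 
-# Ensure this is the path to the public folder of the nemo code.
+# Ensure this is the path to the public folder of the app code.
 root /home/deploy/nemo/public;
 
 passenger_enabled on;
 rails_env production;
 
 client_max_body_size 50m;
 
-# Certificate
-ssl on;
+# Ensure certificate paths are correct.
+# Note: .key is paired with a .csr, and that .csr is used to generate .cer/.crt/.pem
 ssl_certificate ssl/ssl.crt;
 ssl_certificate_key ssl/ssl.key;
 ssl_session_timeout 5m;
-ssl_protocols TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_session_tickets off;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM";
 ssl_prefer_server_ciphers on;
 
 # Redirect server error pages to the static page /50x.html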
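Review bot: The comment added at new line 24 of the first hunk, `# Don't gzip HTML (vulnerable to BREACH).`, does not describe what the directive under it does: nginx's `gzip_types` lists MIME types compressed in addition to `text/html`, and `text/html` responses are always compressed while `gzip on` is in effect, so the HTML served by this server block is still gzipped and the BREACH exposure the comment is meant to close remains. Excluding HTML needs `gzip off;` for the dynamic responses (globally, or in the location that serves them, keeping `gzip on;` only in a location for static assets); at minimum the comment should be corrected to something like `# gzip_types adds to text/html, which nginx always compresses while gzip is on; to keep HTML out of BREACH, disable gzip for dynamic responses.`. In the second hunk, `ssl_session_tickets off;` is added with no `ssl_session_cache` directive visible, and nginx's default for that directive is `none`, so unless one exists elsewhere in the file resumption is likely disabled entirely and every connection pays a full handshake; `ssl_session_cache shared:SSL:10m;` next to it would restore cache-based resumption without tickets. The enclosing `http {` and `server {` blocks both start and end outside these hunks.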
