├── 50x.html ├── README.md ├── conf.d ├── error-page.conf ├── html5-sse.conf ├── https.conf └── proxy.conf └── nginx.conf /50x.html: -------------------------------------------------------------------------------- 1 | 2 |
3 | 4 |We'll be back shortly.
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
## An nginx config for 2017

nginx has [excellent official documentation](https://www.nginx.com/resources/wiki/start/), but putting all the logic together can take a while. Here's an `nginx.conf` with:

- HTTP/2
- IPv6
- Load balancing between multiple app servers
- A sorry page (shown if all the app servers go down)
- Static content served on a separate server
- HTML5 SSE support
- Correct proxy headers for working GeoIP
- The various www vs non-www, HTTP vs HTTPS combinations redirected to a single HTTPS site

See the [full documentation at CertSimple](https://certsimple.com/blog/nginx-http2-load-balancing-config), including diagrams and explanations for why particular values were chosen.

Note that the TLS settings in `conf.d/https.conf` are the 2017 Mozilla 'intermediate' profile (TLS 1.0 and 1.1 are still enabled there); regenerate them from the current Mozilla generator before deploying.

## Pull requests welcome

If you have useful changes or additions you're welcome to send pull requests. Try to use include files in `conf.d` where possible!
-------------------------------------------------------------------------------- /conf.d/error-page.conf: --------------------------------------------------------------------------------
# Gateway error page - should only ever be seen if no upstream app servers are up.
# 500 and 40x errors are handled by the app servers themselves and pass through unchanged:
# only the three gateway-side statuses are mapped, so an app server's own error body is never replaced.
# http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page
# Without "=" the original 502/503/504 status is kept on the response, so monitoring still sees the outage.
error_page 502 503 504 /50x.html; # Bad gateway, service unavailable, gateway timeout
location = /50x.html {
    # Exact match: the root below only ever serves this one file, nothing else under /etc/nginx.
    root /etc/nginx;
    # Reachable only through the internal redirect from error_page; a direct client request
    # for /50x.html gets a 404 instead of the sorry page.
    internal;
}
-------------------------------------------------------------------------------- /conf.d/html5-sse.conf: --------------------------------------------------------------------------------
# Proxy settings for an HTML5 Server-Sent Events (EventSource) endpoint.
# From http://stackoverflow.com/questions/13672743/eventsource-server-sent-events-through-nginx
# Include this only in the location that serves the event stream: with buffering off, each
# client holds an upstream connection for the life of its stream.
# NOTE(review): proxy_set_header directives are not merged with those of an outer level - if this
# file is included in a location while X-Forwarded-For / X-Real-IP (the GeoIP headers) are set at
# server level, those headers are no longer sent for this location. Confirm against nginx.conf,
# which is not shown here.
proxy_set_header Connection '';      # clear the Connection header so the upstream connection is kept open for the stream
proxy_http_version 1.1;              # HTTP/1.1 to the upstream, required for a long-lived keepalive stream
chunked_transfer_encoding off;       # send the event bytes as-is, no chunk framing towards the client
proxy_buffering off;                 # pass each event to the client as soon as it arrives instead of buffering
-------------------------------------------------------------------------------- /conf.d/https.conf: --------------------------------------------------------------------------------
# Based on the Mozilla SSL Configuration Generator
# This is using the 'intermediate' config, you may prefer 'modern'
# Check https://mozilla.github.io/server-side-tls/ssl-config-generator/ and update this file!
# (the generator has since moved to https://ssl-config.mozilla.org/ ; the protocol and cipher
# lists in this file reflect the 2017 'intermediate' profile and should be regenerated before use)
# Certificate chain: the server cert followed by the intermediate(s). Keep the key file
# readable by root only - nginx reads it as root before handing work to the worker user.
ssl_certificate /etc/https/cert-and-intermediate.pem;
ssl_certificate_key /etc/https/private-key.pem;
# Session resumption uses the server-side cache only: tickets are off, so resumption does not
# depend on a long-lived ticket key that would weaken forward secrecy if it leaked.
# The cache is per nginx instance; with several front-end nginx nodes the resumption rate drops.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# Create this file with:
# openssl dhparam -out dhparam.pem 2048
# Generate it per deployment - it is deliberately not shipped with this repo. Only the DHE-* suites below use it.
ssl_dhparam /etc/https/dhparam.pem;

# NOTE(review): TLS 1.0 and 1.1 are deprecated (RFC 8996) and disabled by current browsers;
# unless a specific legacy client must be supported, use
#   ssl_protocols TLSv1.2;
# and add TLSv1.3 once nginx is built against OpenSSL 1.1.1 or later.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# The tail of this list keeps 3DES (*-DES-CBC3-SHA, subject to the Sweet32 attack) and
# non-forward-secret RSA key-exchange suites (AES128-SHA etc.) for old clients. Remove them -
# i.e. move to the 'modern' profile - unless such clients are known to exist; regenerating the
# list from the current Mozilla generator is preferable to hand editing it.
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

# HSTS (15768000 seconds = 6 months)
# NOTE(review): three limitations of this line to fix before relying on it:
#  - add_header is inherited into a location only if that location sets no add_header of its own,
#    so any location with its own add_header silently drops HSTS;
#  - without "always" the header is not attached to error responses (e.g. the 50x sorry page);
#  - there is no includeSubDomains, so subdomains stay unprotected.
# Suggested, once every subdomain is reachable over HTTPS:
#   add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
add_header Strict-Transport-Security max-age=15768000;

# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
# With ssl_stapling_verify on, a response that does not validate against ssl_trusted_certificate
# is not stapled; handshakes right after startup typically go out unstapled while the response is fetched.
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/https/root-and-intermediate.pem;

# Use local DNS server
# The resolver is what nginx uses to look up the OCSP responder host; point it at a trusted
# local resolver (these lookups are plain, unauthenticated DNS), not a public one.
# (the argument to this directive continues beyond the part of the file shown here)
resolver