nginx-configuration

Example of a high-security configuration for Nginx with Certbot.

Structure

nginx.conf
conf.d
  |-location
  |-security
  |-ssl
sites-available
  |-example.com.conf

Symlink

For each configuration file in the sites-available folder, we create a symlink to it in /etc/nginx/sites-enabled/, so that it is visible to nginx.conf.

$ sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/

Let's Encrypt - Certbot

Create SSL certificates:

  • certonly: Use this if you want certbot to only generate the certs and not proceed with any further tasks.

  • -d example.com: Your domain name.

$ sudo certbot certonly --nginx -d example.com -d www.example.com

Optional parameters:

  • --rsa-key-size 4096: Use this if you want to set the RSA key size to 4096.
  • --staging: For testing purposes, add this parameter to avoid the rate limit on cert creation.
  • --force-renewal: Forces the certs to be re-created / renewed, overwriting the existing ones.

Auto renew:

$ crontab -e

Copy and save this line:

0 12 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"

Done 🎉 After that:

  1. The cron job will run at 12:00 every day.
  2. Certbot will check whether it can renew your SSL certs (whether it can or not, --quiet means it will not print any message).
  3. --post-hook: after the certs have been renewed, it will execute systemctl reload nginx to reload Nginx.

DHParam

To improve security, we add Diffie-Hellman (DH) key exchange parameters. The key size should follow that of your SSL certs: 2048 or 4096.

$ openssl dhparam -out /etc/ssl/certs/dhparam-2048.pem 2048

Test, Reload

For any change that affects Nginx, we need to test the configuration before applying it:

$ nginx -t

Or test it and, if the test passes, reload Nginx right away:

$ nginx -t && nginx -s reload
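The Symlink and Test, Reload steps above can be combined into one pre-reload check. This is an added example, not part of the original repository: the function name `audit_sites`, the finding labels and the `--reload` switch are hypothetical, and the directory defaults are the paths used on this page.

```bash
#!/usr/bin/env bash
# Added example: audit sites-available / sites-enabled before reloading Nginx.
# Prints one finding per line and returns 1 if there is any finding:
#   MISSING <name>   file in sites-available with no entry in sites-enabled
#   DANGLING <name>  symlink in sites-enabled whose target no longer exists
#   NOTLINK <name>   regular file in sites-enabled (a copy, not a symlink)
audit_sites() {
  local avail="${1:-/etc/nginx/sites-available}"
  local enabled="${2:-/etc/nginx/sites-enabled}"
  local rc=0 f name link

  # Every site file should have a same-named entry in sites-enabled.
  for f in "$avail"/*.conf; do
    [ -e "$f" ] || continue                  # glob matched nothing
    name="$(basename "$f")"
    link="$enabled/$name"
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
      echo "MISSING $name"; rc=1
    fi
  done

  # Every entry in sites-enabled should be a symlink that still resolves.
  for link in "$enabled"/*; do
    [ -e "$link" ] || [ -L "$link" ] || continue   # empty directory
    name="$(basename "$link")"
    if [ -L "$link" ] && [ ! -e "$link" ]; then
      echo "DANGLING $name"; rc=1             # -e follows the link and fails
    elif [ ! -L "$link" ]; then
      echo "NOTLINK $name"; rc=1
    fi
  done

  return "$rc"
}

# Optional: gate the page's "nginx -t && nginx -s reload" on a clean audit.
if [ "${1:-}" = "--reload" ]; then
  audit_sites && nginx -t && nginx -s reload
fi
```

Without arguments the script only defines the function; pass `--reload` to run the audit and, if it is clean, the test and reload.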

Result in Qualys SSL Labs

SSL Labs Result

Contributors

tuan78
