initial commit - skeleton setup

2019-10-16 23:44:47 -06:00
parent 3536434902
commit 141b932a1c
17 changed files with 268 additions and 0 deletions
@@ -0,0 +1,34 @@
+#######
+### NGINX SSL configuration
+### Generated using the Mozilla SSL Configuration Generator
+### (https://ssl-config.mozilla.org)
+### 'Intermediate' profile for NGINX 1.17 with OpenSSL 1.1.1c HSTS optional
+### Last generated: October 16, 2019
+#######
+
+# SSL certificates should be defined in the relevant server block
+
+# SSL parameters
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+
+# SSL protocols and ciphers
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;ssl_prefer_server_ciphers off;
+
+# Diffie-Hellman parameter for DHE cipher suites, using 4096 bits
+ssl_dhparam /certs/dhparam.pem;
+
+# HSTS (6 months = 15768000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP Stapling
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /certs/chain.pem;
+
+# resolver should be specified in nginx.conf or in networking configuration
@@ -0,0 +1,31 @@
+#######
+### NGINX SSL configuration
+### Generated using the Mozilla SSL Configuration Generator
+### (https://ssl-config.mozilla.org)
+### 'Modern' profile for NGINX 1.17 with OpenSSL 1.1.1c HSTS optional
+### Last generated: October 16, 2019
+#######
+
+# SSL certificates should be defined in the relevant server block
+
+# SSL parameters
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+
+# SSL protocols and ciphers
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+# HSTS (6 months = 15768000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP Stapling
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /certs/chain.pem;
+
+# resolver should be specified in nginx.conf or in networking configuration
@@ -0,0 +1,49 @@
+#
+### NGINX main configuration
+#
+
+user nginx;
+worker_processes 1;
+pid /var/run/nginx.pid;
+
+error_log /var/log/nginx/error.log warn;
+
+# include dynamically linked modules
+include /etc/nginx/modules/*.conf;
+
+events {
+    worker_connections 512;
+    multi_accept off;
+    use epoll;    
+}
+
+http {
+    default_type application/octet-stream;
+    charset utf-8;
+    include /etc/nginx/mime.types;
+
+    # set default index and webroot
+    index index.php index.html;
+    root /usr/share/nginx/html;
+
+    # logging options (off by default for performance)
+    log_format main '$remote_addr - $remote_user [$time_local] $request '
+        '$status $body_bytes_sent "$http_referer" '
+        '"$http_user_agent" "$http_x_forwarded_for" '
+        '"$host" server="$server_name" '
+        'reqtime="$request_time" '
+        'uaddr="$upstream_addr" ustat="$upstream_status" '
+        'utime="$upstream_response_time" ulen="$upstream_response_length" '
+        'cache="$upstream_cache_status"';
+    #access_log /var/log/nginx/access.log main;
+    access_log off;
+
+    # server configuration options
+    server_tokens off;
+    real_ip_recursive on;
+    resolver 1.1.1.1;
+    include /etc/nginx/config/*.conf;
+    
+    # include enabled server blocks from sites/*.conf
+    include /etc/nginx/sites/*.conf;
+}
@@ -0,0 +1,7 @@
+# server names
+server_name
+    domain.tld
+    www.domain.tld
+    server.domain.tld
+    alt.domain.tld
+    ;
@@ -0,0 +1,3 @@
+# SSL certificate for this connection
+ssl_certificate         <SSL_CERT>;
+ssl_certificate_key     <SSL_KEY>;