selfsigned-nginx

Dec 16th, 2019
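# create the self-signed certificate and key
mkdir -p /etc/ssl/private
chmod 700 /etc/ssl/private
# -nodes leaves the private key unencrypted on disk so nginx can start unattended;
# restrict the key file itself to root once it exists
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
chmod 600 /etc/ssl/private/nginx-selfsigned.key
# create Diffie-Hellman parameters (this takes a while)
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
# configure the https server block
nano /etc/nginx/conf.d/wordpress1.conf
server {
    server_name wordpress1.com www.wordpress1.com;

    # one document root for the whole vhost. The original paste set a second,
    # different root (/app/wordpress1.com/) inside the PHP location, so static
    # files and PHP scripts were resolved from two different directories.
    root /app/wordpress1/;
    index index.php index.html index.htm;

    #charset koi8-r;
    access_log /var/log/nginx/wordpress1.com-access_log;
    error_log /var/log/nginx/wordpress1.com-error_log error;

    location / {
        # WordPress front controller. Only the LAST try_files argument is the
        # fallback (internal redirect). With a trailing "=404" nginx instead
        # tests /index.php as a plain file and, when found, serves it from this
        # location as static content: permalinks break and PHP source is exposed.
        try_files $uri $uri/ /index.php?$query_string;
    }

    # pass the PHP scripts to the FastCGI server listening on 127.0.0.1:9071
    location ~ \.php$ {
        # only hand existing scripts to PHP-FPM; without this, a URI such as
        # /uploads/file.jpg/x.php reaches PHP and, with cgi.fix_pathinfo=1,
        # PHP falls back to executing the uploaded file
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9071; # port php71-fpm listens on
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # "fastcgi_params" is resolved relative to the nginx prefix and is the
        # same file as /etc/nginx/fastcgi_params; include it once
        include fastcgi_params;
    }

    # https configuration
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # self-signed certificate
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # additional hardening
    # TLS 1.0 and 1.1 are deprecated. TLSv1.3 is negotiated only when nginx is
    # built against OpenSSL 1.1.1 or newer; drop the token if `nginx -t` rejects it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # OCSP stapling cannot work with a self-signed certificate: there is no
    # issuer and no OCSP responder, so nginx warns and ignores it, and the
    # resolver only exists to serve stapling. Re-enable these four lines when a
    # CA-issued certificate is installed (note that 8.8.8.8/8.8.4.4 sends the
    # server's OCSP lookups to Google DNS; a local resolver is an alternative).
    #ssl_stapling on;
    #ssl_stapling_verify on;
    #resolver 8.8.8.8 8.8.4.4 valid=300s;
    #resolver_timeout 5s;
    # Disable preloading HSTS for now. You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    # (browsers only honour HSTS from a trusted certificate, so it has no effect
    #  while the certificate is self-signed; it becomes active with a CA-issued one)
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    # DENY blocks all framing; WordPress admin screens frame their own origin,
    # so switch to SAMEORIGIN if the admin UI breaks
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ##################################
    # END https://cipherli.st/ BLOCK #
    ##################################
}

# redirect http to https
# (HSTS on its own never redirects the first plain-http request, so the
#  redirect in the webserver below is still needed)
nano /etc/nginx/conf.d/wordpress1.conf
...
server {
    listen 80;
    listen [::]:80;
    server_name wordpress1.com www.wordpress1.com;
    # the original only redirected when $host was exactly wordpress1.com and
    # answered 404 for www.wordpress1.com; redirect every name this block serves
    return 301 https://$host$request_uri;
}
# validate the configuration before reloading
nginx -t
nginx -s reload

# check via browser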