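- # Create a self-signed certificate. Browsers will not trust it, so it suits
- # testing or internal use only; use a CA-issued certificate for a public site.
- # -p: do not fail when the directory already exists.
- mkdir -p /etc/ssl/private
- chmod 700 /etc/ssl/private
- # -nodes writes the private key unencrypted so nginx can start unattended;
- # the directory and file permissions are therefore the key's only protection.
- # At the prompts, the Common Name should match the server_name used below.
- openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
- # Make the key readable by root only, regardless of the umask in effect.
- chmod 600 /etc/ssl/private/nginx-selfsigned.key
- # Create Diffie-Hellman parameters for the DHE cipher suites (this can take a while).
- openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048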
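- # Configure the HTTPS server block
- nano /etc/nginx/conf.d/wordpress1.conf
- server {
-     server_name wordpress1.com www.wordpress1.com;
-     # Single document root for static files and PHP. The original paste set a
-     # different root (/app/wordpress1.com/) inside the PHP location, so PHP and
-     # static files were looked up in different directories. Point this at the
-     # directory that actually holds WordPress.
-     root /app/wordpress1/;
-     index index.php index.html index.htm;
-     #charset koi8-r;
-     access_log /var/log/nginx/wordpress1.com-access_log;
-     error_log /var/log/nginx/wordpress1.com-error_log error;
-     location / {
-         # The last try_files argument is the fallback. With "=404" appended after
-         # /index.php?..., the index.php entry was treated as a file name to test
-         # and pretty permalinks ended in 404 instead of reaching WordPress.
-         try_files $uri $uri/ /index.php?$query_string;
-     }
-     # Pass PHP scripts to the php-fpm FastCGI listener on 127.0.0.1:9071
-     location ~ \.php$ {
-         # Forward only .php files that exist under root, so a URI that merely
-         # ends in ".php" is never handed to PHP-FPM.
-         try_files $uri =404;
-         fastcgi_pass 127.0.0.1:9071; # port php71-fpm listens on
-         fastcgi_index index.php;
-         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-         # The paste included fastcgi_params twice (relative and absolute path);
-         # one include is enough.
-         include fastcgi_params;
-     }
-     # HTTPS configuration
-     listen 443 http2 ssl;
-     listen [::]:443 http2 ssl;
-     # Self-signed certificate and key
-     ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
-     ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
-     ssl_dhparam /etc/ssl/certs/dhparam.pem;
-     # Additional hardening
-     # TLS 1.0 and 1.1 are deprecated and have been dropped from this list.
-     # Add TLSv1.3 where the installed nginx/OpenSSL build supports it.
-     ssl_protocols TLSv1.2;
-     ssl_prefer_server_ciphers on;
-     ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
-     ssl_ecdh_curve secp384r1;
-     ssl_session_cache shared:SSL:10m;
-     ssl_session_tickets off;
-     # OCSP stapling needs a CA-issued certificate; with the self-signed
-     # certificate above there is no issuer to query, so these lines only take
-     # effect once a real certificate is installed. The resolver is what nginx
-     # uses to look up the OCSP responder; the lookups go to a public DNS service.
-     ssl_stapling on;
-     ssl_stapling_verify on;
-     resolver 8.8.8.8 8.8.4.4 valid=300s;
-     resolver_timeout 5s;
-     # Disable preloading HSTS for now. You can use the commented out header line that includes
-     # the "preload" directive if you understand the implications.
-     # Browsers ignore HSTS received over a connection with a certificate error,
-     # so it has no effect with the self-signed certificate. With a trusted
-     # certificate, this max-age commits the domain and every subdomain to HTTPS
-     # for two years.
-     #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-     # "always" also sends the headers on error responses.
-     add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
-     add_header X-Frame-Options DENY always;
-     add_header X-Content-Type-Options nosniff always;
-     ##################################
-     # END https://cipherli.st/ BLOCK #
-     ##################################
- }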
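- # Redirect HTTP to HTTPS.
- # HSTS can do this, but only after a browser has visited the site over HTTPS once,
- # so also redirect in the web server:
- nano /etc/nginx/conf.d/wordpress1.conf
- ...
- server {
-     listen 80;
-     server_name wordpress1.com www.wordpress1.com;
-     # Redirect both configured names. The original tested only the bare domain,
-     # so plain-HTTP requests for www.wordpress1.com fell through to the 404.
-     if ($host = www.wordpress1.com) {
-         return 301 https://$host$request_uri;
-     }
-     if ($host = wordpress1.com) {
-         return 301 https://$host$request_uri;
-     }
-     # Any other Host header is refused, not reflected into a redirect.
-     return 404;
- }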
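- # Validate the configuration, then reload nginx only if the test passes
- nginx -t && nginx -s reload
- # Check via browser (expect a certificate warning while the self-signed certificate is in use)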