  1. vim /etc/nginx/nginx.conf
  2.  
  3.  
  4. ######################################################################
  5.  
  6.  
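  # nginx.conf
  # ssl redirect: the plain-HTTP listener's only job is to send every request
  # to HTTPS. 301 (permanent) rather than 302 so clients may cache the redirect;
  # HSTS preload also requires a permanent redirect on port 80. The IPv6
  # listener mirrors the [::]:443 listener in jira.conf so v6 clients are
  # redirected too instead of getting a connection refused.
  server {
      listen 80;
      listen [::]:80;
      return 301 https://$host$request_uri;
  }

  # Per-site server blocks (jira.conf) live in conf.d; note the pattern only
  # matches *.conf, so the .ssl settings file is not pulled in twice.
  include /etc/nginx/conf.d/*.conf;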
  16.  
  17. ######################################################################
  18.  
  19.  
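  # jira.conf into conf.d
  # TLS terminates here; requests are proxied to the Jira/Tomcat connector on
  # the loopback interface, so only this host is reachable from the outside.
  server {
      listen 443 ssl http2;
      listen [::]:443 ssl http2;
      server_name jiratest.anarcon.net;

      # Certificate, protocol and cipher settings are kept in a separate file.
      # The .ssl suffix keeps it out of the conf.d/*.conf include in nginx.conf.
      include /etc/nginx/conf.d/ssl_settings_jira.conf.ssl;

      # Generous timeouts so slow Jira responses (large pages, exports) are not
      # cut off by nginx before Tomcat has answered.
      proxy_connect_timeout 180;
      proxy_send_timeout    180;
      proxy_read_timeout    180;
      send_timeout          180;

      location / {
          # Forwarded headers Tomcat uses to rebuild the public URL.
          # X-Forwarded-Proto tells the application the client side was HTTPS
          # (Tomcat's connector is additionally told via scheme="https").
          proxy_set_header X-Forwarded-Host   $host;
          proxy_set_header X-Forwarded-Server $host;
          proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto  $scheme;
          proxy_pass http://localhost:8081;
          # Upper bound for attachment uploads; larger bodies get a 413.
          client_max_body_size 15M;
      }
  }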
  41.  
  42. ######################################################################
  43.  
  44.  
  45.  
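  # ssl_settings_jira.conf.ssl -- included from the jira.conf server block.

  # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
  ssl_certificate     "/etc/letsencrypt/live/jiratest.anarcon.net/fullchain.pem";
  ssl_certificate_key "/etc/letsencrypt/live/jiratest.anarcon.net/privkey.pem";
  ssl_session_timeout 1d;
  ssl_session_cache   shared:SSL:50m;
  # Session tickets stay off: the ticket key otherwise lives for the whole
  # worker lifetime and weakens forward secrecy for resumed sessions.
  ssl_session_tickets off;

  ## verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /etc/letsencrypt/live/jiratest.anarcon.net/fullchain.pem;

  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  # (generated with `openssl dhparam`, see the setup commands further down)
  ssl_dhparam /etc/ssl/diffie/dhparams.pem;

  # intermediate configuration. tweak to your needs.
  # TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail most compliance scans,
  # so only TLS 1.2 is offered; add TLSv1.3 once the nginx/OpenSSL build
  # supports it.
  ssl_protocols TLSv1.2;
  # Mozilla "intermediate" list with the 3DES (DES-CBC3) suites removed
  # (64-bit block cipher, Sweet32). AEAD/ECDHE suites first, CBC suites as a
  # fallback for older clients. Cipher names must not contain whitespace --
  # a copy/paste that wraps the line breaks the list.
  ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
  ssl_prefer_server_ciphers on;

  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  # `always` makes nginx emit the header on error responses as well, not only
  # on 2xx/3xx.
  add_header Strict-Transport-Security max-age=15768000 always;

  # OCSP Stapling ---
  # fetch OCSP records from URL in ssl_certificate and cache them
  ssl_stapling on;
  ssl_stapling_verify on;

  # Resolver used only for the OCSP responder lookup; answers cached 300s.
  resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
  resolver_timeout 3s;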
  74.  
  75.  
  76.  
  77.  
  78.  
  79.  
  80. ######################################################################
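  # Validate the configuration first so a typo in the new files does not take
  # the site down on restart (nginx -t exits non-zero on any config error).
  nginx -t && systemctl restart nginx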
  82.  
  83.  
  84.  
  85.  
  86.  
  87.  
  88.  
  89.  
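  # Install certbot with the nginx plugin from the certbot PPA.
  add-apt-repository ppa:certbot/certbot
  apt-get update
  apt-get install python-certbot-nginx

  # Request the certificate. The first -d name becomes the directory under
  # /etc/letsencrypt/live/ that the ssl_certificate paths above point at, so
  # it has to match the server_name (jiratest.anarcon.net in jira.conf).
  # `certbot certonly --nginx ...` obtains the certificate without letting
  # certbot rewrite the hand-written server blocks.
  certbot --nginx -d example.com -d www.example.com

  # Verify renewal process
  certbot renew --dry-run

  # confirm cronjob in /etc/cron.d (the certbot package drops its renewal
  # entry there; a bare path on its own line is not a command)
  ls -l /etc/cron.d/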
  104.  
  105.  
  106.  
  107.  
  108.  
  109.  
  # Generate the Diffie-Hellman group referenced by ssl_dhparam in the
  # nginx TLS settings (2048 bits; generation can take a while).
  dh_dir=/etc/ssl/diffie
  mkdir -p -- "$dh_dir"
  openssl dhparam -out "$dh_dir/dhparams.pem" 2048
  112.  
  113.  
  114.  
  115. vim /opt/atlassian/jira/conf/server.xml
  116.  
  117.  
  118. # extend the HTTP Connector in server.xml with these attributes; proxyName must be the public hostname nginx serves (the server_name above -- note it differs from the value given here)
  119. proxyName="jira.forcam.com"
  120. proxyPort="443"
  121. scheme="https"
  122. secure="true"