NGINX Reverse Proxy with Mozilla SSL Conf

Alex Sage

This is what I came up with. Going to make dinner, but I'll be back soon to test it

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name sub.domain.com;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub.domain.com;

    location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://<IP_ADDRESS>:<PORT>;
                proxy_redirect off;
        }

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;


    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;

    resolver 1.1.1.1;

}

Alex Sage

This post is deleted!

Alex Sage

This post is deleted!

Alex Sage

Got it!

0_1541553753187_d4c1fbf4-50c2-4c75-a912-648ab38aaaab-image.png

.conf coming soon!

Alex Sage

https://github.com/aaronstuder/lxq/blob/master/wildcard.temp

JaredBusch

WTF does this have to do with Wildcard?

It is simply a Nginx config. Nginx doesn't give a shit about the number of SAN on a cert.

wirestyle22

@aaronstuder You delete a lot of your posts on each thread you create and it is a lot less helpful for people who are trying to find answers to questions. I have no idea what your problem was or what the solution was. This looks like a normal nginx server block.

Alex Sage

@wirestyle22 Huh?

coliver

@aaronstuder said in NGINX Reverse Proxy with Mozilla SSL Conf:

@wirestyle22 Huh?

You delete and edit posts after the fact. It'd be easier to just leave them as is and let people see the process.

wirestyle22

@aaronstuder what do you learn from this?

Post 1: What is this config? --edited and corrected
Post 2: deleted
Post 3: deleted
Post 4: Working!