Letsencrypt friendly nginx configuration

So I use this great cheat sheet to get free certificates from the Let's Encrypt certificate authority on my own servers, but while that small document is very straightforward, it doesn't explain much about nginx's configuration. So I'll drop mine right here so your journey through TLS is even simpler:

$ cat /usr/pkg/etc/nginx/nginx.conf

# this nginx installation comes from pkgsrc for both Linux and NetBSD
# you might have to adapt paths to suit your needs... or switch to pkgsrc ;)

user   nginx  nginx;
worker_processes  2;

events {
    worker_connections  1024;
}

http {
    include       /usr/pkg/etc/nginx/mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    # a little bit of browser leverage doesn't hurt :)
    gzip  on;
    gzip_vary on;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
    gzip_proxied any;

    server {
        # listen on both IPv4 and IPv6
        listen       [::]:80;
        listen       80;

        server_name  localhost example.com *.example.com;

        # this is where letsencrypt will drop the challenge files: with "root"
        # the request URI is appended, so a token is served from
        # /var/www/letsencrypt/.well-known/acme-challenge/<token>, and the
        # webroot path you give the client must be /var/www/letsencrypt
        location /.well-known/acme-challenge {
                default_type "text/plain";
                root /var/www/letsencrypt;
        }

        # redirect everything else to HTTPS; $host is the name the client asked
        # for, which server_name above restricts to your own domains. 302 is a
        # temporary redirect, switch to 301 once you are sure you won't go back
        location / { return 302 https://$host$request_uri; }
    }

    server {
        listen       [::]:443 ssl;
        listen       443 ssl;

        # the certificate below must cover the names you serve here: with the
        # HTTP challenge above Let's Encrypt will issue for example.com and its
        # explicit subdomains, but not for localhost, and a *.example.com
        # wildcard needs the DNS-01 challenge instead
        server_name  localhost example.com *.example.com;

        # here lies letsencrypt PEM files
        ssl_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;

        # harden used protocols: TLSv1 and TLSv1.1 are deprecated (RFC 8996),
        # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        # all forward-secret suites; the EDH ones are only offered if
        # ssl_dhparam points at a generated DH parameter file (nginx 1.11.0+
        # silently drops them otherwise, older releases use 1024-bit params)
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers  on;

        # and then include actual locations
        include sites/*;
    }
}
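Before trusting a block like the 443 server above, it is worth running a quick lint over it for the three things that most often slip through: protocol versions that are now deprecated, DHE suites listed in ssl_ciphers without an ssl_dhparam to back them, and a missing HSTS header. The script below is an added example, not code from the original post or from nginx; the sample configs, the one-directive-per-line parser and the function names are my own assumptions, and the dhparam path in the hardened sample is hypothetical.

```python
"""Added example (not from the original post): a small lint for the TLS
settings in an nginx server block.  The directive parser expects one
directive per line, as in the config above; block-opening and closing
braces and comments are skipped.  Function and sample names are mine."""
import re

# Constructed sample: a server block with the settings many older guides
# ship (TLSv1/TLSv1.1 enabled, EDH suites with no ssl_dhparam, no HSTS).
WEAK_CONF = """
server {
    listen       [::]:443 ssl;
    listen       443 ssl;
    server_name  example.com;
    ssl_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers  on;
}
"""

# Constructed sample: the same block with the three findings addressed.
# /etc/nginx/dhparam.pem is a hypothetical path (openssl dhparam generates it).
HARDENED_CONF = """
server {
    listen       443 ssl;
    server_name  example.com;
    ssl_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_prefer_server_ciphers  on;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
"""

# SSLv2/SSLv3 are prohibited by RFC 6176 / RFC 7568, TLS 1.0 and 1.1 by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def directives(conf):
    """Return [(name, args)] for every 'name args;' line, skipping comments,
    blank lines and the lines that open or close a block."""
    found = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, args = line.rstrip(";").partition(" ")
        found.append((name, args.strip().strip("'\"")))
    return found


def audit(conf):
    """Return a list of human-readable findings; an empty list means clean."""
    seen = dict(directives(conf))  # single-valued directives, last one wins
    findings = []

    protocols = set(seen.get("ssl_protocols", "").split())
    bad = sorted(protocols & DEPRECATED_PROTOCOLS)
    if bad:
        findings.append(
            "ssl_protocols still enables %s; use 'TLSv1.2 TLSv1.3'" % ", ".join(bad))

    # EDH/DHE suites need explicit DH parameters: nginx 1.11.0+ never offers
    # them without ssl_dhparam, older releases fall back to 1024-bit params.
    if re.search(r"\b(EDH|DHE)\b", seen.get("ssl_ciphers", "")) and "ssl_dhparam" not in seen:
        findings.append("ssl_ciphers lists EDH/DHE suites but ssl_dhparam is not set")

    # add_header may repeat, so look at every occurrence rather than the dict.
    hsts = [args for name, args in directives(conf)
            if name == "add_header" and args.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append(
            "no Strict-Transport-Security header: every first visit still "
            "starts over plain HTTP and trusts the redirect")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["ok"])
```

Feed it the body of your own 443 server block and fix whatever it prints; the parser is deliberately naive, so keep one directive per line (the one-line `location` form used in the port-80 block above would not be split).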

A very basic proxy_pass location would be:

$ cat /usr/pkg/etc/nginx/sites/example.com
location / {
    proxy_pass http://mydomU:8080/;
    # pass the requested name through so the backend sees the real vhost
    proxy_set_header Host $host;
    # forward real address for statistic purposes; $remote_addr rather than
    # the client-supplied X-Forwarded-For, so it cannot be spoofed
    proxy_set_header X-Forwarded-For $remote_addr;
    # tell the backend it sits behind TLS so it builds https:// links
    proxy_set_header X-Forwarded-Proto $scheme;
}

For an even more hardened configuration, you might want to check out 2*yo's own configuration.