From 6e7ae0d7c75aad5305debe15acd47f9dc7cee2af Mon Sep 17 00:00:00 2001
From: Robert Gingras
Date: Wed, 29 Oct 2025 15:54:46 +0000
Subject: [PATCH] add default SSL configuration for Nginx reverse proxy
---
 nginx-reverse-proxy/conf.d/default-ssl.conf | 41 +++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 nginx-reverse-proxy/conf.d/default-ssl.conf
diff --git a/nginx-reverse-proxy/conf.d/default-ssl.conf b/nginx-reverse-proxy/conf.d/default-ssl.conf
new file mode 100644
index 00000000..567a5303
--- /dev/null
+++ b/nginx-reverse-proxy/conf.d/default-ssl.conf
@@ -0,0 +1,41 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+
+ server_name _;
+
+ # SSL certificates
+ ssl_certificate /root/.acme.sh/opensource.mieweb.org/fullchain.cer;
+ ssl_certificate_key /root/.acme.sh/opensource.mieweb.org/opensource.mieweb.org.key;
+
+ # Modern TLS configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+ ssl_prefer_server_ciphers off;
+
+ # SSL session optimization
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+
+ # OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /root/.acme.sh/opensource.mieweb.org/fullchain.cer;
+ resolver 1.1.1.1 8.8.8.8 valid=300s;
+ resolver_timeout 5s;
+
+ # Security headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+
+ # Return 404 for un-handled hostnames
+ return 404;
+}
\ No newline at end of file
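Review bot: The `add_header X-XSS-Protection "1; mode=block" always;` line in the security-headers group is a legacy directive that current browsers ignore and that, in the browsers that did honour it, gave attackers an XS-leak/side-channel primitive, so the current guidance is to send `add_header X-XSS-Protection "0" always;` (or drop the header and rely on a Content-Security-Policy). The `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384` entries in `ssl_ciphers` are inert as written because no `ssl_dhparam` is configured and nginx will not negotiate DHE suites without one; either add `ssl_dhparam /etc/nginx/ffdhe2048.pem;` (an RFC 7919 group) or remove the two suites so the list reflects what is actually offered. Since this is the catch-all (`server_name _`) block, every client that reaches the address with an unknown or absent SNI is handed the real opensource.mieweb.org certificate plus an HSTS preload header before receiving the 404; if the default server has nothing to serve, `ssl_reject_handshake on;` (nginx 1.19.4+) closes those handshakes without presenting the certificate, though check that the QUIC listener in this build honours it. Also worth confirming: `ssl_trusted_certificate` points at the same `fullchain.cer` used for `ssl_certificate`, whereas `ssl_stapling_verify on` needs the issuer chain up to the root, so stapling verification may silently fail and log errors instead of stapling.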