Example NGINX configs

[Akia]

As your the master of Nginx, could you share examples of your config files as a case of best practice, of what settings are best to use etc.

 

[Matt]

Is there anything in particular? The configs can be quite varied depending on what you want to achieve.

 

[Akia]

mainly on the best settings on SSL to enable spdy etc.

 

[Matt]

OK, so in your http block

        ssl_session_cache               shared:SSL:10m;
        ssl_session_timeout             10m;

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache

Then, in your server block (example from this site)

        listen                  176.58.127.146:443 default_server ssl spdy;
        listen                  [2a01:7e00::f03c:91ff:fe84:2040]:443 ssl spdy;
        server_name             mattwservices.co.uk;
        keepalive_timeout       70;

        ssl_certificate         /var/www/mattwservices.co.uk/ssl/ssl-unified.crt;
        ssl_certificate_key     /var/www/mattwservices.co.uk/ssl/mattwservices_co_uk.key;
        ssl_trusted_certificate /var/www/mattwservices.co.uk/ssl/ssl-trusted.crt;

        include                 /etc/nginx/ssl.conf;

I then have the specific ssl.conf file which is included

        ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers                     ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers       on;
        add_header                      Alternate-Protocol 443:npn-spdy/3;
        add_header                      Strict-Transport-Security max-age=31536000;
        ssl_buffer_size                 4k;
        spdy_headers_comp               5;
        ssl_session_tickets             on;
        ssl_stapling                    on;
        ssl_stapling_verify             on;
        resolver                        [2001:1608:10:25::1c04:b12f] [2001:1608:10:25::9249:d69b] valid=10m;
        resolver_timeout                10s;