Example NGINX configs

Akia

Guest
As you're the master of Nginx, could you share examples of your config files as a case of best practice, of what settings are best to use etc.
 

Matt

Owner
Is there anything in particular? The configs can be quite varied depending on what you want to achieve.
 

Matt

Owner
OK, so in your http block

Code:
        ssl_session_cache               shared:SSL:10m;
        ssl_session_timeout             10m;
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache

Then, in your server block (example from this site)
Code:
        listen                  176.58.127.146:443 default_server ssl spdy;
        listen                  [2a01:7e00::f03c:91ff:fe84:2040]:443 ssl spdy;
        server_name             mattwservices.co.uk;
        keepalive_timeout       70;

        ssl_certificate         /var/www/mattwservices.co.uk/ssl/ssl-unified.crt;
        ssl_certificate_key     /var/www/mattwservices.co.uk/ssl/mattwservices_co_uk.key;
        ssl_trusted_certificate /var/www/mattwservices.co.uk/ssl/ssl-trusted.crt;

        include                 /etc/nginx/ssl.conf;
I then have the specific ssl.conf file which is included

Code:
        ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers                     ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
        ssl_prefer_server_ciphers       on;
        add_header                      Alternate-Protocol 443:npn-spdy/3;
        add_header                      Strict-Transport-Security max-age=31536000;
        ssl_buffer_size                 4k;
        spdy_headers_comp               5;
        ssl_session_tickets             on;
        ssl_stapling                    on;
        ssl_stapling_verify             on;
        resolver                        [2001:1608:10:25::1c04:b12f] [2001:1608:10:25::9249:d69b] valid=10m;
        resolver_timeout                10s;
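As an added example (not Matt's code and not part of the thread), a small Python linter that parses ssl.conf-style directives like the ones above and flags the settings a reviewer would question: deprecated protocol versions, weak cipher suites that survive the trailing "!" rules, a thin HSTS header, and stapling without verification. The sample config is constructed from the thread with the cipher list abbreviated, and the 180-day HSTS minimum is my assumption, not a figure from the post.

```python
import re

# Constructed sample: the ssl.conf directives posted above, cipher list abbreviated.
SAMPLE_SSL_CONF = """
ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                     ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
ssl_prefer_server_ciphers       on;
add_header                      Strict-Transport-Security max-age=31536000;
ssl_stapling                    on;
ssl_stapling_verify             on;
resolver                        [2001:1608:10:25::1c04:b12f] valid=10m;
"""

# Weak suite family -> OpenSSL "!" keyword that removes it. OpenSSL applies "!" rules to the
# whole list, so a suite named earlier survives only if no matching "!" follows; note that
# "!DES" removes single DES only, triple DES (DES-CBC3-*) needs "!3DES".
WEAK_FAMILIES = {"RC4": "RC4", "DES-CBC3": "3DES", "MD5": "MD5"}


def parse_directives(text):
    """Return {name: [args, ...]} for every 'name args;' line, ignoring # comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(";") and line[:-1].split():
            name, *args = line[:-1].split()
            directives.setdefault(name, []).append(args)
    return directives


def lint_tls(text):
    """Return a sorted list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    protos = d.get("ssl_protocols", [[]])[0]
    findings += [f"deprecated protocol enabled: {p}" for p in ("SSLv3", "TLSv1", "TLSv1.1") if p in protos]
    if d.get("ssl_prefer_server_ciphers", [["off"]])[0] != ["on"]:
        findings.append("ssl_prefer_server_ciphers is off")
    tokens = ":".join(d.get("ssl_ciphers", [[""]])[0]).split(":")
    for tok in tokens:
        for family, kill in WEAK_FAMILIES.items():
            if family in tok and not tok.startswith("!") and f"!{kill}" not in tokens:
                findings.append(f"weak suite {tok} stays enabled (no !{kill})")
    hsts = [a for a in d.get("add_header", []) if a and a[0] == "Strict-Transport-Security"]
    value = " ".join(hsts[0][1:]).strip('"') if hsts else ""
    age = re.search(r"max-age=(\d+)", value)
    if not age or int(age.group(1)) < 15552000:  # 180 days: assumed minimum, not from the post
        findings.append("HSTS missing or max-age below 180 days")
    if "includeSubDomains" not in value:
        findings.append("HSTS lacks includeSubDomains")
    if d.get("ssl_stapling", [["off"]])[0] == ["on"]:
        if d.get("ssl_stapling_verify", [["off"]])[0] != ["on"]:
            findings.append("ssl_stapling on without ssl_stapling_verify")
    return sorted(findings)
```

Run against the posted config it reports the two legacy TLS versions, the 3DES suite that the "!DES" keyword does not remove, and the HSTS header without includeSubDomains; a config restricted to TLSv1.2/1.3 with a full HSTS header returns an empty list.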