[Nginx] virtualhost config(http2,HSTS,SSL) A+ in SSL Labs

server {
  # 傾聽 HTTPS 標準埠號 443
  listen 443 ssl http2;

  # 同時啟用 IPv6 的 HTTPS 安全加密網頁
  listen [::]:443 ssl http2;
 
  #HSTS
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
  server_name www.charlie27.com;

  root /var/www/wordpress;
  index index.php index.html index.htm;
  
  location / {          
	  try_files $uri $uri/ =404;
  }

  location ~ \.php$ {
       include snippets/fastcgi-php.conf;
       fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
  }

  location ~ /\.ht {
       deny all;
  }
  # 啟用 SSL
  ssl on;
  
  # 設定 SSL 憑證
  ssl_certificate /etc/letsencrypt/live/www.charlie27.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.charlie27.com/privkey.pem;

  # 其他 SSL 選項
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE (CVE-2014-3566)
  ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
  ssl_prefer_server_ciphers on;

0
0 Comments
Inline Feedbacks
View all comments