
How to enable HTTP/2 and secure the server FQDN for VestaCP on Ubuntu 16.04 LTS

In the previous tutorial we secured nginx and vesta-nginx with a Let's Encrypt certificate. It is equally important to secure the server FQDN; in this example the server FQDN is mail.datahead.biz. First I will enable HTTP/2 on the HTTPS server block, then redirect every plain-HTTP request to HTTPS, and finally tighten the TLS settings and add security headers.
1. First, enable HTTP/2 in the HTTPS server block (add the `http2` parameter to the `listen` line)
# vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf

# HTTPS server block for the server FQDN (excerpt; the rest of the block follows in the file).
server {
    # "ssl" enables TLS on this socket; "http2" needs nginx >= 1.9.5 (check "nginx -V").
    # HTTP/2 is only negotiated over TLS, so it belongs on the 443 listener, not on port 80.
    listen      192.146.82.3:443 ssl http2;
    server_name mail.datahead.biz ;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;
    root        /home/admin/web/mail.datahead.biz/public_html;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/mail.datahead.biz.log combined;
    access_log  /var/log/nginx/domains/mail.datahead.biz.bytes bytes;
    error_log   /var/log/nginx/domains/mail.datahead.biz.error.log error;

    # "ssl on;" is the legacy form, superseded by the "ssl" listen parameter above.
    #ssl         on;
    # Vesta-managed certificate files (Let's Encrypt from the previous tutorial).
    # The .pem should contain the leaf certificate followed by the intermediate chain.
    ssl_certificate      /home/admin/conf/web/ssl.mail.datahead.biz.pem;
    ssl_certificate_key  /home/admin/conf/web/ssl.mail.datahead.biz.key;
2. Redirect all HTTP requests to HTTPS in the plain-HTTP (port 80) server block
# Plain-HTTP server block: its only job is to send clients to HTTPS (excerpt; the block's
# closing brace follows in the file).
server {
    listen      192.146.82.3:80;
    server_name mail.datahead.biz ;
    server_tokens off;
    # root/index/logs are kept from the Vesta-generated block; they are unused once
    # every request is answered with the redirect below.
    root        /home/admin/web/mail.datahead.biz/public_html;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/mail.datahead.biz.log combined;
    access_log  /var/log/nginx/domains/mail.datahead.biz.bytes bytes;
    error_log   /var/log/nginx/domains/mail.datahead.biz.error.log error;
    # Permanent redirect. $server_name is the configured name, so a client-supplied Host
    # header cannot steer the redirect to another host (as $host could). $request_uri
    # preserves path and query string.
    # NOTE(review): this also redirects /.well-known/acme-challenge/; Let's Encrypt HTTP-01
    # renewals follow redirects to HTTPS, but confirm the first renewal after this change.
    return 301 https://$server_name$request_uri;
3. Install the Flagfox add-on in Mozilla Firefox and check the connection status it reports for the site
4. Visit https://tools.keycdn.com/http2-test to confirm that HTTP/2 is actually negotiated
5. Add the following TLS settings directly after the ssl_certificate lines in the HTTPS server block
# vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf

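# "ssl on;" is the legacy form; TLS is enabled by the "ssl" parameter on the listen line.
#ssl         on;
ssl_certificate      /home/admin/conf/web/ssl.mail.datahead.biz.pem;
ssl_certificate_key  /home/admin/conf/web/ssl.mail.datahead.biz.key;

# SSL Settings
# TLS 1.3 needs nginx >= 1.13.0 built against an OpenSSL that supports it (1.1.1+; check
# "nginx -V"). When it is available, list both versions: "ssl_protocols TLSv1.3;" on its
# own would lock out every client that only speaks TLS 1.2.
#ssl_protocols TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers   on;
# Required by the DHE suites below; generate once (4096-bit generation takes a while):
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# Forward-secret AES-256-GCM suites only. The previous list named
# ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512, which are not OpenSSL cipher
# names (AES-256-GCM pairs with SHA384) and were silently dropped, and it ended with
# ECDHE-RSA-AES256-SHA384, a CBC suite. Verify any edit with: openssl ciphers -v '<list>'
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
# Single curve for ECDHE; every client must support secp384r1 or the handshake fails.
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

# Session resumption via the shared server-side cache only.
ssl_session_timeout 10m;
ssl_session_cache   shared:SSL:10m;
# Tickets are off: without ticket-key rotation a long-lived ticket key undermines
# forward secrecy; the cache above still provides resumption.
ssl_session_tickets off; # Requires nginx >= 1.5.9

# OCSP stapling
ssl_stapling on; # Requires nginx >= 1.3.7
# Verification needs the issuer (intermediate) certificate. If ssl.mail.datahead.biz.pem
# does not already contain the full chain, point ssl_trusted_certificate at a file that
# does, otherwise stapling fails silently. Check with:
#   openssl s_client -connect mail.datahead.biz:443 -status < /dev/null | grep -A2 'OCSP Response Status'
ssl_stapling_verify on; # Requires nginx >= 1.3.7
#ssl_trusted_certificate /home/admin/conf/web/ssl.mail.datahead.biz.pem;

port_in_redirect off;
# Resolver used for the OCSP responder lookups above. Queries to 8.8.8.8/8.8.4.4 leave
# the host as plain UDP DNS; prefer a local resolver (e.g. 127.0.0.1 if one runs here).
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Small TLS record size reduces time-to-first-byte for HTTP/2 streams.
ssl_buffer_size 4k;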
6. Add the following security headers inside the `location /` block of the same file
# vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf

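    # Security headers (excerpt; the closing brace of "location /" follows in the file).
    # Every add_header carries "always" so the headers are also sent on 4xx/5xx responses;
    # without it nginx only adds them to 200/204/206/301/302/303/304/307/308.
    location / {

        # HSTS: one year, all subdomains. "preload" commits this host and every subdomain
        # to HTTPS-only in browser preload lists and is very hard to undo; keep it only if
        # every subdomain of mail.datahead.biz serves HTTPS and you intend to submit the
        # domain at hstspreload.org. Otherwise use the variant without "preload":
        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options "SAMEORIGIN"  always;
        add_header X-Content-Type-Options "nosniff"  always;
        # Legacy header; current browsers ignore it and OWASP now recommends "0" because
        # the old XSS auditor could itself be abused. Kept for old browsers only.
        add_header X-XSS-Protection "1; mode=block" always;
        # CSP counterpart of X-Frame-Options above; "frame-ancestors 'self'" is equivalent
        # for this single-origin host.
        add_header Content-Security-Policy "frame-ancestors https://mail.datahead.biz/;" always;
        add_header Referrer-Policy strict-origin-when-cross-origin always;
        # Feature-Policy is superseded by Permissions-Policy in newer browsers; add both if
        # your nginx/browser targets need it.
        add_header Feature-Policy "accelerometer 'none'; " always;

        # add_header is inherited only by nested locations that set no add_header of their
        # own. This block sets none, so it inherits all of the above; any other location in
        # this file that calls add_header itself will NOT carry these headers.
        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
        }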
It is better to put these changes in a Vesta web template (template location: /usr/local/vesta/data/templates/web/) rather than editing the per-domain files directly, because Vesta can regenerate the domain's nginx configuration from its template and overwrite manual edits.
