Skip to main content

How to enable http2 and Secure Server FQDN for VestaCp in Ubuntu 16.04 L.T.S?

We have already secure nginx and vesta-nginx using Let's Encrypt SSL in our previous tutorial. Now it is very important to secure Server FQDN where my Server FQDN is mail.datahead.biz. At first I will enable http2  then i will redirect all http request to https.
1. At first Enable http2 in server block
# vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf

server {
    listen      192.146.82.3:443 ssl http2;
    server_name mail.datahead.biz ;
    server_tokens off;
    root        /home/admin/web/mail.datahead.biz/public_html;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/mail.datahead.biz.log combined;
    access_log  /var/log/nginx/domains/mail.datahead.biz.bytes bytes;
    error_log   /var/log/nginx/domains/mail.datahead.biz.error.log error;

    #ssl         on;
    ssl_certificate      /home/admin/conf/web/ssl.mail.datahead.biz.pem;
    ssl_certificate_key  /home/admin/conf/web/ssl.mail.datahead.biz.key;
2. Redirect all http request to https
server {
    listen      192.146.82.3:80;
    server_name mail.datahead.biz ;
    server_tokens off;
    root        /home/admin/web/mail.datahead.biz/public_html;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/mail.datahead.biz.log combined;
    access_log  /var/log/nginx/domains/mail.datahead.biz.bytes bytes;
    error_log   /var/log/nginx/domains/mail.datahead.biz.error.log error;
    return 301 https://$server_name$request_uri;
3. Enable Flag-Flox addon to your Mozilla Firefox, Check Status
4. Visit the following https://tools.keycdn.com/http2-test to check http2
5. Add the following Code to ssl_certificate section
# vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf

#ssl         on;
ssl_certificate      /home/admin/conf/web/ssl.mail.datahead.biz.pem;
ssl_certificate_key  /home/admin/conf/web/ssl.mail.datahead.biz.key;

# SSL Settings
#ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers   on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

ssl_session_timeout 10m;
ssl_session_cache   shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9

# OCSP stapling
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7

port_in_redirect off;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_buffer_size 4k;
6. Add the following Code to location section
# vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf

    location / {

        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header X-Frame-Options "SAMEORIGIN"  always;
        add_header X-Content-Type-Options "nosniff"  always;
        add_header X-XSS-Protection "1; mode=block";
        add_header Content-Security-Policy "frame-ancestors https://mail.datahead.biz/;";
        add_header Referrer-Policy strict-origin-when-cross-origin;
        add_header Feature-Policy "accelerometer 'none'; ";


        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
        }
It is better to create Template, Template Location: /usr/local/vesta/data/templates/web/
Labels:

Comments

Post a Comment