In the previous tutorial we already secured nginx and vesta-nginx with a Let's Encrypt certificate. Now it is important to harden the server FQDN itself (in this example the FQDN is mail.datahead.biz). First HTTP/2 is enabled in the HTTPS server block, then every plain-HTTP request is redirected to HTTPS, and finally the TLS settings and the response headers are tightened.
Steps in this tutorial:
1. Enable HTTP/2 in the HTTPS server block
2. Redirect all HTTP requests to HTTPS
3. Check the result in Firefox (Flagfox add-on)
4. Verify HTTP/2 with https://tools.keycdn.com/http2-test
5. Harden the TLS settings next to the ssl_certificate lines
6. Add security headers to the location section
1. Enable HTTP/2 in the HTTPS server block (the `http2` parameter goes on the same `listen` line as `ssl`)
# vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf
server {
# HTTPS vhost for the server FQDN. Binding to the explicit server IP rather than
# 0.0.0.0 keeps this vhost off any other interface; `ssl` and `http2` on the
# listen line are the modern replacement for the `ssl on;` directive.
listen 192.146.82.3:443 ssl http2;
server_name mail.datahead.biz ;
# Hide the nginx version in the Server header and on error pages.
server_tokens off;
root /home/admin/web/mail.datahead.biz/public_html;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/mail.datahead.biz.log combined;
access_log /var/log/nginx/domains/mail.datahead.biz.bytes bytes;
error_log /var/log/nginx/domains/mail.datahead.biz.error.log error;
# Kept commented on purpose: `ssl on;` is deprecated (nginx >= 1.15.0) in favour
# of the `ssl` listen parameter above; having both is redundant.
#ssl on;
# Let's Encrypt certificate and key as written by VestaCP. The .pem should carry
# the leaf plus the intermediate chain; without the intermediate, clients that do
# not cache it fail validation and OCSP stapling verification cannot work.
ssl_certificate /home/admin/conf/web/ssl.mail.datahead.biz.pem;
ssl_certificate_key /home/admin/conf/web/ssl.mail.datahead.biz.key;
# … the rest of this server block (locations, PHP handling, closing brace) is
# unchanged and not shown in this excerpt.
2. Redirect all HTTP requests to HTTPS (this is the plain-HTTP server block for the same FQDN)
server {
listen 192.146.82.3:80;
server_name mail.datahead.biz ;
server_tokens off;
# root/index/log directives are inert for a vhost whose only job is the redirect
# below; they are kept so the block matches the VestaCP template layout.
root /home/admin/web/mail.datahead.biz/public_html;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/mail.datahead.biz.log combined;
access_log /var/log/nginx/domains/mail.datahead.biz.bytes bytes;
error_log /var/log/nginx/domains/mail.datahead.biz.error.log error;
# Permanent redirect of every request to HTTPS. $server_name (the configured
# name) is used deliberately instead of $host: $host echoes the client-supplied
# Host header and would let a request be bounced to an attacker-chosen name.
# Let's Encrypt HTTP-01 validation follows this 301, so renewal keeps working as
# long as the HTTPS vhost serves the same document root (it does, see step 1).
return 301 https://$server_name$request_uri;
# (the server block's closing brace is not shown in this excerpt)
3. Install the Flagfox add-on in Mozilla Firefox and check the site status
4. Visit https://tools.keycdn.com/http2-test to confirm HTTP/2 is negotiated (the test needs the HTTPS vhost to be reachable from the Internet)
5. Add the following TLS settings directly below the ssl_certificate lines
# vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf
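#ssl on;
ssl_certificate /home/admin/conf/web/ssl.mail.datahead.biz.pem;
ssl_certificate_key /home/admin/conf/web/ssl.mail.datahead.biz.key;
# SSL Settings
# TLS 1.0/1.1 are deliberately not offered. TLS 1.3 needs nginx >= 1.13.0 built
# against OpenSSL >= 1.1.1; on such a build use `ssl_protocols TLSv1.2 TLSv1.3;`.
#ssl_protocols TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2;
# The server picks from its own ordered list instead of honouring the client's order.
ssl_prefer_server_ciphers on;
# Custom 4096-bit DH group for the DHE-* suites (the OpenSSL default is weaker).
# Generate once: openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_dhparam /etc/nginx/dhparam.pem;
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# Forward-secret AEAD suites only. The previous list named
# ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512, which are not
# OpenSSL cipher names and were silently dropped, and ECDHE-RSA-AES256-SHA384,
# a CBC (non-AEAD) suite. RSA suites match the Let's Encrypt RSA certificate.
# ChaCha20-Poly1305 needs OpenSSL >= 1.1.0; OpenSSL ignores an unknown name as
# long as at least one other name matches, so the line is safe on older builds.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
# Pins the ECDHE key exchange to P-384. OpenSSL >= 1.0.2 accepts a list here
# (e.g. `X25519:secp384r1` on OpenSSL >= 1.1.0) if X25519 is wanted.
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
# Resumption via the server-side shared cache (10 MB, 10 minutes).
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
# Tickets off: a long-lived ticket key can decrypt every session resumed with
# it, which undermines forward secrecy; the cache above does not have this issue.
ssl_session_tickets off; # Requires nginx >= 1.5.9
# OCSP stapling
ssl_stapling on; # Requires nginx >= 1.3.7
# Verification needs the issuer chain. If the .pem above does not carry the
# intermediate, point ssl_trusted_certificate at the CA bundle; otherwise nginx
# only logs a warning and quietly stops stapling.
ssl_stapling_verify on; # Requires nginx >= 1.3.7
# Not a TLS setting: omit the port in nginx-generated redirects (harmless on 443).
port_in_redirect off;
# Used for the OCSP responder lookup. These are plain-text DNS queries to a
# third party; a local resolver (e.g. 127.0.0.1) keeps the lookups on-box.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Smaller TLS records (default 16k) reduce time-to-first-byte for small responses.
ssl_buffer_size 4k;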
6. Add the following security headers to the location section
# vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf
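location / {
# nginx inherits add_header only into contexts that define no add_header of
# their own, so any other location in this vhost that sets a header must repeat
# the whole set. `always` makes a header appear on 4xx/5xx responses too; the
# previous HSTS line lacked it and was skipped on error pages.
# `preload` is a commitment: once submitted to hstspreload.org, every subdomain
# must serve HTTPS for the whole max-age. Leave it out until that is certain.
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# The legacy XSS auditor has been removed from Chromium-based browsers and its
# filtering mode was itself abused as a side channel; "0" disables it explicitly.
add_header X-XSS-Protection "0" always;
# CSP equivalent of X-Frame-Options above (both are sent for older clients).
add_header Content-Security-Policy "frame-ancestors https://mail.datahead.biz/;" always;
add_header Referrer-Policy strict-origin-when-cross-origin always;
# Feature-Policy was renamed Permissions-Policy; serve both until old clients are gone.
add_header Feature-Policy "accelerometer 'none'; " always;
add_header Permissions-Policy "accelerometer=()" always;
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
# No add_header here, so the headers above are inherited into this location.
# Far-future Expires/Cache-Control for static assets.
expires max;
}
# … the rest of the existing `location /` block from the VestaCP template
# (proxy/PHP handling and its closing brace) stays as it is.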
It is better to put these changes into a VestaCP web template rather than editing the generated per-domain files: VestaCP rewrites those files from its templates when the domain is changed, so manual edits can be lost. Template location: /usr/local/vesta/data/templates/web/