
Commit dfc433a

author
Andrew Welch
committed
Merge branch 'release/1.0.28'
2 parents 1eca62d + 349b8cd commit dfc433a


5 files changed

+16
-8
lines changed


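--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Nginx-Craft Changelog
 
+## 1.0.28 - 2020.08.20
+### Changed
+* Set `server_tokens` to `off`
+* Changed the `dhparam` setting to `/etc/nginx/dhparams.pem` to mirror the Forge default
+
 ## 1.0.27 - 2020.06.23
 ### Changed
 * Explicitly set `DOCUMENT_ROOT`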

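--- a/README.md
+++ b/README.md
@@ -51,7 +51,7 @@ This Nginx configuration comes in two parts:
 ## Using Nginx-Craft
 
 1. Obtain an SSL certificate for your domain via [LetsEncrypt.com](https://letsencrypt.org/) (or via other certificate authorities). LetsEncrypt.com is free, and it's automated. You will need a basic server up and running that responds to port 80 to do this, [LetsEnecrypt/Nginx tutorial](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04)
-2. Create a `dhparam.pem` via `sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048`
+2. Create a `dhparam.pem` via `sudo openssl dhparam -out /etc/nginx/dhparams.pem 2048`
 3. Download your Issuer certificate via `mkdir /etc/nginx/ssl; sudo wget -O /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"`
 4. Upload the entire `nginx-partials` folder to `/etc/nginx/`
 5. Rename the `somedomain.com.conf` file to `yourdomain.com.conf`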

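--- a/forge-example/NginxConfiguration.conf
+++ b/forge-example/NginxConfiguration.conf
@@ -1,4 +1,4 @@
-# FORGE CONFIG (DOT NOT REMOVE!)
+# FORGE CONFIG (DO NOT REMOVE!)
 include forge-conf/SOMEDOMAIN.com/before/*;
 
 # Bots to ban via user agent
@@ -14,6 +14,7 @@ server {
 
 # General virtual host settings
 server_name SOMEDOMAIN.com;
+server_tokens off;
 root /home/forge/SOMEDOMAIN.com/public;
 index index.html index.htm index.php;
 charset utf-8;
@@ -59,16 +60,14 @@ server {
 #error_log syslog:server=unix:/dev/log,facility=local7,tag=nginx,severity=error;
 
 # FORGE SSL (DO NOT REMOVE!)
-# ssl_certificate;
-# ssl_certificate_key;
 ssl_certificate /etc/nginx/ssl/SOMEDOMAIN.com/XXXXXX/server.crt;
 ssl_certificate_key /etc/nginx/ssl/SOMEDOMAIN.com/XXXXXX/server.key;
 
 # SSL/TLS configuration, with TLSv1.0 disabled because it is insecure; note that IE 8, 9 & 10 support
 # TLSv1.1, but it's not enabled by default clients using those browsers will not be able to connect
 ssl_protocols TLSv1.2 TLSv1.1;
 ssl_prefer_server_ciphers on;
-ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_dhparam /etc/nginx/dhparams.pem;
 ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
 ssl_buffer_size 4k;
 ssl_session_timeout 4h;
@@ -77,7 +76,7 @@ server {
 ssl_stapling_verify on;
 ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;
 
-# FORGE CONFIG (DOT NOT REMOVE!)
+# FORGE CONFIG (DO NOT REMOVE!)
 include forge-conf/SOMEDOMAIN.com/server/*;
 
 # Load configuration files from nginx-partials
@@ -156,5 +155,5 @@ server {
 }
 }
 
-# FORGE CONFIG (DOT NOT REMOVE!)
+# FORGE CONFIG (DO NOT REMOVE!)
 include forge-conf/SOMEDOMAIN.com/after/*;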
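Review bot: The new `ssl_dhparam /etc/nginx/dhparams.pem;` line (third hunk) points at a file this config neither ships nor mentions, and nginx will not load a configuration whose `ssl_dhparam` file is missing, so hosts set up with the earlier `/etc/ssl/certs/dhparam.pem` path need the file regenerated or moved before reloading. A comment above the directive would make that explicit, e.g. `# Must exist before reload: openssl dhparam -out /etc/nginx/dhparams.pem 2048`. The same applies to the `ssl_dhparam` change in sites-available/somedomain.com.conf. In the adjacent `ssl_ciphers` line the only finite-field DH entry is `DH+3DES`, so these parameters serve only 3DES suites; dropping that entry and `TLSv1.1` from `ssl_protocols` would be a sensible follow-up. The server block starts and ends outside the hunk.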

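--- a/sites-available/basic_localdev.com.conf
+++ b/sites-available/basic_localdev.com.conf
@@ -16,6 +16,7 @@ server {
 
 # General virtual host settings
 server_name SOMEDOMAIN.com;
+server_tokens off;
 root "/var/www/SOMEDOMAIN/public";
 index index.html index.htm index.php;
 charset utf-8;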
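Review bot: `server_tokens off;` is added per `server` block, so it only covers the virtual hosts that carry the line; any other server block on the host, such as a distribution default server, would presumably still send the nginx version. The directive is also valid in the `http` context, so a single `server_tokens off;` in the shared http-level configuration would cover every vhost and avoid repeating it in forge-example/NginxConfiguration.conf and three times in sites-available/somedomain.com.conf. If the per-server form is kept, a comment such as `# Hide the nginx version in the Server header and on error pages` would document the intent. The server block starts and ends outside the hunk.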

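--- a/sites-available/somedomain.com.conf
+++ b/sites-available/somedomain.com.conf
@@ -17,6 +17,7 @@ server {
 listen 80;
 listen [::]:80;
 server_name .SOMEDOMAIN.com;
+server_tokens off;
 return 301 https://SOMEDOMAIN.com$request_uri;
 }
 
@@ -26,6 +27,7 @@ server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
 server_name *.SOMEDOMAIN.com;
+server_tokens off;
 ssl_certificate /etc/letsencrypt/live/SOMEDOMAIN.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/SOMEDOMAIN.com/privkey.pem;
 return 301 https://SOMEDOMAIN.com$request_uri;
@@ -39,6 +41,7 @@ server {
 
 # General virtual host settings
 server_name SOMEDOMAIN.com;
+server_tokens off;
 root "/var/www/SOMEDOMAIN/public";
 index index.html index.htm index.php;
 charset utf-8;
@@ -163,7 +166,7 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/SOMEDOMAIN.com/privkey.pem;
 ssl_protocols TLSv1.2 TLSv1.1;
 ssl_prefer_server_ciphers on;
-ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ssl_dhparam /etc/nginx/dhparams.pem;
 ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
 ssl_buffer_size 4k;
 ssl_session_timeout 4h;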
