Update nginx configuration.

stefansundin · Sep 20, 2023 · 3e1bccb · 3e1bccb
1 parent 7f186ad
commit 3e1bccb
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 18 deletions.
diff --git a/.ebextensions/21-certbot.config b/.ebextensions/21-certbot.config
@@ -10,10 +10,6 @@
 
 # Once you have the cert and the symlink is set up, update nginx.conf to use it.
 
-# Also create a self-signed cert to avoid exposing the real cert when the wrong SNI hostname is used:
-# mkdir -p /etc/letsencrypt/selfsigned/
-# openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/letsencrypt/selfsigned/privkey.pem -out /etc/letsencrypt/selfsigned/cert.pem -subj "/"
-
 # packages:
 #   yum:
 #     python2-certbot-apache.noarch: []

diff --git a/.platform/nginx/nginx.conf b/.platform/nginx/nginx.conf
@@ -53,9 +53,13 @@ http {
     # ssl_certificate           /etc/letsencrypt/live/eb/fullchain.pem;
     # ssl_certificate_key       /etc/letsencrypt/live/eb/privkey.pem;
     # ssl_session_timeout       5m;
+    # ssl_session_cache         builtin:1000 shared:SSL:10m;
     # ssl_protocols             TLSv1.2;
-    # ssl_ciphers               "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
-    # ssl_prefer_server_ciphers on;
+    # ssl_prefer_server_ciphers off;
+    # ssl_stapling              on;
+
+    # DNS resolver is required for OCSP stapling
+    resolver 169.254.169.253 1.1.1.1;
 
     # Compress static assets
     gzip            on;
@@ -103,6 +107,7 @@ http {
   #   # To limit this to when the correct domain name is used:
   #   # server_name yourdomainhere.elasticbeanstalk.com;
   #   listen 80;
+  #   listen [::]:80;
   #   location ^~ /.well-known/  {
   #     root /var/acme-challenges;
   #   }
@@ -114,24 +119,18 @@ http {
   #   }
   # }
 
-  # Serve 404 errors when the wrong domain name is used (will catch most bots)
+  # Block requests that use the wrong domain name (will catch most bots)
   # server {
   #   listen 80 default_server;
+  #   listen [::]:80 default_server;
   #   location / {
   #     return 404;
   #   }
   # }
   # server {
-  #   listen 443 ssl http2 default_server;
-  #   listen [::]:443 ssl http2 default_server;
-  #   ssl_certificate           /etc/letsencrypt/selfsigned/cert.pem;
-  #   ssl_certificate_key       /etc/letsencrypt/selfsigned/privkey.pem;
-  #   ssl_session_timeout       5m;
-  #   ssl_protocols             TLSv1.2;
-  #   ssl_ciphers               "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
-  #   ssl_prefer_server_ciphers on;
-  #   location / {
-  #     return 404;
-  #   }
+  #   listen 443 ssl default_server;
+  #   listen [::]:443 ssl default_server;
+  #   ssl_protocols TLSv1.2;
+  #   ssl_reject_handshake on;
   # }
 }