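# nginx main configuration: one worker in the foreground (daemon off), TLS
# defaults shared by the http{} and stream{} contexts, and site-specific
# server blocks pulled in from /etc/nginx/conf/{http,stream}.conf.
#
# NOTE: this file was previously collapsed onto a single line; in that form the
# first '#' comment swallowed every directive after it up to the line end, so
# none of the TLS settings below were actually applied. Directives are now one
# per line so that '#' comments end where they should.

user nginx;
worker_processes 1;
daemon off;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # Response compression is on globally. Compressing responses that echo
    # attacker-controlled input next to a secret (CSRF tokens etc.) over TLS is
    # the BREACH pattern; included server blocks should disable gzip for such
    # responses if they exist (cannot tell from here).
    gzip on;

    # Modern SSL config
    # Only TLS 1.2 is offered; TLS 1.3 is not listed. TODO(review): confirm the
    # nginx/OpenSSL build supports TLSv1.3 before adding it here and in stream{}.
    ssl_protocols TLSv1.2;
    # ECDHE-only list (forward secrecy), AEAD suites first. The last four
    # entries (*-AES256-SHA384, *-AES128-SHA256) are CBC-mode, non-AEAD suites
    # kept for client compatibility; drop them if no such clients remain.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    # Server-side suite order wins over the client's preference.
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:HTTPS:50m;
    # Session tickets disabled: resumption goes through the server-side cache
    # above rather than a ticket key that would have to be rotated.
    ssl_session_tickets off;
    # DH parameters are only consulted for DHE suites, and the list above is
    # ECDHE-only, so this file is unused unless the cipher list changes.
    ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;

    # Logstash log format
    log_format logstash '$http_host '
                        '$remote_addr [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" '
                        '$request_time '
                        '$upstream_response_time';
    access_log /var/log/nginx/access.log logstash;

    # Default tazj.in config (certs need to be overridden for other stuff, like oslo.pub)
    ssl_certificate /etc/nginx/ssl/tazj.in/tls.crt;
    ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.key;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # Inheritance caveat: add_header is inherited from this level only when the
    # server/location block has no add_header of its own. Any block in the
    # included http.conf that sets its own headers must repeat this directive,
    # or it will serve responses without HSTS.
    add_header Strict-Transport-Security max-age=15768000;

    include /etc/nginx/conf/http.conf;
}

stream {
    # Same TLS policy as http{} above; keep the two in sync when changing either.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:STREAM:50m;
    ssl_session_tickets off;

    # Default tazj.in certificate
    ssl_certificate /etc/nginx/ssl/tazj.in/tls.crt;
    ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.key;

    include /etc/nginx/conf/stream.conf;
}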