more tweaks to gmg
[fai-configs.git] / files / etc / nginx / sites-available / mediagoblin / DEFAULT
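# Plain-HTTP virtual host: its only job is to send every request to HTTPS.
server {
    listen   80;
    server_name SERVERNAME_TOKEN;

    # Contents of this include are not shown here; any server-level
    # directives in it are evaluated before the redirect below.
    include    /etc/nginx/mediagoblin-common.conf;

    ## Redirect HTTP to HTTPS.
    # `return` issues the 301 directly instead of running a catch-all regex
    # rewrite on each request; $request_uri already carries the query string.
    # The target is built from $server_name (the configured name), not from
    # the client-supplied Host header, so a forged Host cannot steer the
    # redirect to another site.
    return 301 https://$server_name$request_uri;

    # NOTE(review): these are the same "-ssl" log files the HTTPS server
    # writes to, so port-80 and port-443 requests end up mixed in one log.
    # Confirm that is intended before using these logs to tell them apart.
    access_log  /var/log/nginx/SERVERNAME_TOKEN-ssl.access.log;
    error_log  /var/log/nginx/SERVERNAME_TOKEN-ssl.error.log;
}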
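# HTTPS virtual host for the MediaGoblin instance.
server {
  # `listen ... ssl` replaces the standalone `ssl on;` directive, which is
  # deprecated and rejected by current nginx releases.
  listen 443 ssl;

  # Name the host explicitly, as the port-80 server does, so this block is
  # selected by name rather than only by being the default for port 443.
  server_name SERVERNAME_TOKEN;

  include    /etc/nginx/mediagoblin-common.conf;

  access_log  /var/log/nginx/SERVERNAME_TOKEN-ssl.access.log;
  error_log  /var/log/nginx/SERVERNAME_TOKEN-ssl.error.log;

  ## Use a SSL/TLS cache for SSL session resume.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  # The private key must stay readable only by root / the nginx master.
  ssl_certificate /etc/letsencrypt/live/SERVERNAME_TOKEN/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/SERVERNAME_TOKEN/privkey.pem;

  # TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and no longer offered.
  # TLSv1.3 can be appended here once the installed nginx and OpenSSL
  # support it; it is left out so this file still loads on older builds.
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;

  # Same preference order as before, minus the three 3DES suites (64-bit
  # block cipher, exposed to Sweet32). `!3DES` keeps the `HIGH` catch-all
  # from re-adding them on OpenSSL versions that still class 3DES as HIGH.
  # NOTE(review): no ssl_dhparam is set. Depending on the nginx version the
  # DHE-* suites are then either skipped or run with small built-in
  # parameters; set ssl_dhparam (2048 bits or more) or drop the DHE entries.
  # NOTE(review): the plain AES*-SHA/GCM entries use static RSA key exchange
  # (no forward secrecy); remove them if no client still depends on them.
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";

  # NOTE(review): no Strict-Transport-Security header is set in this block.
  # Check whether mediagoblin-common.conf sends one; without it a client's
  # first request can still go out over plain HTTP before the redirect.
}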