nginx.conf.tmpl

pid var/nginx.pid;
error_log var/logs/error.log;

worker_processes 3;
events {
    worker_connections  1024;
}

# Most of the following SSL configuration is based on the ngx_http_ssl_module.
# This module makes use of the Open SSL library.
# See here for more information:
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html

http {
    # The following global SSL configuration is usually same for all virtual servers.
    # Thus we put it into the http context -- it will apply to all servers even when you add new ones later.

    # supported protocol versions and cipher suites (in Open-SSL notation)
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA;

    # prefer strong cipher suites
    ssl_prefer_server_ciphers on;

    # use custom Diffie-Hellman parameters from a file for DHE cipher suites (use 2048 bit params, rather than the default 1024 bit)
    # looks like neither openssl nor nginx have defaults for this, omitting this directive will silently disable all configured DHE cipher suites
    # the file can be generated with e.g.:
    # openssl dhparam -out nginx.dhparams.pem 3072
    # TODO Generate this on server init? Seems to take about half a minute:(
    ssl_dhparam nginx.dhparams.pem;

    # improve HTTPS performance:
    # use connection keep-alive and session resumption (but disable session tickets for now)
    keepalive_timeout 10s;
    ssl_session_cache shared:foo-example-net:20m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # log http(s) requests to file
    access_log var/logs/access.log;

    # include configuration for distinct servers (virtual hosts)
    include ./virtual/*/nginx.conf;
}