Configuration

<ol>
<li>
<p>Generate the <code>dhparam.pem</code> file holding the Diffie-Hellman parameters that the DHE (EDH) cipher suites enabled in the next step need:</p>
<pre><code class="language-shell">openssl dhparam -out /etc/nginx/dhparam.pem 2048</code></pre>
<blockquote>
<p>:bulb: Grab a cup of coffee; this can take a while (how long depends on your CPU speed).</p>
<p>:information_source: Please see: <a href="https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange">Diffie-Hellman key exchange background</a> and/or <a href="https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/">keyless SSL details</a>.</p>
</blockquote>
</li>
<li>
<p>Create <code>/etc/nginx/ssl_params</code>:</p>
<pre><code class="language-diff">+ # Path to the PUBLIC and PRIVATE KEYS to enable SSL connections to this server:
+ ssl_certificate /etc/certs/example.org/fullchain.pem;
+ ssl_certificate_key /etc/certs/example.org/privkey.pem;
+
+ # SSL PROTOCOLS TO USE (the ones still considered safe):
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
+
+ # Specify that server ciphers should be preferred over client ciphers:
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+
+ # Specify the file with DH parameters for DHE ciphers (made in step 1):
+ ssl_dhparam dhparam.pem;
+
+ # HSTS: tell browsers to use HTTPS for this host (and its subdomains) without trying HTTP first
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # Referrer header leakage prevention
+ add_header Referrer-Policy "no-referrer" always;
</code></pre>
<blockquote>
<p>:warning: Replace <code>example.org</code> with your domain (2x).</p>
</blockquote>
</li>
<li>
<p>Edit <code>/etc/nginx/nginx.conf</code> to enable the explicit <a href="http://nginx.org/en/docs/hash.html">hash-table</a> bucket size setting, so that Nginx has room for more (and longer) server names than its default tables hold:</p>
<pre><code class="language-diff">- # server_names_hash_bucket_size 64;
+ server_names_hash_bucket_size 64;
</code></pre>
</li>
<li>
<p>Disable Nginx's default vhost so it can be redefined in the next step:</p>
<pre><code class="language-shell">unlink /etc/nginx/sites-enabled/default</code></pre>
</li>
<li>
<p>Create a new default vhost <code>/etc/nginx/sites-enabled/default</code>:</p>
<pre><code class="language-diff">+ server {
+
+     listen 80 default_server;
+
+     location / {
+         return 301 https://$host$request_uri;
+     }
+ }
+
+ server {
+     listen 443 ssl http2 default_server;
+     include ssl_params;
+
+     location / {
+         root /var/www/html;
+         index index.nginx-debian.html;
+     }
+ }
</code></pre>
</li>
<li>
<p>Create a new vhost for webmail <code>/etc/nginx/sites-enabled/webmail</code>:</p>
<pre><code class="language-diff">+ server {
+     listen 443 ssl http2;
+     include ssl_params;
+     server_name webmail.example.org;
+
+     location / {
+         include proxy_params;
+         proxy_pass http://&lt;WEBMAIL IP&gt;:80;
+     }
+ }
</code></pre>
<blockquote>
<p>:warning: Replace <code>example.org</code> with your domain.</p>
<p>:warning: Replace <code>&lt;WEBMAIL IP&gt;</code> with the IP address of your webmail server/container/VM.</p>
<p>:bulb: Repeat this step for each HTTP/HTTPS service to be hosted.</p>
</blockquote>
</li>
<li>
<p>Reload the nginx service to apply the changes:</p>
<pre><code class="language-shell">service nginx reload</code></pre>
</li>
<li>
<p>Create a weekly cron job that reloads nginx, so renewed certificates are picked up automatically, by running <code>crontab -e</code> and adding:</p>
<pre><code class="language-shell">@weekly service nginx reload</code></pre>
</li>
</ol>
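<p>As an added example (not part of the original guide or of nginx itself), the following Python script parses nginx's directive syntax and audits an <code>ssl_params</code> snippet the way a reviewer would before reloading: it flags TLS 1.0/1.1 (deprecated by RFC 8996), a missing <code>ssl_dhparam</code>, and a Strict-Transport-Security header that is absent, has a short <code>max-age</code>, or lacks <code>always</code>. The one-year HSTS threshold is an assumed policy, and the two embedded snippets (the guide's own settings with the diff markers removed, and a variant restricted to TLS 1.2/1.3) are constructed for the example.</p>

```python
"""Audit an nginx ssl_params snippet for weak TLS settings (added example, not
part of the original guide; the policy thresholds below are assumptions)."""
import re

# Assumed policy: TLS 1.0/1.1 are deprecated by RFC 8996; one year of HSTS
# (the value the guide itself uses) is the minimum accepted here.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_MAX_AGE = 31536000

# Tokens of nginx's configuration syntax needed for a flat include file:
# whitespace, '#' comments, quoted strings, ';' / braces, bare words.
_TOKEN = re.compile(r"""
    \s+                          # whitespace (dropped)
  | \#[^\n]*                     # comment to end of line (dropped)
  | "((?:[^"\\]|\\.)*)"          # double-quoted argument -> group 1
  | '((?:[^'\\]|\\.)*)'          # single-quoted argument -> group 2
  | ([;{}])                      # terminator / block braces -> group 3
  | ([^\s;{}"'\#]+)              # bare word -> group 4
""", re.VERBOSE)

def tokenize(text):
    """Yield ('word', value) or ('punct', value); comments and spaces are skipped."""
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.group(3):
            yield ("punct", m.group(3))
        else:
            word = next((g for g in m.group(1, 2, 4) if g is not None), None)
            if word is not None:
                yield ("word", word)

def parse_directives(text):
    """Return [(name, [args]), ...] for every directive in the snippet.

    Block headers such as 'server {' are returned with their arguments; the
    braces themselves are ignored, which is enough for a flat ssl_params file.
    """
    directives, current = [], []
    for kind, value in tokenize(text):
        if kind == "word":
            current.append(value)
        else:  # ';' ends a directive, '{' / '}' end a block header or block
            if current:
                directives.append((current[0], current[1:]))
            current = []
    if current:
        raise ValueError(f"directive {current[0]!r} is missing its ';'")
    return directives

def audit_ssl_params(text):
    """Return a list of findings; an empty list means the snippet passes."""
    seen = {}
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)  # the last occurrence wins below
    findings = []
    weak = set(seen.get("ssl_protocols", [[]])[-1]) & DEPRECATED_PROTOCOLS
    if weak:
        findings.append("ssl_protocols enables deprecated versions: " + ", ".join(sorted(weak)))
    if "ssl_dhparam" not in seen:
        findings.append("ssl_dhparam missing; the DHE (EDH) suites in ssl_ciphers need it")
    hsts = [a for a in seen.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[-1][1] if len(hsts[-1]) > 1 else "")
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age below {MIN_HSTS_MAX_AGE} seconds")
        if "always" not in hsts[-1]:  # without 'always', nginx omits the header on error responses
            findings.append("HSTS add_header lacks 'always', so error responses omit it")
    return findings

# Constructed input: the guide's ssl_params as written, diff markers removed.
GUIDE_SSL_PARAMS = """
# Path to the PUBLIC and PRIVATE KEYS to enable SSL connections to this server:
ssl_certificate /etc/certs/example.org/fullchain.pem;
ssl_certificate_key /etc/certs/example.org/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer" always;
"""

# Constructed variant: the same file restricted to TLS 1.2 and 1.3.
HARDENED_SSL_PARAMS = GUIDE_SSL_PARAMS.replace(
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;")

if __name__ == "__main__":
    for label, snippet in (("guide", GUIDE_SSL_PARAMS), ("hardened", HARDENED_SSL_PARAMS)):
        findings = audit_ssl_params(snippet)
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{label}: {status}")
        for finding in findings:
            print("  -", finding)
```

<p>Run it before <code>service nginx reload</code>, or point <code>audit_ssl_params</code> at the contents of <code>/etc/nginx/ssl_params</code>; the guide's snippet produces exactly one finding (the TLS 1.0/1.1 entries), while the TLS 1.2/1.3 variant passes clean. The tokenizer keeps quoted values such as <code>"max-age=31536000; includeSubDomains"</code> as a single argument, so the <code>;</code> inside the HSTS value is not mistaken for a directive terminator.</p>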