# default blank vhost # # clients asking for "example.com" should only get a response if we have # a vhost serving that domain. server { listen 80 default; listen [::]:80 default; server_name _; return 444; } server { listen 443 ssl http2 default; server_name _; # "snakeoil" certificate (self signed!) ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt; ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key; ssl_session_timeout {{ nginx_ssl_session_timeout }}; ssl_session_cache {{ nginx_ssl_session_cache }}; ssl_buffer_size {{ nginx_ssl_buffer_size }}; ssl_dhparam {{ nginx_ssl_dhparam }}; ssl_protocols {{ nginx_ssl_protocols }}; ssl_ciphers "{{ tls_cipher_suite }}"; ssl_prefer_server_ciphers on; # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and # when a restart is performed the previous key is lost, which resets all previous # sessions. The fix for this is to setup a manual rotation mechanism: # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx # # Note that you'll have to define and rotate the keys securely by yourself. In absence # of such infrastructure, consider turning off session tickets: ssl_session_tickets off; return 444; }