

Set up Nginx to host a static site

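# https://www.example.com
# Main site: serves the static files for the canonical host.
server {

    # Enable SSL and HTTP/2.
    # NOTE: nginx 1.25.1+ deprecates the "http2" listen parameter in favour of a
    # separate "http2 on;" directive; keep whichever form your version accepts.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name www.example.com;

    # Certificate, private key and the chain used to verify stapled OCSP responses.
    # The key file should stay readable by root only; the nginx master reads it.
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;

    # TLS 1.2 with forward-secret AEAD suites only; TLS 1.3 limited to its two
    # 256-bit suites. (OpenSSL ignores the TLS 1.3 names inside ssl_ciphers; they
    # take effect through the Ciphersuites command below.)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    # ssl_conf_command requires nginx 1.19.4+ built against OpenSSL 1.0.2+.
    ssl_conf_command Options ServerPreference;
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;

    # OCSP stapling; the resolver is only used to reach the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1;
    resolver_timeout 5s;

    # Security headers. "always" attaches them to error responses as well.
    # NOTE: add_header is NOT inherited by any location that declares its own
    # add_header, so every such location below repeats this full set.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin" always;
    # The legacy XSS auditor is switched off explicitly ("0"): current browsers
    # have removed it, and its filtering mode caused problems in older ones.
    add_header X-XSS-Protection "0" always;
    # HSTS for two years. "preload" is effectively irreversible: only submit the
    # domain to the preload list once every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    # A Content-Security-Policy is worth adding once the site's resource origins
    # are known; it is omitted here because it is content-specific.

    # Document root
    root /var/www/www.example.com/;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    # Block access to dot-files and dot-directories except .well-known (ACME).
    # Regex locations are tried in configuration order and the first match wins,
    # so this must come BEFORE the static-asset location, otherwise e.g. a
    # dot-file ending in .js or .css would be served by the cache rule instead.
    location ~ /\.(?!well-known).* {
        deny all;
    }

    # Cache static assets for as long as possible.
    # Declaring add_header here discards the inherited security headers, so
    # they are repeated alongside Cache-Control.
    location ~* \.(css|js|png|jpg|webp)$ {
        expires max;
        add_header Cache-Control "public";
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin" always;
        add_header X-XSS-Protection "0" always;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    }

    # Only GET and HEAD are meaningful for a static site; reject the rest.
    # (add_header is not allowed inside a server-level "if", so this 405 is
    # sent without an Allow header.)
    if ($request_method !~ ^(GET|HEAD)$ ) {
        return 405;
    }

    error_page 404 /404.html;
}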

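# http://www.example.com
# Redirects to https://www.example.com
server {

    listen 80;
    listen [::]:80;
    server_name  www.example.com;

    # Redirect http to https.
    # The target is the canonical name, not $host: if this block ends up being
    # the default server for port 80 (no default_server is declared here), it
    # also receives requests whose Host header matches no server_name, and
    # echoing that header would let the redirect point at an arbitrary host.
    return 301 https://www.example.com$request_uri;
}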

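# https://example.com
# Redirects to https://www.example.com
server {

    # Enable SSL and HTTP/2 (see the note on the "http2" listen parameter above).
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Certificate, private key and chain for the apex name.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

    # Same TLS policy as the main site. Without these the block falls back to
    # the nginx defaults, which on older releases still include TLSv1/TLSv1.1,
    # so the apex name would negotiate weaker settings than www.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_conf_command Options ServerPreference;
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;

    # OCSP stapling, as on the main site (ssl_trusted_certificate is only
    # consulted when stapling verification is on).
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1;
    resolver_timeout 5s;

    server_name example.com;

    # HSTS header, so browsers remember HTTPS for the apex name as well.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;

    # Redirect the apex name to the canonical www host.
    # The destination is written out literally rather than derived from $host
    # so the redirect can never echo a client-supplied Host header.
    return 301 https://www.example.com$request_uri;
}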

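# http://example.com
# Redirects to https://www.example.com
server {

    listen 80;
    listen [::]:80;
    server_name  example.com;

    # Redirect http on the apex name straight to the canonical https host.
    # Literal destination rather than "www.$host": a request selected by this
    # block as default server could otherwise be redirected to an arbitrary
    # host taken from its Host header.
    return 301 https://www.example.com$request_uri;
}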