The beta release of NixOS 16.09 comes with a very cool config generator for your NGINX configuration. It makes it easy to:
- Use Let’s Encrypt for certificates
- Configure virtualhosts
- Have good default configurations for SSL and headers
- Avoid mistakes
Here’s a simple setup for serving SSL-only content on example.com (this is the contents of ./conf/example.com.nix, imported below):
{
  "example.com" = {
    forceSSL = true;     # 3
    enableACME = true;   # 4
    locations."/" = {
      root = "/var/www";
    };
  };
}
Line 3 redirects traffic arriving over unsecured HTTP (port 80) to HTTPS (port 443).
Line 4 tells NixOS to obtain a certificate from Let’s Encrypt (via the ACME protocol). This option does two things: NixOS generates a self-signed certificate as a placeholder, so NGINX can start before the ACME certificate arrives, and it enables a weekly systemd timer that renews the certificates before they expire - Let’s Encrypt certificates are valid for only three months.
Lastly we want to enable NGINX with good default settings:
services.nginx = {
  enable = true;
  recommendedOptimisation = true;
  recommendedTlsSettings = true;
  recommendedGzipSettings = true;
  recommendedProxySettings = true;
  virtualHosts = import ./conf/example.com.nix;
};
This configuration gets a grade B on ssllabs.com (as of September 2016), which is a good compromise between supporting older browsers and being secure.
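As an added example (not code from the original post), here is a single configuration.nix fragment that combines the two pieces above into one file and adds a second virtual host that reverse-proxies to a local application, so that recommendedProxySettings is actually put to use. It assumes the option locations.<name>.proxyPass in addition to the options shown on this page; the hostnames, the backend address 127.0.0.1:8080 and the path /var/www/example.com are placeholders.

```nix
{ config, pkgs, ... }:

{
  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # Static site: plain HTTP is redirected to HTTPS,
      # certificate obtained and renewed via ACME.
      "example.com" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          root = "/var/www/example.com";   # placeholder path
        };
      };

      # Reverse proxy in front of an application that listens on localhost only,
      # so the backend is never exposed without TLS. recommendedProxySettings
      # takes care of the Host and X-Forwarded-* headers.
      "app.example.com" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8080";   # placeholder backend
        };
      };
    };
  };

  # Port 80 must stay open for the ACME challenge and the redirect,
  # port 443 for the actual sites.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```

After a rebuild, `curl -sI http://example.com/` should answer with a redirect whose Location header starts with https://, which confirms that forceSSL took effect.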