Please Note: This has only been tested on RHEL6/RHEL7 with EPEL & provided nginx. YMMV.

TL;DR: Check out the Website Config File

# clone this reporitory to /etc/nginx/templates
git clone [email protected]:timgws/handy-nginx-includes.git /etc/nginx/templates
ln -s /etc/nginx/templates/site-includes /etc/nginx/site-config

• website.conf: A generic vhost domain. Has www and non-www support. Logs access to a seperate log file. Has easy to enable SSL support. Comment out the sections that you don't want or need.
• reverse-proxy.conf: A generic reverse proxy. Awesome for when you want to migrate servers. Has a block in there for serving files that exist in the root locally. Unfound files will be served by the reverse proxy.

Inside the site-includes folder there is a bunch of files that have pre-rolled setting:

• expires.conf: set high expires values for css, javascript and common image formats
• gzip.conf: enable gzip compression for common formats
• laravel.conf: a simple laravel config file
• log-me-not.conf: don't log images in the access log
• ssl.conf: enable ssl, test with Qualys SSL Labs (https://www.ssllabs.com/ssltest/) which provides a comprehensive SSL testing suite. Config should give you a green A+.

There is a template provided in vhost-template/website.conf. I recommend that this template is copied with the required vhost name into /etc/nginx/conf.d.

For example, when setting up newdomain.com, copy vhost-template/website.conf as /etc/nginx/conf.d/newdomain.com.conf.

Edit the newly created file and ensure that the settings are all correct

To avoid Logjam (https://weakdh.org/sysadmin.html) you want to ensure that before you use SSL for the first time on a server that you generate an unique dhparam file.

mkdir /etc/ssl/certs && cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

If you don't do this, the SSL templates will not work for you.

Create an SSL certificate. Use the SSL template to ensure you can't skip required names (like the email address or hostname field).

cd /etc/nginx/ssl/
openssl req -config ../templates/openssl/ssl.conf -new -nodes -keyout domainname.com.key -out domainname.com.csr

# output the CSR and send to the certificate provider
cat domainname.com.csr

# or, on a mac, to automatically copy the contents into your clipboard
cat domainname.com.csr | pbcopy

After ordering an SSL certificate with your favourite SSL provider (I normally order Geotrust $10 certificates from either enom or Namecheap), paste the above generated CSR when asked by your certificate wholesaler. Ensure that you can send an email to one of the listed email addresses.

Confirm your email address, then save the certificate once you recieve it.

# on a mac
pbpaste > /etc/nginx/ssl/domainname.com.crt

# on Linux
cat > /etc/nginx/ssl/domainname.com.crt

{paste certificate from email/web interface}
{CTRL+D}