And you don't set the `default_server` as this document suggests. `default_server` is a parameter to the `listen` directive. The only reason the docs might work is because the first server block defined, when none is defined as `default_server`, becomes the default server.
listen 80 default_server;
Edit: Shout-out to #nginx on FreeNode, where you'll always find someone to point you in the right direction or help you out.
"Some of the headers that are suggested have some implications that aren't really explained at all. Like HSTS including sub-domains." - This repo also contains "Force all connections over TLS". However, I understand your attention.
"And you don't set the `default_server` as this document suggests. `default_server` is a parameter to the `listen` directive. The only reason the docs might work is because the first server block defined, when none is defined as `default_server`, becomes the default server." - You're right, your suggestion is very good (it's also from the official Nginx handbook) and rational, thanks for this! I receive this criticism, my mistake.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
On a top domain site like https://example.com, if there are subdomain sites like http://golf.example.com which are not configured with TLS, the setting will be stored on the clients and they need to "forget" non-https sites after you have rolled back the misconfiguration. Of course you could go in the other direction and enable https for all subdomains. :)
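An added example, not code from the thread or from the nginxconfig.io project, that turns the two points above into a small lint: for each listen socket it reports which block nginx treats as default (an explicit `default_server`, otherwise the first block on that socket), and it flags HSTS headers with `includeSubDomains` together with how long, in days, clients will insist on HTTPS for every subdomain. The nginx config it parses is constructed for the example and has no nested location blocks.

```python
import re
# Constructed sample config (not from the thread): two TLS vhosts, neither marked
# default_server, one sending HSTS with includeSubdomains; flat blocks only.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name example.com;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
}
server {
    listen 443 ssl;
    listen 80 default_server;
    server_name golf.example.com;
}
"""

SERVER_RE = re.compile(r"server\s*\{(.*?)\}", re.S)
LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.M)
NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);", re.M)
HSTS_RE = re.compile(r'add_header\s+Strict-Transport-Security\s+"([^"]*)"', re.I)

def parse_servers(conf):
    # One dict per server block: listen sockets with their default_server flag,
    # first server_name, and the HSTS header value if any.
    servers = []
    for body in SERVER_RE.findall(conf):
        listens = [(l.split()[0], "default_server" in l.split()) for l in LISTEN_RE.findall(body)]
        name, hsts = NAME_RE.search(body), HSTS_RE.search(body)
        servers.append({"name": name.group(1).split()[0] if name else "(no server_name)",
                        "listens": listens, "hsts": hsts.group(1) if hsts else None})
    return servers

def default_servers(servers):
    # Socket -> (name, explicit). A block marked default_server wins; otherwise
    # nginx uses the first block that listens on that socket.
    result = {}
    for srv in servers:
        for sock, explicit in srv["listens"]:
            if explicit or sock not in result:
                result[sock] = (srv["name"], explicit)
    return result

def hsts_findings(servers):
    # Blocks whose HSTS policy includes subdomains: every subdomain must then serve
    # HTTPS for max-age (returned in days) once a client has stored the header.
    findings = []
    for srv in servers:
        directives = [d.strip().lower() for d in (srv["hsts"] or "").split(";")]
        max_age = next((int(d[8:]) for d in directives if d.startswith("max-age=")), 0)
        if "includesubdomains" in directives:
            findings.append((srv["name"], max_age // 86400))
    return findings
```

With the sample above, port 443 falls to example.com only by declaration order, and the HSTS finding shows golf.example.com would need TLS for 730 days once a browser has seen example.com's header.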
Is this really the best solution? This might get me an A+ at ssllabs but I also need an "A" from gtmetrics, and if I turn off gzip I will not get an A.
How do HTTP2 and HTTP3 perform on this question? I always perceived deflate/gzip compression as something preferable. I never realized the CRIME attack before.
SSL/TLS compression has been disabled in nginx since 1.3.2
Web server configuration should be simple if you already have the correct mindset. It's the nuances of each specific directive or variable that make config hard. Try remembering all those access_log formats. Ehh!
Also, I added a PR to add thread_pool support (https://github.com/valentinxxx/nginxconfig.io/pull/66)