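# use https
#
# Self-signed certificate: clients get no identity assurance unless they
# explicitly trust or pin this certificate. -nodes leaves the private key
# unencrypted on disk, so keep it readable by root only.
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -keyout /etc/ssl/private/nginx-selfsigned.key \
    -out /etc/ssl/certs/nginx-selfsigned.crt
chmod 600 /etc/ssl/private/nginx-selfsigned.key
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

nano /etc/nginx/snippets/self-signed.conf
FILE:
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
FILE-END!

nano /etc/nginx/snippets/ssl-params.conf
FILE:
# TLSv1 and TLSv1.1 are deprecated (RFC 8996) and are no longer offered.
# Remove TLSv1.3 if this nginx/OpenSSL build is too old to know it.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# NOTE(review): OCSP stapling needs an issuer certificate and an OCSP responder;
# with the self-signed certificate above nginx is expected to ignore these two
# lines with a warning. They take effect once a CA-issued certificate is used.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Browsers only honour HSTS on a connection without certificate errors, so this
# header matters once the certificate is trusted by the client.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
FILE-END!

# now password-protect subdomain
#
# htpasswd prompts for the password, so it does not end up in shell history.
# -c creates the file and overwrites an existing one: use it for the first user only.
# Keep the file outside the web root and readable only by root and the nginx
# worker group, e.g. chown root:<nginx-group> /etc/nginx/.htpasswd && chmod 640 /etc/nginx/.htpasswd
htpasswd -c /etc/nginx/.htpasswd username
nano /etc/nginx/.htpasswd
FILE:
username:encrypted-password:comment
FILE-END!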
# to generate password: # perl -le 'print crypt("your-password", "salt-hash")' # or use RUBY with command "irb" # "your-password".crypt("salt-hash") nano /etc/nginx/.htpasswd FILE: username:encrypted-password:comment nano /etc/nginx/sites-available/SUB.conf // change SUB to desired name FILE-REPLACE: server { listen 80; root /path/to/folder; server_name SUB.domain.com SUB.domain.com; return 302 https://$server_name$request_uri; } server { listen 443 ssl default_server; root /path/to/folder; server_name SUB.domain.com SUB.domain.com; include snippets/self-signed.conf; include snippets/ssl-params.conf; location ~* \.php$ { include fastcgi.conf; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; } location / { fancyindex on; fancyindex_default_sort name; # name, size, date, name_desc, size_desc, date_desc fancyindex_directories_first on; fancyindex_exact_size off; fancyindex_name_length 80; fancyindex_localtime on; fancyindex_time_format "%d-%m-%Y %H:%M"; auth_basic "Restricted Content"; auth_basic_user_file /etc/nginx/.htpasswd; } location ~ /\.ht { deny all; } } FILE-END!