@tr00st
Last active August 29, 2015 14:24
SSL config options for nginx
# Remove legacy SSL support (SSLv2/SSLv3). If you really need it, you're supporting IE6 yourself. Sorry.
# Note: TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); drop them as well unless you must keep old clients.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Settings for cached SSL sessions.
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
# Choose some DH params. nginx accepts only one ssl_dhparam directive per context,
# so leave exactly one of the following uncommented (a second one fails at
# `nginx -t` with '"ssl_dhparam" directive is duplicate'). The DH params only
# matter for the DHE (EDH) suites; ECDHE suites do not use them.
# Need java 1.6 and 1.7? You'll need to use a 1k set (those JREs reject DH primes larger than 1024 bits).
# 1024-bit DH is considered weak; use it only if you genuinely need those clients.
# $ openssl dhparam -out dhparam_1k.pem 1024
#ssl_dhparam /etc/nginx/certs/dhparam_1k.pem;
# Need 1.8? A 2k set is fine
# $ openssl dhparam -out dhparam_2k.pem 2048
ssl_dhparam /etc/nginx/certs/dhparam_2k.pem;
# Anything else? Use a 4k or 8k (or set some 16k running and wait a very long time...)
# $ openssl dhparam -out dhparam_4k.pem 4096
#ssl_dhparam /etc/nginx/certs/dhparam_4k.pem;
# $ openssl dhparam -out dhparam_8k.pem 8192
#ssl_dhparam /etc/nginx/certs/dhparam_8k.pem;
# Stop browsers doing stupid things and ignoring our ciphers: the server's preference order wins.
ssl_prefer_server_ciphers on;
# Pick a cipher suite (again, only one ssl_ciphers directive per context):
# Need IE8/XP? Use this one, as it enables DES-CBC3-SHA for IE8.
# Note the OpenSSL cipher-string syntax: "-3DES" removes 3DES but lets the later
# "kRSA+3DES+SHA" add it back at the end of the list, whereas "!3DES" would
# remove it permanently.
#ssl_ciphers "EECDH:kRSA:!MD5:!DSS:!RC4:-3DES:!NULL:!DES:!SEED:!IDEA:kRSA+3DES+SHA";
# Otherwise, use a more secure set (forward-secret DHE/ECDHE suites only):
ssl_ciphers "EDH:EECDH:!MD5:!DSS:!RC4:!3DES:!NULL:!DES:!SEED:!IDEA";
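A cipher string is only as good as what the local OpenSSL expands it to, so before shipping either `ssl_ciphers` line it is worth listing the suites nginx will actually offer. The following shell script is an added example (not part of the gist): it expands each string with `openssl ciphers -v` and checks that the "more secure" set contains no static-RSA, RC4, DES, 3DES, MD5, NULL or DSS suites, while confirming that the IE8 set does reintroduce static RSA. The `-v` column names (`Kx=`, `Au=`, `Enc=`, `Mac=`) are OpenSSL's own; the cipher strings are the two from the config above. Which suites appear depends on your OpenSSL build and version, and this check does not replace `nginx -t` on the final config.

```shell
#!/bin/sh
# Added example (not from the gist): expand nginx ssl_ciphers strings with the
# local OpenSSL and verify what the server would really offer.
# Requires the openssl CLI; results depend on the OpenSSL build in use.

# The two cipher strings from the config above.
IE8_CIPHERS='EECDH:kRSA:!MD5:!DSS:!RC4:-3DES:!NULL:!DES:!SEED:!IDEA:kRSA+3DES+SHA'
SECURE_CIPHERS='EDH:EECDH:!MD5:!DSS:!RC4:!3DES:!NULL:!DES:!SEED:!IDEA'

# Print the suites a cipher string expands to, one per line, in the order the
# server will prefer them (ssl_prefer_server_ciphers on). TLS 1.3 suites, which
# newer OpenSSL prepends to the list, are dropped: ssl_ciphers does not govern them.
expand_ciphers() {
    openssl ciphers -v "$1" | grep -v '^TLS_'
}

# Count suites in a cipher string that carry a given -v property, e.g.
# 'Kx=RSA' (static RSA key exchange), 'Enc=RC4', 'Mac=MD5'.
count_with() {
    expand_ciphers "$1" | grep -c -- "$2"
}

# Succeed only if every suite in the string is forward-secret (DHE/ECDHE key
# exchange) and none uses RC4, single DES, 3DES, MD5, a NULL cipher or DSS.
check_forward_secret_only() {
    for prop in 'Kx=RSA' 'Enc=RC4' 'Enc=DES' 'Enc=3DES' 'Mac=MD5' 'Enc=None' 'Au=DSS'; do
        if [ "$(count_with "$1" "$prop")" -ne 0 ]; then
            echo "weak property present in list: $prop" >&2
            return 1
        fi
    done
    # An empty expansion means the string matched nothing on this build.
    expand_ciphers "$1" | grep -q .
}

# Usage: ./check_ciphers.sh show   (prints both expansions and the verdicts)
case "${1:-}" in
    show)
        echo "== IE8/XP set =="
        expand_ciphers "$IE8_CIPHERS"
        echo "== secure set =="
        expand_ciphers "$SECURE_CIPHERS"
        check_forward_secret_only "$SECURE_CIPHERS" && echo "secure set: forward-secret only"
        check_forward_secret_only "$IE8_CIPHERS" || echo "IE8 set: contains non-forward-secret suites (expected)"
        ;;
esac
```

Run it with `show` to see the two lists side by side; the IE8 set should end with the static-RSA suites that the trailing `kRSA+3DES+SHA` re-adds, which is exactly why it fails the forward-secrecy check, and the secure set should show only `Kx=DH` and `Kx=ECDH` entries.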