Basje/secure-tls

## secure-tls
## Include this file in your `server` block listening to secure connections, probably on port 443.
## You can use this statement: `include conf.d/secure-tls;`

## For more information about the settings, please read the following articles:
# - https://wiki.mozilla.org/Security/Server_Side_TLS
# - https://mozilla.github.io/server-side-tls/ssl-config-generator/
# - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

# Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate.
# This improves performance by avoiding the costly session negotiation process where possible
# Sessions expire after 10 minutes, and are put in a shared cache of 50MB
# Session tickets are disabled because of some security concerns
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
# https://www.imperialviolet.org/2013/06/27/botchingpfs.html
ssl_session_timeout  10m;
ssl_session_cache    shared:SSL:50m;
ssl_session_tickets  off;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits.
ssl_dhparam  /etc/ssl/certs/dhparam.pem;

# Intermediate configuration.
ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:!DSS';
ssl_prefer_server_ciphers  on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# Extra info added based on https://hstspreload.appspot.com
add_header  Strict-Transport-Security "max-age=15768000; includeSubDomains";

# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling         on;
ssl_stapling_verify  on;

# Extra security headers
# Based on https://observatory.mozilla.org
add_header Content-Security-Policy "default-src 'self' https://domain.tld https://*.domain.tld; object-src 'none'; frame-src 'none'; child-src 'none'";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
	## Include this file in your `server` block listening to secure connections, probably on port 443.
	## You can use this statement: `include conf.d/secure-tls;`

	## For more information about the settings, please read the following articles:
	# - https://wiki.mozilla.org/Security/Server_Side_TLS
	# - https://mozilla.github.io/server-side-tls/ssl-config-generator/
	# - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

	# Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate.
	# This improves performance by avoiding the costly session negotiation process where possible
	# Sessions expire after 10 minutes, and are put in a shared cache of 50MB
	# Session tickets are disabled because of some security concerns
	# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
	# https://www.imperialviolet.org/2013/06/27/botchingpfs.html
	ssl_session_timeout 10m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits.
	ssl_dhparam /etc/ssl/certs/dhparam.pem;

	# Intermediate configuration.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:!DSS';
	ssl_prefer_server_ciphers on;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	# Extra info added based on https://hstspreload.appspot.com
	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

	# OCSP Stapling
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;

	# Extra security headers
	# Based on https://observatory.mozilla.org
	add_header Content-Security-Policy "default-src 'self' https://domain.tld https://*.domain.tld; object-src 'none'; frame-src 'none'; child-src 'none'";
	add_header X-Content-Type-Options nosniff;
	add_header X-Frame-Options SAMEORIGIN always;
	add_header X-XSS-Protection "1; mode=block" always;