FluffyPancakes/nginx-ssl.conf

## nginx-ssl.conf
# I've used the configuration below for all my nginx instances and gotten an A+ on the Qualys SSL Test
# (https://www.ssllabs.com/ssltest/index.html). It satisfies requirements for PCI Compliance and
# FIPS. Includes OCSP Stapling (http://en.wikipedia.org/wiki/OCSP_stapling) and HTTP Strict Transport
# Security (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security).
# - Not vulnerable to the Heartbleed attack.
# - Not vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) with OpenSSL v1.0.1i 6 Aug 2014 & Nginx 1.6.0
# - SSL Handshake takes <80ms on most modern server hardware

# Use within the "server" scope among other directives

server{

## Tell Nginx to listen on port 443, use SSL and SPDY
listen 443 ssl spdy;

## Send header to tell the browser to prefer https to http traffic
add_header Strict-Transport-Security max-age=31536000;

## Use TLS instead of SSL - Compatibility issues with some Java clients
## and older versions of of IE, however, more secure.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

## Use more secure and less CPU tasking ciphers compared to nginx defaults
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

## Improves TTFB by using a smaller SSL buffer than the nginx default
ssl_buffer_size 8k;

## Specifies that server ciphers should be preferred over client ciphers
ssl_prefer_server_ciphers on;

## Enables all nginx worker processes share SSL session information
ssl_session_cache shared:SSL:30m;

## Increases the amount of time SSL session information in the cache is valid
ssl_session_timeout 30m;

## File containing chain of domain and intermediate certificates
ssl_certificate     /path/to/ssl/domain-intermediate-cert.crt;

## File containing private key
ssl_certificate_key /path/to/ssl/private.key;

## Specifies a file with DH parameters for EDH ciphers
## Run "openssl dhparam -out /path/to/ssl/dhparam.pem 2048" in
## terminal to generate it
ssl_dhparam /path/to/ssl/dhparam.pem;

## Enables OCSP stapling
ssl_stapling on;
resolver 8.8.8.8;
ssl_stapling_verify on;

## File containing root certificate from SSL issuer
ssl_trusted_certificate /path/to/ssl/root.crt;

}
	# I've used the configuration below for all my nginx instances and gotten an A+ on the Qualys SSL Test
	# (https://www.ssllabs.com/ssltest/index.html). It satisfies requirements for PCI Compliance and
	# FIPS. Includes OCSP Stapling (http://en.wikipedia.org/wiki/OCSP_stapling) and HTTP Strict Transport
	# Security (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security).
	# - Not vulnerable to the Heartbleed attack.
	# - Not vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) with OpenSSL v1.0.1i 6 Aug 2014 & Nginx 1.6.0
	# - SSL Handshake takes <80ms on most modern server hardware

	# Use within the "server" scope among other directives

	server{

	## Tell Nginx to listen on port 443, use SSL and SPDY
	listen 443 ssl spdy;

	## Send header to tell the browser to prefer https to http traffic
	add_header Strict-Transport-Security max-age=31536000;

	## Use TLS instead of SSL - Compatibility issues with some Java clients
	## and older versions of of IE, however, more secure.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	## Use more secure and less CPU tasking ciphers compared to nginx defaults
	ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

	## Improves TTFB by using a smaller SSL buffer than the nginx default
	ssl_buffer_size 8k;

	## Specifies that server ciphers should be preferred over client ciphers
	ssl_prefer_server_ciphers on;

	## Enables all nginx worker processes share SSL session information
	ssl_session_cache shared:SSL:30m;

	## Increases the amount of time SSL session information in the cache is valid
	ssl_session_timeout 30m;

	## File containing chain of domain and intermediate certificates
	ssl_certificate /path/to/ssl/domain-intermediate-cert.crt;

	## File containing private key
	ssl_certificate_key /path/to/ssl/private.key;

	## Specifies a file with DH parameters for EDH ciphers
	## Run "openssl dhparam -out /path/to/ssl/dhparam.pem 2048" in
	## terminal to generate it
	ssl_dhparam /path/to/ssl/dhparam.pem;

	## Enables OCSP stapling
	ssl_stapling on;
	resolver 8.8.8.8;
	ssl_stapling_verify on;

	## File containing root certificate from SSL issuer
	ssl_trusted_certificate /path/to/ssl/root.crt;

	}