SumonMSelim/secure.config

## secure.config
server {
  listen 443 default_server;
  root /var/www/web;
  # Only return Nginx in server header
  server_tokens off;

  ssl on;
  ssl_certificate /etc/nginx/ssl/server.pem;
  ssl_certificate_key /etc/nginx/ssl/server.key;
  # POODLE protection
  ## Remove SSLv3 and SSLv2
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # Best ratio Security/Accessibility
  ssl_ciphers CDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:!DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:!DHE-RSA-AES256-SHA:AES128-GCM-SHA256:!AES256-GCM-SHA384:AES128-SHA256:!AES256-SHA256:AES128-SHA:!AES256-SHA:AES:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

  # LOGJAM protection
  ## All TLS accepted, EECDH/EDH key exchange ciphers, force cipher order and use of 4096-bits group DH
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # BREACH protection
  ## Disable of SSL compression
  gzip off;

  # Security headers
  add_header Strict-Transport-Security "max-age=15552001; includeSubdomains; preload";
  etag off;
  more_clear_headers 'ETag';
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

  # Enable SSL session caching for improved performance
  # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  # By default, the buffer size is 16k, which corresponds to minimal overhead when sending big responses.
  # To minimize Time To First Byte it may be beneficial to use smaller values
  ssl_buffer_size 8k;

  # OCSP Stapling
  ssl_stapling on;
  ssl_stapling_verify on;
}
	server {
	listen 443 default_server;
	root /var/www/web;
	# Only return Nginx in server header
	server_tokens off;

	ssl on;
	ssl_certificate /etc/nginx/ssl/server.pem;
	ssl_certificate_key /etc/nginx/ssl/server.key;
	# POODLE protection
	## Remove SSLv3 and SSLv2
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# Best ratio Security/Accessibility
	ssl_ciphers CDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:!DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:!DHE-RSA-AES256-SHA:AES128-GCM-SHA256:!AES256-GCM-SHA384:AES128-SHA256:!AES256-SHA256:AES128-SHA:!AES256-SHA:AES:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

	# LOGJAM protection
	## All TLS accepted, EECDH/EDH key exchange ciphers, force cipher order and use of 4096-bits group DH
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;

	# BREACH protection
	## Disable of SSL compression
	gzip off;

	# Security headers
	add_header Strict-Transport-Security "max-age=15552001; includeSubdomains; preload";
	etag off;
	more_clear_headers 'ETag';
	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

	# Enable SSL session caching for improved performance
	# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;

	# By default, the buffer size is 16k, which corresponds to minimal overhead when sending big responses.
	# To minimize Time To First Byte it may be beneficial to use smaller values
	ssl_buffer_size 8k;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	}