-
-
Save be/4c1c8c8698c4ded05b04 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
server { | |
listen 80; | |
server_name konklone.com; | |
return 301 https://$host$request_uri; | |
} | |
# optional: the 'spdy' at the end of the listen command below turns on SPDY support. | |
server { | |
listen 443 ssl spdy; | |
server_name konklone.com; | |
# required: path to certificate and private key | |
# the .crt may omit the root CA cert, if it's a standard CA that ships with clients. | |
ssl_certificate /path/to/unified.crt; | |
ssl_certificate_key /path/to/my-private-decrypted.key; | |
# optional: tell browsers to require SSL (warning: difficult to change your mind) | |
add_header Strict-Transport-Security max-age=31536000; | |
# optional: prefer certain ciphersuites, to enforce Perfect Forward Secrecy and avoid known vulnerabilities. | |
# done in consultation with: | |
# http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/ | |
# https://www.ssllabs.com/ssltest/analyze.html | |
ssl_prefer_server_ciphers on; | |
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA; | |
# optional: turn on session resumption, using a 10 min cache shared across nginx processes | |
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html | |
ssl_session_cache shared:SSL:10m; | |
ssl_session_timeout 10m; | |
keepalive_timeout 70; | |
# nginx 1.5.9+ ONLY | |
ssl_buffer_size 1400; # 1400 bytes to fit in one MTU | |
# SPDY header compression (0 for none, 1 for fast/less compression, 9 for slow/heavy compression) | |
spdy_headers_comp 6; | |
# OCSP stapling - means nginx will poll the CA for signed OCSP responses, | |
# and send them to clients so clients don't make their own OCSP calls. | |
# http://en.wikipedia.org/wiki/OCSP_stapling | |
# | |
# while the ssl_certificate above may omit the root cert if the CA is trusted, | |
# ssl_trusted_certificate below must point to a chain of all certs | |
# in the trust path - (your cert, intermediary certs, root cert) | |
# | |
# 8.8.8.8 below is Google's public DNS server. nginx will use it to talk to the CA. | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
resolver 8.8.8.8; | |
ssl_trusted_certificate /path/to/all-certs-in-chain.crt; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment