Created June 6, 2015 07:42
SSL site
```nginx
server {
    # On Linux nginx binds [::] with ipv6only=on by default, so this socket serves IPv6 only;
    # add "listen 443 default_server;" as well if IPv4 clients must be reached.
    listen [::]:443 default_server;
    server_name mysite.org;
    ssl on;   # same effect as the "ssl" parameter on listen, which later nginx releases prefer
    # ssl_certificate_key is the private key; ssl_certificate must be the server certificate
    # followed by the intermediate chain (a CA bundle on its own is not a server certificate).
    ssl_certificate_key /svr/ssl/cert/mysite_org.pem;
    ssl_certificate /svr/ssl/cert/ca-bundle.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    # AES-128 with ephemeral ECDH or DH key exchange only; no unauthenticated (aNULL) suites
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    ssl_prefer_server_ciphers on;
    # custom DH group so DHE suites do not fall back to nginx's built-in 1024-bit parameters
    ssl_dhparam /svr/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    root /usr/local/sites/mysite;
    index index.html index.htm;
}
```
Forward Secrecy & Diffie Hellman Ephemeral Parameters
The concept of forward secrecy is simple: client and server negotiate a session key that never hits the wire and is destroyed at the end of the session, so a later compromise of the server's long-term private key does not let recorded traffic be decrypted.
By default Nginx will use a 1024-bit group for Ephemeral Diffie-Hellman (DHE) key exchange even when your certificate is 2048-bit. Hence we need to add this