chrismeller/gist:4748033

## gistfile1.nginxconf
# we want to enable ssl session resumption to avoid
# having to start the handshake from scratch each page load
# so first we enable a shared cache, named SSL (creative!) that is 10mb large
ssl_session_cache shared:SSL:10m;

# save things in the cache for 3 minutes
# if you're not making a request at least every 3 minutes, this isn't going
# to accomplish anything anyway
ssl_session_timeout 3m;

# now we're going to change a bunch related to SSL ciphers and protocol
# the primary goal here is to be more secure, and i've generally tried to
# go with things that comply with the Federal Information Processing Standard (FIPS)
# set by the US government for non-military government use

# we don't want to support SSLv3, it's known to be insecure
# FIPS 140-2 compliance, TLS1+ only
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# now we go through a couple different options for the SSL ciphers to support, mainly just to
# give you a bunch of options to pick from

# this is a very concise definition of ciphers that don't allow anonymous DH or MD5 - the big weaknesses
#	per: https://calomel.org/nginx.html
#ssl_ciphers HIGH:!ADH!MD5:@STRENGTH;

# this is a very (not so) short list of very secure ciphers that may be incompatible with older browsers
#	per: https://calomel.org/nginx.html
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA;

# this excludes insecure ciphers and sorts the others by strength
# it is BEAST-resistant, prioritizing RC4
#	per: http://groups.drupal.org/node/179344
#ssl_ciphers !aNULL:!LOW:!MD5:!EXP:RC4:CAMELLIA:AES128:3DES:SEED:AES256@STRENGTH;

# this is a combination of everything above and openssl docs - very secure, FIPS-compliant, ordered by strength
ssl_ciphers !aNULL:!eNULL:FIPS@STRENGTH;

# don't let the client decide what ciphers to use, we've told the server which to allow
ssl_prefer_server_ciphers on;
	# we want to enable ssl session resumption to avoid
	# having to start the handshake from scratch each page load
	# so first we enable a shared cache, named SSL (creative!) that is 10mb large
	ssl_session_cache shared:SSL:10m;

	# save things in the cache for 3 minutes
	# if you're not making a request at least every 3 minutes, this isn't going
	# to accomplish anything anyway
	ssl_session_timeout 3m;

	# now we're going to change a bunch related to SSL ciphers and protocol
	# the primary goal here is to be more secure, and i've generally tried to
	# go with things that comply with the Federal Information Processing Standard (FIPS)
	# set by the US government for non-military government use

	# we don't want to support SSLv3, it's known to be insecure
	# FIPS 140-2 compliance, TLS1+ only
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# now we go through a couple different options for the SSL ciphers to support, mainly just to
	# give you a bunch of options to pick from

	# this is a very concise definition of ciphers that don't allow anonymous DH or MD5 - the big weaknesses
	# per: https://calomel.org/nginx.html
	#ssl_ciphers HIGH:!ADH!MD5:@STRENGTH;

	# this is a very (not so) short list of very secure ciphers that may be incompatible with older browsers
	# per: https://calomel.org/nginx.html
	#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA;

	# this excludes insecure ciphers and sorts the others by strength
	# it is BEAST-resistant, prioritizing RC4
	# per: http://groups.drupal.org/node/179344
	#ssl_ciphers !aNULL:!LOW:!MD5:!EXP:RC4:CAMELLIA:AES128:3DES:SEED:AES256@STRENGTH;

	# this is a combination of everything above and openssl docs - very secure, FIPS-compliant, ordered by strength
	ssl_ciphers !aNULL:!eNULL:FIPS@STRENGTH;

	# don't let the client decide what ciphers to use, we've told the server which to allow
	ssl_prefer_server_ciphers on;