Last active
August 29, 2015 14:10
-
-
Save craigloftus/0a70a899e82b1e9baf12 to your computer and use it in GitHub Desktop.
Example of SSL config for nginx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ssl_session_cache shared:SSL:1m; # 1MB is ~4000 sessions, if it fills old sessions are dropped | |
| ssl_session_timeout 1440m; # Reuse sessions for 24hrs | |
| # Redirect all traffic to SSL | |
| server { | |
| listen 80 default; | |
| server_name www.example.com example.com; | |
| access_log off; | |
| error_log off; | |
| return 301 https://example.com$request_uri; | |
| } | |
| server { | |
| listen 443 ssl default_server; | |
| server_name example.com; | |
| ssl_certificate /path/to/bundle.crt; | |
| ssl_certificate_key /path/to/private.key; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_prefer_server_ciphers on; | |
| # Using list of ciphers from "Bulletproof SSL and TLS" | |
| ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; | |
| add_header Strict-Transport-Security max-age=31536000; # HSTS for 1 year | |
| # Normal stuff below here | |
| } |
I think we would eventually like to autoupdate the ciphers list from an "approved" source... like https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
For now, hardcoding in currently "good" ciphers is sufficient to begin development.
Thanks for starting to take a look at this!
# Recommended suite.
ssl_ciphers 'AES128+EECDH:AES128+EDH';
# Full suite for backwards compatibility.
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
From: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
ssl_ciphersneeds to be replaced, preferably be someone who knows what all the combinations of abbreviations means!