Skip to content

Instantly share code, notes, and snippets.

@dapi

dapi/SSL_OCSP_Stapling.conf

Last active October 17, 2019 21:50
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save dapi/d2fb53494dd098f0ef9224851c9535f5 to your computer and use it in GitHub Desktop.
Save dapi/d2fb53494dd098f0ef9224851c9535f5 to your computer and use it in GitHub Desktop.
Download ZIP
nginx ssl conf
Raw
SSL_OCSP_Stapling.conf
# Проверка HTTPS на Comodo:
# https://sslanalyzer.comodoca.com/?url=https%3A%2F%2Fkiiiosk.ru
# Проверка на Trusted
# https://www.digicert.com/help/
# source:
# https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1091/1/certificate-installation--nginx
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
# SSLProtocol all -SSLv2 -SSLv3
# Раньше было только:
# ssl_ciphers !aNULL:!CAMELLIA:!RC4:!SEED:!DES:!MD5:!EXP:HIGH;
#
# ТОже самое то HIGHT + ciphers на 112
ssl_ciphers '!aNULL:!CAMELLIA:!RC4:!SEED:!DES:!MD5:!EXP:HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_trusted_certificate /etc/nginx/ssl/trusted.crt;
add_header Strict-Transport-Security max-age=15768000;
keepalive_timeout 65;
resolver 8.8.8.8 valid=300s;
resolver_timeout 300s;
# FastCGI SSL Params
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param SSL_VERIFIED $ssl_client_verify if_not_empty;
fastcgi_param SSL_CLIENT_SERIAL $ssl_client_serial if_not_empty;
fastcgi_param SSL_CLIENT_CERT $ssl_client_cert if_not_empty;
fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn if_not_empty;
fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn if_not_empty;
#fastcgi_param SSL_CLIENT_RAW_CERT $ssl_client_raw_cert if_not_empty;
fastcgi_param SSL_PROTOCOL $ssl_protocol if_not_empty;
fastcgi_param SSL_CIPHER $ssl_cipher if_not_empty;
fastcgi_param SSL_SESSION_ID $ssl_session_id if_not_empty;
fastcgi_param SSL_CLIENT_SERIAL $ssl_client_serial if_not_empty;
# Proxy SSL params
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-HTTPS $https;
proxy_set_header X-Forwarded-Ssl $https;
proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
#proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
#proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
#proxy_set_header X-SSL-Client-Raw-Cert $ssl_client_raw_cert;
proxy_set_header X-SSL-Protocol $ssl_protocol;
proxy_set_header X-SSL-Cipher $ssl_cipher;
#proxy_set_header X-SSL-Session-ID $ssl_session_id;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment