-
-
Save deathbob/48d1e0c1b5328c87730f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Basically the nginx configuration I use at konklone.com. | |
# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com | |
# | |
# To provide feedback, please tweet at @konklone or email eric@konklone.com. | |
# Comments on gists don't notify the author. | |
# | |
# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites. | |
# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration. | |
server { | |
listen 80; | |
server_name konklone.com; | |
return 301 https://$host$request_uri; | |
} | |
# The 'spdy' at the end of the listen command below turns on SPDY support. | |
server { | |
listen 443 ssl spdy; | |
server_name konklone.com; | |
# Path to certificate and private key. | |
# The .crt may omit the root CA cert, if it's a standard CA that ships with clients. | |
ssl_certificate /path/to/unified.crt; | |
ssl_certificate_key /path/to/my-private-decrypted.key; | |
# Tell browsers to require SSL (warning: difficult to change your mind) | |
add_header Strict-Transport-Security max-age=31536000; | |
# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities. | |
# | |
# Forces forward secrecy in all browsers and clients that can use TLS, | |
# but with a small exception (DES-CBC3-SHA) for IE8/XP users. | |
# | |
# Reference client: https://www.ssllabs.com/ssltest/analyze.html | |
ssl_prefer_server_ciphers on; | |
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'; | |
# Cut out (the old, broken) SSLv3 entirely. | |
# This **excludes IE6 users** and (apparently) Yandexbot. | |
# Just comment out if you need to support IE6, bless your soul. | |
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; | |
# Turn on session resumption, using a 10 min cache shared across nginx processes, | |
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html | |
ssl_session_cache shared:SSL:10m; | |
ssl_session_timeout 10m; | |
keepalive_timeout 70; | |
# Buffer size of 1400 bytes fits in one MTU. | |
# nginx 1.5.9+ ONLY | |
ssl_buffer_size 1400; | |
# SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6. | |
# | |
# BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3. | |
# Disable with 0, until using a version of nginx with SPDY 4. | |
spdy_headers_comp 0; | |
# Now let's really get fancy, and pre-generate a 2048 bit random parameter | |
# for DH elliptic curves. If not created and specified, default is only 1024 bits. | |
# | |
# Generated by OpenSSL with the following command: | |
# openssl dhparam -outform pem -out dhparam2048.pem 2048 | |
# | |
# Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem. | |
ssl_dhparam /path/to/dhparam2048.pem; | |
# OCSP stapling - means nginx will poll the CA for signed OCSP responses, | |
# and send them to clients so clients don't make their own OCSP calls. | |
# http://en.wikipedia.org/wiki/OCSP_stapling | |
# | |
# while the ssl_certificate above may omit the root cert if the CA is trusted, | |
# ssl_trusted_certificate below must point to a chain of **all** certs | |
# in the trust path - (your cert, intermediary certs, root cert) | |
# | |
# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. | |
# nginx will use them to talk to the CA. | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
resolver 8.8.8.8 8.8.4.4 valid=86400; | |
resolver_timeout 10; | |
ssl_trusted_certificate /path/to/all-certs-in-chain.crt; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment