Skip to content

Instantly share code, notes, and snippets.

@dkubb
Last active April 11, 2019 03:56
Show Gist options
  • Save dkubb/7473330 to your computer and use it in GitHub Desktop.
Save dkubb/7473330 to your computer and use it in GitHub Desktop.
Nginx SSL configuration (PFS, HSTS, SPDY, BREACH mitigation, FIPS compliant)
ssl_certificate cert.pem;
ssl_certificate_key cert.key.pem;
ssl_trusted_certificate cert.ca.pem;
ssl_dhparam cert.dh.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
spdy_headers_comp 9;
# Work-around for BREACH attack: http://breachattack.com/
gzip off;
# Enable Strict Transport Security (HSTS) (requires ngx_headers_more extension)
more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains";
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment