dkubb/ssl.nginxconf

## ssl.nginxconf
ssl_certificate         cert.pem;
ssl_certificate_key     cert.key.pem;
ssl_trusted_certificate cert.ca.pem;
ssl_dhparam             cert.dh.pem;

ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers               FIPS@STRENGTH:!aNULL:!eNULL;
ssl_prefer_server_ciphers on;

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 10m;

ssl_stapling        on;
ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4;

spdy_headers_comp 9;

# Work-around for BREACH attack: http://breachattack.com/
gzip off;

# Enable Strict Transport Security (HSTS) (requires ngx_headers_more extension)
more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains";
	ssl_certificate cert.pem;
	ssl_certificate_key cert.key.pem;
	ssl_trusted_certificate cert.ca.pem;
	ssl_dhparam cert.dh.pem;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL;
	ssl_prefer_server_ciphers on;

	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;

	ssl_stapling on;
	ssl_stapling_verify on;

	resolver 8.8.8.8 8.8.4.4;

	spdy_headers_comp 9;

	# Work-around for BREACH attack: http://breachattack.com/
	gzip off;

	# Enable Strict Transport Security (HSTS) (requires ngx_headers_more extension)
	more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains";