esbullington/nginx-ssl.conf

## nginx-ssl.conf
user www-data www-data;
worker_processes 1;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {

        sendfile on;

        tcp_nopush on;
        tcp_nodelay on;

        types_hash_max_size 2048;

        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Buffers
        ##

        client_body_buffer_size 10K;
        client_header_buffer_size 1k;
        client_max_body_size 8m;
        large_client_header_buffers 2 1k;

        ##
        # Timeouts
        ##

        client_body_timeout 12;
        client_header_timeout 12;
        keepalive_timeout 15;
        send_timeout 10;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";
        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/sites-enabled/*;

        ##
        # SSL
        ##
        add_header Strict-Transport-Security max-age=31536000;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS;

        ## Improves TTFB by using a smaller SSL buffer than the nginx default
        ssl_buffer_size 8k;

        ssl_prefer_server_ciphers on;

        ## Enables all nginx worker processes share SSL session information
        ssl_session_cache shared:SSL:30m;

        ## Increases the amount of time SSL session information in the cache is valid
        ssl_session_timeout 30m;

        ## Enables OCSP stapling
        ssl_stapling on;
        resolver 8.8.8.8;
        ssl_stapling_verify on;

}
	user www-data www-data;
	worker_processes 1;
	pid /var/run/nginx.pid;

	events {
	worker_connections 1024;
	}

	http {

	sendfile on;

	tcp_nopush on;
	tcp_nodelay on;

	types_hash_max_size 2048;

	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Buffers
	##

	client_body_buffer_size 10K;
	client_header_buffer_size 1k;
	client_max_body_size 8m;
	large_client_header_buffers 2 1k;

	##
	# Timeouts
	##

	client_body_timeout 12;
	client_header_timeout 12;
	keepalive_timeout 15;
	send_timeout 10;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";
	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/sites-enabled/*;

	##
	# SSL
	##
	add_header Strict-Transport-Security max-age=31536000;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS;

	## Improves TTFB by using a smaller SSL buffer than the nginx default
	ssl_buffer_size 8k;

	ssl_prefer_server_ciphers on;

	## Enables all nginx worker processes share SSL session information
	ssl_session_cache shared:SSL:30m;

	## Increases the amount of time SSL session information in the cache is valid
	ssl_session_timeout 30m;

	## Enables OCSP stapling
	ssl_stapling on;
	resolver 8.8.8.8;
	ssl_stapling_verify on;

	}