-
-
Save imarcelolz/6174828 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# we want to enable ssl session resumption to avoid | |
# having to start the handshake from scratch each page load | |
# so first we enable a shared cache, named SSL (creative!) that is 10mb large | |
ssl_session_cache shared:SSL:10m; | |
# save things in the cache for 3 minutes | |
# if you're not making a request at least every 3 minutes, this isn't going | |
# to accomplish anything anyway | |
ssl_session_timeout 3m; | |
# now we're going to change a bunch related to SSL ciphers and protocol | |
# the primary goal here is to be more secure, and i've generally tried to | |
# go with things that comply with the Federal Information Processing Standard (FIPS) | |
# set by the US government for non-military government use | |
# we don't want to support SSLv3, it's known to be insecure | |
# FIPS 140-2 compliance, TLS1+ only | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
# now we go through a couple different options for the SSL ciphers to support, mainly just to | |
# give you a bunch of options to pick from | |
# this is a very concise definition of ciphers that don't allow anonymous DH or MD5 - the big weaknesses | |
# per: https://calomel.org/nginx.html | |
#ssl_ciphers HIGH:!ADH!MD5:@STRENGTH; | |
# this is a very (not so) short list of very secure ciphers that may be incompatible with older browsers | |
# per: https://calomel.org/nginx.html | |
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA; | |
# this excludes insecure ciphers and sorts the others by strength | |
# it is BEAST-resistant, prioritizing RC4 | |
# per: http://groups.drupal.org/node/179344 | |
#ssl_ciphers !aNULL:!LOW:!MD5:!EXP:RC4:CAMELLIA:AES128:3DES:SEED:AES256@STRENGTH; | |
# this is a combination of everything above and openssl docs - very secure, FIPS-compliant, ordered by strength | |
ssl_ciphers !aNULL:!eNULL:FIPS@STRENGTH; | |
# don't let the client decide what ciphers to use, we've told the server which to allow | |
ssl_prefer_server_ciphers on; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment