Created
April 8, 2019 19:10
-
-
Save jkcgs/ce1dd628b563c4964ee5841696de6ceb to your computer and use it in GitHub Desktop.
nginx settings for a 100% A+ result on qualys ssllabs ssl test, also full compatibility with handshake simulations - it requires a 4096 dhparam file and 4096 rsa keys size ("--rsa-key-size 4096" parameter with certbot, can be used with the renew mode)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
server { | |
listen 443 ssl http2; | |
server_name mak.wtf; | |
ssl_protocols TLSv1.2; | |
ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA"; | |
ssl_ecdh_curve secp384r1; | |
ssl_session_cache shared:le_nginx_SSL:1m; | |
ssl_buffer_size 8k; | |
ssl_prefer_server_ciphers on; | |
ssl_session_cache shared:TLS:2m; | |
ssl_session_timeout 10m; | |
ssl_session_tickets off; | |
ssl_dhparam /etc/nginx/ssl/dhparam4096.pem; | |
ssl_certificate /etc/letsencrypt/live/mak.wtf/fullchain.pem; | |
ssl_certificate_key /etc/letsencrypt/live/mak.wtf/privkey.pem; | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
resolver 1.1.1.1 1.0.0.1 valid=300s; | |
resolver_timeout 5s; | |
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always; | |
add_header X-Frame-Options DENY; | |
add_header X-Content-Type-Options nosniff; | |
add_header X-XSS-Protection "1; mode=block"; | |
location ~ /.well-known/ { | |
root /var/www/letsencrypt; | |
} | |
error_page 500 502 503 504 /50x.html; | |
location = /50x.html { | |
root /usr/share/nginx/html; | |
} | |
location ~ /\.ht { | |
deny all; | |
} | |
root /var/www/mak.wtf; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment