-
-
Save johanneslamers/87ae61d95f70466974de542a37a1cb6d to your computer and use it in GitHub Desktop.
nginx TLS / SSL configuration options for konklone.com
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Basically the nginx configuration I use at konklone.com. | |
| # I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com | |
| # | |
| # To provide feedback, please tweet at @konklone or email eric@konklone.com. | |
| # Comments on gists don't notify the author. | |
| # | |
| # Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites. | |
| # Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration. | |
| server { | |
| listen 80; | |
| server_name konklone.com; | |
| return 301 https://$host$request_uri; | |
| } | |
| server { | |
| # 'http2' requires nginx 1.9.5+. If using older nginx, replace with 'spdy'. | |
| listen 443 ssl http2; | |
| server_name konklone.com; | |
| # Path to certificate and intermediates, *omitting* the root. | |
| ssl_certificate /path/to/example.com.chained.crt; | |
| # Path to private key used to create certificate. | |
| ssl_certificate_key /path/to/example.com.key; | |
| # HTTP Strict Transport Security: tells browsers to require https:// without first checking | |
| # the http:// version for a redirect. Warning: it is difficult to change your mind. | |
| # | |
| # max-age: length of requirement in seconds (31536000 = 1 year) | |
| # includeSubdomains: force TLS for *ALL* subdomains (remove if this is not what you want) | |
| # preload: indicates you want browsers to ship with HSTS preloaded for your domain. | |
| # | |
| # Submit your domain for preloading in browsers at: https://hstspreload.appspot.com | |
| add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; | |
| # If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version: | |
| # add_header Strict-Transport-Security 'max-age=31536000'; | |
| ssl_prefer_server_ciphers on; | |
| # This requires strong forward secrecy (ECDHE) for all connections. | |
| # However, it blocks IE8+XP and Android 2.3. | |
| ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'; | |
| # Uncomment to require strong forward secrecy (ECDHE) in most clients, with a | |
| # non-FS exception (DES-CBC3-SHA) for IE8/XP, and plain DHE for Android 2.3 users. | |
| # ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'; | |
| # Allows all modern and legacy clients to connect over TLS. | |
| ssl_protocols TLSv1.2 TLSv1.1 TLSv1; | |
| # Uncomment for only the latest TLS, if you can drop IE8-IE10 and Android 4.3. | |
| # ssl_protocols TLSv1.2; | |
| # Turn on session resumption, using a 10 min cache shared across nginx processes, | |
| # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_timeout 10m; | |
| keepalive_timeout 70; | |
| # OCSP stapling: nginx will poll the CA for signed OCSP responses, and | |
| # send them to clients so clients don't make their own OCSP calls. | |
| # | |
| # The ssl_trusted_certificate is a chain of intermediates *including* the | |
| # root certificate, and *excluding* the cert for your domain. | |
| # | |
| # See https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| resolver 8.8.8.8 8.8.4.4 valid=86400; | |
| resolver_timeout 10; | |
| ssl_trusted_certificate /path/to/example.com.chain+root.crt; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment