kennwhite/nginx_1.6.x.conf

## nginx_1.6.x.conf
# Strong nginx config for SSL Labs rating A as of 3-2015
#  Broad legacy compatibility including IE8, Android 2.3+, openssl 0.9.8 clients
#  Blocks most bot scan IP probes.
#
# *** Assumes: _HOSTNAME_ is replaced ***
# *** Assumes: Diffie-Hellman parameters have been generated (see: dhparam below)
#
#  Includes OCSP stapling, HSTS Strict Transport security,
#  session resumption, legacy backwards compatibility (XP, Android 2.3-4.3)
#
# Requires nginx 1.6+ See: http://nginx.org/en/linux_packages.html, e.g.:
#  $ rpm -ivh http://nginx.org/packages/rhel/6/noarch/RPMS/nginx-release-rhel-6-0.el6.ngx.noarch.rpm
#  $ yum install nginx
#
user   nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
  root      /usr/share/nginx/_HOSTNAME_;
  include   /etc/nginx/mime.types;
  default_type  application/octet-stream;
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status  "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
  access_log  /var/log/nginx/access.log  main;
  sendfile  on;
  keepalive_timeout  65;
  gzip  on;
  server_tokens off;
  server_names_hash_bucket_size  64;
  ssl_certificate          /etc/nginx/ssl/server.crt;
  ssl_certificate_key      /etc/nginx/ssl/server.key;
#  Required for some CAs with Intermediate trust chains
#  ssl_trusted_certificate  /etc/nginx/ssl/AddTrustExternalCARoot.crt;
  ssl_dhparam              /etc/nginx/ssl/dhparam.pem;
  # Generate: openssl dhparam 2048 -out /etc/nginx/ssl/dhparam.pem
  # Session Resumption
  ssl_session_timeout  20m;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:20m;
  # Enable OCSP stapling (req. nginx v 1.3.7+)
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.4.4 8.8.8.8 valid=300s;
  resolver_timeout 10s;
  # For additional CORS DENY, ALLOW, SAMEORIGIN, etc. options see: http://enable-cors.org/
  add_header X-Frame-Options DENY;
  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  #
  # Cipher suites enabled below. Here's the rationale:
  #
  # *TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  #    Android 4.4.2, Chrome 39 OSX, FF 31.3 ESR Win7, FF 34 OSX, IE 11 Win 10
  #    Java 8b132, OpenSSL 1.0.1h, Yahoo crawler, Yandex
  #  ^-- HTTP/2-compatible [AEAD]
  #
  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  #    IE 11 Win7-8.1, IE 11 Win Phone 8.1, Safari 6 IOS 6.0.1, Safari 7 IOS 7.1
  #    Safari 8 IOS 8, Safari 7 OSX 10.9
  #
  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  #    Android 4.0 - 4.4.2, Bing crawler, Google crawler, IE7 Vista, IE 8-10 Win7
  #    IE Mobile 10 Win Phone 8.0, Java 7u25, Safari 5.1 OS 10.6.8
  #    Safari 6, 10.8.4
  #  ^-- strong, but lacks authentication (AEAD)
  #
  # TLS_RSA_WITH_AES_128_CBC_SHA
  #    Java 6, Android 2.3.x, OpenSSL 0.9.8y [DEPRECATED - included for legacy API/mobile support]
  #  ^-- removed from TLS 1.3 & HTTP/2 standards, lacks Forward Secrecy & authentication (AEAD)
  #
  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
  #    IE 8/XP [DEPRECATED - ONLY add (to end) of ssl_ciphers list for legacy IE8/XP support]
  #  ^-- STRONGLY discouraged unless IE8 on XP is absolutely required

  ssl_ciphers "ECDHE_RSA_AES128_GCM_SHA256 ECDHE_RSA_AES128_CBC_SHA256 ECDHE_RSA_AES_128_CBC_SHA RSA_AES_128_CBC_SHA";

  client_max_body_size 16M;
  # Block IP-based bot/scanner requests (ie, GETs lacking a domain/hostname)
  server {
    listen 80 default_server;
    return 444;
  }
  server {
    listen 443 ssl;
    return 444;
  }
  server {
    listen  80;
    server_name         _HOSTNAME_;
    return 301  https://_HOSTNAME_;
  }
  server {
    listen  443 ssl;
    server_name         _HOSTNAME_;

    # Enable Strict Transport Security (HSTS) (SSL-only)
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
  }
}
	# Strong nginx config for SSL Labs rating A as of 3-2015
	# Broad legacy compatibility including IE8, Android 2.3+, openssl 0.9.8 clients
	# Blocks most bot scan IP probes.
	#
	# * Assumes: _HOSTNAME_ is replaced *
	# *** Assumes: Diffie-Hellman parameters have been generated (see: dhparam below)
	#
	# Includes OCSP stapling, HSTS Strict Transport security,
	# session resumption, legacy backwards compatibility (XP, Android 2.3-4.3)
	#
	# Requires nginx 1.6+ See: http://nginx.org/en/linux_packages.html, e.g.:
	# $ rpm -ivh http://nginx.org/packages/rhel/6/noarch/RPMS/nginx-release-rhel-6-0.el6.ngx.noarch.rpm
	# $ yum install nginx
	#
	user nginx;
	worker_processes auto;
	error_log /var/log/nginx/error.log;
	pid /var/run/nginx.pid;
	events {
	worker_connections 1024;
	}
	http {
	root /usr/share/nginx/_HOSTNAME_;
	include /etc/nginx/mime.types;
	default_type application/octet-stream;
	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';
	access_log /var/log/nginx/access.log main;
	sendfile on;
	keepalive_timeout 65;
	gzip on;
	server_tokens off;
	server_names_hash_bucket_size 64;
	ssl_certificate /etc/nginx/ssl/server.crt;
	ssl_certificate_key /etc/nginx/ssl/server.key;
	# Required for some CAs with Intermediate trust chains
	# ssl_trusted_certificate /etc/nginx/ssl/AddTrustExternalCARoot.crt;
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	# Generate: openssl dhparam 2048 -out /etc/nginx/ssl/dhparam.pem
	# Session Resumption
	ssl_session_timeout 20m;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:20m;
	# Enable OCSP stapling (req. nginx v 1.3.7+)
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.4.4 8.8.8.8 valid=300s;
	resolver_timeout 10s;
	# For additional CORS DENY, ALLOW, SAMEORIGIN, etc. options see: http://enable-cors.org/
	add_header X-Frame-Options DENY;
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
	#
	# Cipher suites enabled below. Here's the rationale:
	#
	# *TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	# Android 4.4.2, Chrome 39 OSX, FF 31.3 ESR Win7, FF 34 OSX, IE 11 Win 10
	# Java 8b132, OpenSSL 1.0.1h, Yahoo crawler, Yandex
	# ^-- HTTP/2-compatible [AEAD]
	#
	# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
	# IE 11 Win7-8.1, IE 11 Win Phone 8.1, Safari 6 IOS 6.0.1, Safari 7 IOS 7.1
	# Safari 8 IOS 8, Safari 7 OSX 10.9
	#
	# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
	# Android 4.0 - 4.4.2, Bing crawler, Google crawler, IE7 Vista, IE 8-10 Win7
	# IE Mobile 10 Win Phone 8.0, Java 7u25, Safari 5.1 OS 10.6.8
	# Safari 6, 10.8.4
	# ^-- strong, but lacks authentication (AEAD)
	#
	# TLS_RSA_WITH_AES_128_CBC_SHA
	# Java 6, Android 2.3.x, OpenSSL 0.9.8y [DEPRECATED - included for legacy API/mobile support]
	# ^-- removed from TLS 1.3 & HTTP/2 standards, lacks Forward Secrecy & authentication (AEAD)
	#
	# TLS_RSA_WITH_3DES_EDE_CBC_SHA
	# IE 8/XP [DEPRECATED - ONLY add (to end) of ssl_ciphers list for legacy IE8/XP support]
	# ^-- STRONGLY discouraged unless IE8 on XP is absolutely required

	ssl_ciphers "ECDHE_RSA_AES128_GCM_SHA256 ECDHE_RSA_AES128_CBC_SHA256 ECDHE_RSA_AES_128_CBC_SHA RSA_AES_128_CBC_SHA";

	client_max_body_size 16M;
	# Block IP-based bot/scanner requests (ie, GETs lacking a domain/hostname)
	server {
	listen 80 default_server;
	return 444;
	}
	server {
	listen 443 ssl;
	return 444;
	}
	server {
	listen 80;
	server_name _HOSTNAME_;
	return 301 https://_HOSTNAME_;
	}
	server {
	listen 443 ssl;
	server_name _HOSTNAME_;

	# Enable Strict Transport Security (HSTS) (SSL-only)
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
	}
	}