-
-
Save konklone/6532544 to your computer and use it in GitHub Desktop.
# Basically the nginx configuration I use at konklone.com. | |
# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com | |
# | |
# To provide feedback, please tweet at @konklone or email eric@konklone.com. | |
# Comments on gists don't notify the author. | |
# | |
# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites. | |
# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration. | |
server { | |
listen 80; | |
server_name konklone.com; | |
return 301 https://$host$request_uri; | |
} | |
server { | |
# 'http2' requires nginx 1.9.5+. If using older nginx, replace with 'spdy'. | |
listen 443 ssl http2; | |
server_name konklone.com; | |
# Path to certificate and intermediates, *omitting* the root. | |
ssl_certificate /path/to/example.com.chained.crt; | |
# Path to private key used to create certificate. | |
ssl_certificate_key /path/to/example.com.key; | |
# HTTP Strict Transport Security: tells browsers to require https:// without first checking | |
# the http:// version for a redirect. Warning: it is difficult to change your mind. | |
# | |
# max-age: length of requirement in seconds (31536000 = 1 year) | |
# includeSubdomains: force TLS for *ALL* subdomains (remove if this is not what you want) | |
# preload: indicates you want browsers to ship with HSTS preloaded for your domain. | |
# | |
# Submit your domain for preloading in browsers at: https://hstspreload.appspot.com | |
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; | |
# If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version: | |
# add_header Strict-Transport-Security 'max-age=31536000'; | |
ssl_prefer_server_ciphers on; | |
# This requires strong forward secrecy (ECDHE) for all connections. | |
# However, it blocks IE8+XP and Android 2.3. | |
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'; | |
# Uncomment to require strong forward secrecy (ECDHE) in most clients, with a | |
# non-FS exception (DES-CBC3-SHA) for IE8/XP, and plain DHE for Android 2.3 users. | |
# ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'; | |
# Allows all modern and legacy clients to connect over TLS. | |
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; | |
# Uncomment for only the latest TLS, if you can drop IE8-IE10 and Android 4.3. | |
# ssl_protocols TLSv1.2; | |
# Turn on session resumption, using a 10 min cache shared across nginx processes, | |
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html | |
ssl_session_cache shared:SSL:10m; | |
ssl_session_timeout 10m; | |
keepalive_timeout 70; | |
# OCSP stapling: nginx will poll the CA for signed OCSP responses, and | |
# send them to clients so clients don't make their own OCSP calls. | |
# | |
# The ssl_trusted_certificate is a chain of intermediates *including* the | |
# root certificate, and *excluding* the cert for your domain. | |
# | |
# See https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
resolver 8.8.8.8 8.8.4.4 valid=86400; | |
resolver_timeout 10; | |
ssl_trusted_certificate /path/to/example.com.chain+root.crt; | |
} |
@laike9m I just blindly copied it from @igrigorik's config for istlsfastyet.com, as I blindly trust him on all things regarding TLS performance. =)
https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/nginx.conf
I see. Tests on my website shows setting buffer size from 16k(default) to 1400 reduced TTFB, but increased page download time.
1492 is an ethernet jumbo frame size
@cubiclesoft or others who have the same problem: The ssl_stapling not working if it is not enabled in the default server seems to be this bug: https://trac.nginx.org/nginx/ticket/810. The actual bug is in openssl, fixed with OpenSSL 1.0.0m/1.0.1g/1.0.2, so check your openssl version (nginx -V
)
@konklone you're scoring an F at ssllabs.
OpenSSL Padding Oracle vuln.
(CVE-2016-2107) Yes INSECURE (more info).
typo at resolver section.
it has to be resolver 8.8.8.8 8.8.4.4 valid=86400s; according to the nginx manual.
and DES-CBC3-SHA is affected by BEAST, so I suggest disabling here.
Should use a privacy respecting and worlds fastest DNS resolver instead of Google's 8.8.8.8
and 8.8.4.4
IPv4 resolver what is slow and Does not respect privacy or security. Cloudflares resolver also includes both IPv4 IPv6 resolver and alternative fallback DNS resolver alternative resolver for is for IPV4 is 1.0.0.1
and IPv6 2606:4700:4700::1001
as can be found on their website privacy security and speed comes first.
Here is my code for their resolver to support both IPv4 and IPv6 (Can disable IPv6 and will still work universal setup)
#Cloudflare resolver 1dot1dot1dot1.cloudflare-dns.com
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
https://1.1.1.1/#explanation
https://www.cloudflare.com/learning/dns/what-is-1.1.1.1/
https://blog.cloudflare.com/announcing-1111/
Fastest DNS resolvers in the world (1.1.1.1 is the fastest most secured and private unlike google)
https://www.dnsperf.com/#!dns-resolvers
Fantastic SSL config and discussion here, thanks guys... we used some of your suggestions in our SlickStack settings:
https://github.com/littlebizzy/slickstack/blob/master/nginx/nginx-conf.txt
I haven't found any documentation saying this is the best practice.
Here's what's in Nginx's doc:
Did you do some test before setting it to 1400?