Created
February 1, 2017 08:52
-
-
Save ntrp/044a98a3fcb633c0974726c6ae0121b6 to your computer and use it in GitHub Desktop.
SSL configuration for high security rating
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# HTTP Strict Transport Security: tells browsers to require https:// without first checking | |
# the http:// version for a redirect. Warning: it is difficult to change your mind. | |
# | |
# max-age: length of requirement in seconds (31536000 = 1 year) | |
# includeSubdomains: force SSL for *ALL* subdomains (remove if this is not what you want) | |
# preload: indicates you want browsers to ship with HSTS preloaded for your domain. | |
# | |
# Submit your domain for preloading in browsers at: https://hstspreload.appspot.com | |
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; | |
# If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version: | |
#add_header Strict-Transport-Security 'max-age=31536000'; | |
# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities. | |
# | |
# Forces forward secrecy in all browsers and clients that can use TLS, | |
# but with a small exception (DES-CBC3-SHA) for IE8/XP users. | |
# | |
# Reference client: https://www.ssllabs.com/ssltest/analyze.html | |
ssl_prefer_server_ciphers on; | |
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'; | |
# Now let's really get fancy, and pre-generate a 2048 bit random parameter | |
# for DH elliptic curves. If not created and specified, default is only 1024 bits. | |
# | |
# Generated by OpenSSL with the following command: | |
# openssl dhparam -outform pem -out dhparam2048.pem 2048 | |
ssl_dhparam /etc/nginx/ssl/dhparam.pem; | |
# Cut out the old, broken, insecure SSLv2 and SSLv3 entirely. | |
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; | |
# optional: turn on session resumption, using a 10 min cache shared across nginx processes | |
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html | |
ssl_session_cache shared:SSL:10m; | |
ssl_session_timeout 10m; | |
keepalive_timeout 70; | |
# Buffer size of 1400 bytes fits in one MTU. | |
# nginx 1.5.9+ ONLY | |
ssl_buffer_size 1400; | |
# OCSP stapling - means nginx will poll the CA for signed OCSP responses, | |
# and send them to clients so clients don't make their own OCSP calls. | |
# https://en.wikipedia.org/wiki/OCSP_stapling | |
# | |
# while the ssl_certificate above may omit the root cert if the CA is trusted, | |
# ssl_trusted_certificate below must point to a chain of **all** certs | |
# in the trust path - (your cert, intermediary certs, root cert) | |
# | |
# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. | |
# nginx will use them to talk to the CA. | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
resolver 8.8.8.8 8.8.4.4 valid=86400; | |
resolver_timeout 10; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment