@starchy
starchy / nginx-ssl.conf
Created May 20, 2015 19:35
Logjam-avoidant PFS SSL config for Nginx
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
starchy / apache2.2-ssl.conf
Last active August 29, 2015 14:21
Logjam-avoidant PFS SSL config for Apache 2.2
Best security, but leaves older clients vulnerable to "state-level adversaries":
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
Header add Strict-Transport-Security "max-age=31536000"
Best config, but no IE8 support:

Keybase proof

I hereby claim:

  • I am starchy on github.
  • I am starchy (https://keybase.io/starchy) on keybase.
  • I have a public key ASAseCg4mlbgHVSxTu_JzEs6-7aJRHh3jFcx_xEZQR_6ygo

To claim this, I am signing this object: