Nginx TLS configuration
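# Plain-HTTP listener: its only job is to send every request to HTTPS.
server {
    listen 80;
    server_name www.example.com example.com;

    # Redirect to the canonical name ($server_name is the first entry of
    # server_name, i.e. www.example.com) instead of $host.  $host is taken
    # from the client-supplied Host header; if this is the only server on
    # port 80 it is also the implicit default server, so `$host` would let
    # a request carrying an arbitrary Host header be redirected to an
    # arbitrary host (open redirect).  If the requested host must be
    # preserved, keep $host and add a separate `default_server` for port 80
    # that answers unknown hosts with `return 444;`.
    return 301 https://$server_name$request_uri;
}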
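# HTTPS server for www.example.com / example.com.
server {
    # `ssl` on the listen directive enables TLS; the separate `ssl on;`
    # directive is deprecated (since nginx 1.15.0) and redundant here.
    listen 443 ssl default_server;
    server_name www.example.com example.com;

    # --- certificates ---------------------------------------------------
    # Server certificate followed by the intermediate certificates.
    ssl_certificate     /etc/ssl/private/example.com.chained.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # --- OCSP stapling --------------------------------------------------
    ssl_stapling        on;
    ssl_stapling_verify on;
    # ssl_stapling_verify needs the issuer chain (intermediates + root) to
    # check the OCSP response against; without it nginx typically cannot
    # verify the response and serves no stapled status.  PLACEHOLDER PATH:
    # point this at a PEM file holding the intermediate and root certificates.
    ssl_trusted_certificate /etc/ssl/private/example.com.trusted-chain.pem;
    # Resolver used to reach the OCSP responder.  These are plain-DNS
    # lookups to public resolvers; prefer a local resolver where available.
    resolver         8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # --- protocol and ciphers -------------------------------------------
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); only TLSv1.2 is offered.
    # Append TLSv1.3 once the nginx build (>= 1.13.0) and OpenSSL
    # (>= 1.1.1) support it.
    ssl_protocols TLSv1.2;
    # Forward-secret (ECDHE/DHE) AES-GCM suites first, then AES-256 suites
    # with ephemeral key exchange as a fallback.
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers on;
    # DH parameters for the EDH suites; generate with at least 2048 bits,
    # e.g. `openssl dhparam -out dhparams.pem 2048`.
    ssl_dhparam /etc/ssl/private/dhparams.pem;

    # --- session resumption ---------------------------------------------
    ssl_session_cache shared:SSL:10m;
    # Session tickets are protected by a key that, unless rotated through
    # ssl_session_ticket_key, lives as long as the worker process; turning
    # them off keeps forward secrecy for resumed sessions.
    ssl_session_tickets off;

    # --- security headers -----------------------------------------------
    # HTTP Public Key Pinning (HPKP) is obsolete: browsers have removed
    # support, and a wrong or placeholder pin (the original
    # "base64+primary==" values were placeholders) locks clients out of the
    # site for the whole max-age.  Use a CAA DNS record and Certificate
    # Transparency monitoring instead.
    #add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains';
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    # HSTS, see https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
    # Note: server-level add_header directives are inherited by a location
    # only if that location defines no add_header of its own.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    location / {
    }
}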