Instantly share code, notes, and snippets.

Embed
What would you like to do?
Nginx TLS configuration
server {
listen 80;
server_name www.example.com example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
server_name www.example.com example.com;
ssl on;
# ocsp
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# intermedia certificates concatenated with server certificate
ssl_certificate /etc/ssl/private/example.com.chained.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/private/dhparams.pem;
# hpkp, see https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning how to get base64 hashes for your certificates
add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# hsts, see https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
location / {
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment