/gist:28d4d5554a59ffddfb54
Last active Oct 20, 2015
Nginx TLS configuration
| server { | |
| listen 80; | |
| server_name www.example.com example.com; | |
| return 301 https://$host$request_uri; | |
| } | |
| server { | |
| listen 443 ssl default_server; | |
| server_name www.example.com example.com; | |
| ssl on; | |
| # ocsp | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| resolver 8.8.8.8 8.8.4.4 valid=300s; | |
| resolver_timeout 5s; | |
| # intermedia certificates concatenated with server certificate | |
| ssl_certificate /etc/ssl/private/example.com.chained.crt; | |
| ssl_certificate_key /etc/ssl/private/example.com.key; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; | |
| ssl_prefer_server_ciphers on; | |
| ssl_dhparam /etc/ssl/private/dhparams.pem; | |
| # hpkp, see https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning how to get base64 hashes for your certificates | |
| add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains'; | |
| add_header X-Frame-Options DENY; | |
| add_header X-Content-Type-Options nosniff; | |
| # hsts, see https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security | |
| add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; | |
| location / { | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment