Nginx TLS configuration
server {
    # Plain-HTTP listener: every request is permanently redirected to HTTPS.
    server_name www.example.com example.com;
    listen 80;
    # $host carries the name the client asked for (request line, then Host
    # header, then the matching server_name), so the redirect keeps it.
    return 301 https://$host$request_uri;
}
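server {
    listen 443 ssl default_server;
    server_name www.example.com example.com;
    # "ssl on;" removed: the "ssl" parameter on listen already enables TLS and
    # the standalone directive is deprecated in current nginx releases.

    # OCSP stapling. With ssl_stapling_verify on, nginx validates the stapled
    # response against the certificates given by ssl_trusted_certificate;
    # without that directive the response cannot be verified. Point it at the
    # issuer chain (root + intermediates) and enable the line below.
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_trusted_certificate /path/to/ISSUER_CHAIN_PLACEHOLDER.pem;
    # The resolver is only used for OCSP responder lookups; a local resolver
    # keeps those queries (and the per-lookup metadata) off a third party.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Intermediate certificates concatenated after the server certificate.
    ssl_certificate /etc/ssl/private/example.com.chained.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    ssl_session_cache shared:SSL:10m;
    # Session tickets default to on and the ticket key only rotates when nginx
    # restarts; disabling them preserves forward secrecy for resumed sessions.
    ssl_session_tickets off;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
    # TLSv1.3 requires nginx >= 1.13.0 built against OpenSSL >= 1.1.1; on an
    # older build remove it from this list or the configuration will not load.
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers only governs TLS 1.2 suites; TLS 1.3 suites are left at the
    # library defaults.
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/private/dhparams.pem;

    # HPKP is obsolete (major browsers no longer honour Public-Key-Pins) and a
    # wrong or stale pin locks clients out for the whole max-age, so it stays
    # disabled. Certificate Transparency monitoring covers the same goal.
    # add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains';
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    # HSTS, see https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    location / {
        # add_header directives are inherited from the server block only while
        # this location defines none of its own; adding one here drops every
        # header above for this location unless they are repeated.
    }
}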