teocci/ssl-params.conf

## ssl-params.conf
# Configuration options are limited to SSL/TLS

# Enable SSL session caching for improving performance by avoiding the costly session negotiation process where possible
# SSL Labs doesn't assume that SNI is available to the client, so it only tests the default virtual server
# setting this globally to make it work across all the nginx virtual servers (including the default virtual server)
ssl_session_cache shared:ssl_session_cache:10m;
ssl_session_timeout 10m;

server {
        listen 443 ssl;

        # use a 4096bits sized custom DH parameters key
        # openssl dhparam -out /etc/nginx/dhparam.pem 4096
        ssl_dhparam /etc/nginx/dhparam.pem;

        # list of ssl protocols to be supported, support only known-secure cryptographic protocols
        # SSLv3 is broken by POODLE as of October 2014
        # ssl_protocols TLSv1.2; # Score=100
        # ssl_protocols TLSv1.2 TLSv1.1; # Score=90
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Score=90 (recommended)

        # ssl ciphers list
        #
        # support only believed secure ciphersuites using the following priority:
        # 1.) prefer PFS enabled ciphers
        # 2.) prefer AES128 over AES256 for speed (AES128 has completely adequate security for now)
        # 3.) Support DES3 for IE8 support
        #
        # disable the following ciphersuites completely
        # 1.) null ciphers
        # 2.) ciphers with low security
        # 3.) fixed ECDH cipher (does not allow for PFS)
        # 4.) known vulnerable cipers (MD5, RC4, etc)
        # 5.) little-used ciphers (Camellia, Seed)
        ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED'; # Score=90 (recommended)
        # ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100

        # to ensure that the best possible cipher is always included over the weaker ones, chosen from the above order
        ssl_prefer_server_ciphers on;

        # add HSTS header
        # set duration for more than 1 week to get A+
        # THE "preload" DIRECTIVE WILL HAVE SEMI-PERMANENT CONSEQUENCE AND IS IRREVERSIBLE - DO NOT USE UNTIL FULLY TESTED AND YOU UNDERSTAND WHAT YOU ARE DOING!
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # duration=365days
        # add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Delete browser cached HSTS policy (i.e. turn HSTS off)

        # OCSP stapling
        ssl_stapling on; # allow Nginx to send OCSP results during the connection process
        ssl_stapling_verify on;
        ssl_trusted_certificate /path/to/certificate/ssl.crt; #the CA & Intermediate CA file for your cert
        resolver 8.8.8.8 8.8.4.4 valid=300s; #Google DNS, use any of your choice
        resolver_timeout 10s;

        # Prevent clickjacking attacks
        add_header X-Frame-Options DENY;
        # Prevent "mime" based attacks
        add_header X-Content-Type-Options nosniff;
        # Prevent XSS attacks
        add_header X-XSS-Protection "1; mode=block";
        }
	# Configuration options are limited to SSL/TLS

	# Enable SSL session caching for improving performance by avoiding the costly session negotiation process where possible
	# SSL Labs doesn't assume that SNI is available to the client, so it only tests the default virtual server
	# setting this globally to make it work across all the nginx virtual servers (including the default virtual server)
	ssl_session_cache shared:ssl_session_cache:10m;
	ssl_session_timeout 10m;

	server {
	listen 443 ssl;

	# use a 4096bits sized custom DH parameters key
	# openssl dhparam -out /etc/nginx/dhparam.pem 4096
	ssl_dhparam /etc/nginx/dhparam.pem;

	# list of ssl protocols to be supported, support only known-secure cryptographic protocols
	# SSLv3 is broken by POODLE as of October 2014
	# ssl_protocols TLSv1.2; # Score=100
	# ssl_protocols TLSv1.2 TLSv1.1; # Score=90
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Score=90 (recommended)

	# ssl ciphers list
	#
	# support only believed secure ciphersuites using the following priority:
	# 1.) prefer PFS enabled ciphers
	# 2.) prefer AES128 over AES256 for speed (AES128 has completely adequate security for now)
	# 3.) Support DES3 for IE8 support
	#
	# disable the following ciphersuites completely
	# 1.) null ciphers
	# 2.) ciphers with low security
	# 3.) fixed ECDH cipher (does not allow for PFS)
	# 4.) known vulnerable cipers (MD5, RC4, etc)
	# 5.) little-used ciphers (Camellia, Seed)
	ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED'; # Score=90 (recommended)
	# ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100

	# to ensure that the best possible cipher is always included over the weaker ones, chosen from the above order
	ssl_prefer_server_ciphers on;

	# add HSTS header
	# set duration for more than 1 week to get A+
	# THE "preload" DIRECTIVE WILL HAVE SEMI-PERMANENT CONSEQUENCE AND IS IRREVERSIBLE - DO NOT USE UNTIL FULLY TESTED AND YOU UNDERSTAND WHAT YOU ARE DOING!
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # duration=365days
	# add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Delete browser cached HSTS policy (i.e. turn HSTS off)

	# OCSP stapling
	ssl_stapling on; # allow Nginx to send OCSP results during the connection process
	ssl_stapling_verify on;
	ssl_trusted_certificate /path/to/certificate/ssl.crt; #the CA & Intermediate CA file for your cert
	resolver 8.8.8.8 8.8.4.4 valid=300s; #Google DNS, use any of your choice
	resolver_timeout 10s;

	# Prevent clickjacking attacks
	add_header X-Frame-Options DENY;
	# Prevent "mime" based attacks
	add_header X-Content-Type-Options nosniff;
	# Prevent XSS attacks
	add_header X-XSS-Protection "1; mode=block";
	}