Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
SSL Params for A+
# Configuration options are limited to SSL/TLS
# Enable SSL session caching for improving performance by avoiding the costly session negotiation process where possible
# SSL Labs doesn't assume that SNI is available to the client, so it only tests the default virtual server
# setting this globally to make it work across all the nginx virtual servers (including the default virtual server)
ssl_session_cache shared:ssl_session_cache:10m;
ssl_session_timeout 10m;
server {
listen 443 ssl;
# use a 4096bits sized custom DH parameters key
# openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_dhparam /etc/nginx/dhparam.pem;
# list of ssl protocols to be supported, support only known-secure cryptographic protocols
# SSLv3 is broken by POODLE as of October 2014
# ssl_protocols TLSv1.2; # Score=100
# ssl_protocols TLSv1.2 TLSv1.1; # Score=90
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Score=90 (recommended)
# ssl ciphers list
#
# support only believed secure ciphersuites using the following priority:
# 1.) prefer PFS enabled ciphers
# 2.) prefer AES128 over AES256 for speed (AES128 has completely adequate security for now)
# 3.) Support DES3 for IE8 support
#
# disable the following ciphersuites completely
# 1.) null ciphers
# 2.) ciphers with low security
# 3.) fixed ECDH cipher (does not allow for PFS)
# 4.) known vulnerable cipers (MD5, RC4, etc)
# 5.) little-used ciphers (Camellia, Seed)
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED'; # Score=90 (recommended)
# ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100
# to ensure that the best possible cipher is always included over the weaker ones, chosen from the above order
ssl_prefer_server_ciphers on;
# add HSTS header
# set duration for more than 1 week to get A+
# THE "preload" DIRECTIVE WILL HAVE SEMI-PERMANENT CONSEQUENCE AND IS IRREVERSIBLE - DO NOT USE UNTIL FULLY TESTED AND YOU UNDERSTAND WHAT YOU ARE DOING!
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # duration=365days
# add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Delete browser cached HSTS policy (i.e. turn HSTS off)
# OCSP stapling
ssl_stapling on; # allow Nginx to send OCSP results during the connection process
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/certificate/ssl.crt; #the CA & Intermediate CA file for your cert
resolver 8.8.8.8 8.8.4.4 valid=300s; #Google DNS, use any of your choice
resolver_timeout 10s;
# Prevent clickjacking attacks
add_header X-Frame-Options DENY;
# Prevent "mime" based attacks
add_header X-Content-Type-Options nosniff;
# Prevent XSS attacks
add_header X-XSS-Protection "1; mode=block";
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment