therealmarv/nginx_1.6.x.conf

## nginx_1.6.x.conf
# nginx config for A+ SSL Labs rating as of 9-2014
#  Broad legacy compatibility including IE8/XP, Android 2.3+, openssl 0.9.8 clients
#  Blocks most bot scans IP probes.
#
# *** Assumes: _HOSTNAME_ is replaced ***
#
#  Includes OCSP stapling, HSTS Strict Transport security,
#  session resumption, legacy backwards compatibility (XP, Android 2.3-4.3)
#
# Requires nginx 1.6.x. See: http://nginx.org/en/linux_packages.html, e.g.:
#  $ rpm -ivh http://nginx.org/packages/rhel/6/noarch/RPMS/nginx-release-rhel-6-0.el6.ngx.noarch.rpm
#  $ yum install nginx
#
user   nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
  root      /usr/share/nginx/_HOSTNAME_;
  include   /etc/nginx/mime.types;
  default_type  application/octet-stream;
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status  "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
  access_log  /var/log/nginx/access.log  main;
  sendfile  on;
  keepalive_timeout  65;
  gzip  on;
  server_tokens off;
  server_names_hash_bucket_size  64;
  ssl_certificate          /etc/nginx/ssl/server.crt;
  ssl_certificate_key      /etc/nginx/ssl/server.key;
  ssl_trusted_certificate  /etc/nginx/ssl/AddTrustExternalCARoot.crt;
  ssl_dhparam              /etc/nginx/ssl/dhparam.pem;
  # Generate: openssl dhparam 2048 -out /etc/nginx/ssl/dhparam.pem
  # Session Resumption
  ssl_session_timeout  20m;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:20m;
  # Enable OCSP stapling (req. nginx v 1.3.7+)
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.4.4 8.8.8.8 valid=300s;
  resolver_timeout 10s;
  add_header X-Frame-Options DENY;
  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RC4-SHA;
  client_max_body_size 16M;
  # Block IP-based requests
  server {
    listen 80 default_server;
    return 444;
  }
  server {
    ssl    on;
    listen 443;
    return 444;
  }
  server {
    listen  80;
    server_name         _HOSTNAME_;
    return 301  https://_HOSTNAME_;
  }
  server {
    ssl     on;
    listen  443;
    server_name         _HOSTNAME_;

    # Enable Strict Transport Security (HSTS) (SSL-only)
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
  }
}
	# nginx config for A+ SSL Labs rating as of 9-2014
	# Broad legacy compatibility including IE8/XP, Android 2.3+, openssl 0.9.8 clients
	# Blocks most bot scans IP probes.
	#
	# * Assumes: _HOSTNAME_ is replaced *
	#
	# Includes OCSP stapling, HSTS Strict Transport security,
	# session resumption, legacy backwards compatibility (XP, Android 2.3-4.3)
	#
	# Requires nginx 1.6.x. See: http://nginx.org/en/linux_packages.html, e.g.:
	# $ rpm -ivh http://nginx.org/packages/rhel/6/noarch/RPMS/nginx-release-rhel-6-0.el6.ngx.noarch.rpm
	# $ yum install nginx
	#
	user nginx;
	worker_processes auto;
	error_log /var/log/nginx/error.log;
	pid /var/run/nginx.pid;
	events {
	worker_connections 1024;
	}
	http {
	root /usr/share/nginx/_HOSTNAME_;
	include /etc/nginx/mime.types;
	default_type application/octet-stream;
	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';
	access_log /var/log/nginx/access.log main;
	sendfile on;
	keepalive_timeout 65;
	gzip on;
	server_tokens off;
	server_names_hash_bucket_size 64;
	ssl_certificate /etc/nginx/ssl/server.crt;
	ssl_certificate_key /etc/nginx/ssl/server.key;
	ssl_trusted_certificate /etc/nginx/ssl/AddTrustExternalCARoot.crt;
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	# Generate: openssl dhparam 2048 -out /etc/nginx/ssl/dhparam.pem
	# Session Resumption
	ssl_session_timeout 20m;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:20m;
	# Enable OCSP stapling (req. nginx v 1.3.7+)
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.4.4 8.8.8.8 valid=300s;
	resolver_timeout 10s;
	add_header X-Frame-Options DENY;
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RC4-SHA;
	client_max_body_size 16M;
	# Block IP-based requests
	server {
	listen 80 default_server;
	return 444;
	}
	server {
	ssl on;
	listen 443;
	return 444;
	}
	server {
	listen 80;
	server_name _HOSTNAME_;
	return 301 https://_HOSTNAME_;
	}
	server {
	ssl on;
	listen 443;
	server_name _HOSTNAME_;

	# Enable Strict Transport Security (HSTS) (SSL-only)
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
	}
	}