
Revisions

  1. @r0mdau r0mdau revised this gist Jun 16, 2016. 1 changed file with 1 addition and 1 deletion.
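--- a/nginx-ssl-qualys-100%-A+.vhost
+++ b/nginx-ssl-qualys-100%-A+.vhost
@@ -27,7 +27,7 @@ server {
 root /path/to/public/app;
 }
 
-# Initi dhparam.pem
+# Init dhparam.pem
 openssl dhparam -out /path/to/ssl/certs/dhparam.pem 4096
 
 # Better security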
  2. @r0mdau r0mdau renamed this gist Jun 16, 2016. 1 changed file with 0 additions and 0 deletions.
  3. @r0mdau r0mdau revised this gist Jun 16, 2016. 3 changed files with 16 additions and 12 deletions.
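--- a/better.security.vhost
+++ b/better.security.vhost
@@ -1,11 +0,0 @@
-# I prefer putting this in `nginx.conf` for all vhosts
-
-server {
-...
-
-server_tokens off;
-add_header Strict-Transport-Security "max-age=63072000;";
-add_header X-Frame-Options SAMEORIGIN;
-add_header X-Content-Type-Options nosniff;
-add_header X-XSS-Protection "1; mode=block";
-}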
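--- a/init.sh
+++ b/init.sh
@@ -1 +0,0 @@
-openssl dhparam -out /path/to/ssl/certs/dhparam.pem 4096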
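--- a/nginx-ssl-qualys-100-A+.vhost
+++ b/nginx-ssl-qualys-100-A+.vhost
@@ -25,4 +25,20 @@ server {
 
 index index.html index.php;
 root /path/to/public/app;
 }
+
+# Initi dhparam.pem
+openssl dhparam -out /path/to/ssl/certs/dhparam.pem 4096
+
+# Better security
+# I prefer putting this in `nginx.conf` for all vhosts
+
+server {
+...
+
+server_tokens off;
+add_header Strict-Transport-Security "max-age=63072000;";
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+}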
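Review bot: The `openssl dhparam -out /path/to/ssl/certs/dhparam.pem 4096` line added under `# Initi dhparam.pem` is a shell command rather than an nginx directive, so a vhost file that contains it verbatim will not pass `nginx -t` (unknown directive "openssl"); if the file is meant to be included as-is, keep it as a comment, `# openssl dhparam -out /path/to/ssl/certs/dhparam.pem 4096`, and run it from a shell or the init.sh this revision removes. A second point on the `add_header` block that follows (the same block is created as better.security.vhost in the first revision further down): nginx inherits server-level `add_header` directives into a `location` only when that location sets none of its own, so a single `add_header` inside any location silently drops all four security headers there; a comment such as `# NOTE: add_header is not merged — repeat these in any location that sets its own headers` would save the next reader from that. The HSTS value also carries a stray trailing `;` inside the quotes; `"max-age=63072000"` is the intended form. The second `server {` block is shown with `...`, so its remaining content is outside the hunk.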
  4. @r0mdau r0mdau created this gist Jun 16, 2016.
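--- a/better.security.vhost
+++ b/better.security.vhost
@@ -0,0 +1,11 @@
+# I prefer putting this in `nginx.conf` for all vhosts
+
+server {
+...
+
+server_tokens off;
+add_header Strict-Transport-Security "max-age=63072000;";
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+}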
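--- a/init.sh
+++ b/init.sh
@@ -0,0 +1 @@
+openssl dhparam -out /path/to/ssl/certs/dhparam.pem 4096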
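--- a/nginx-ssl-qualys-100-A+.vhost
+++ b/nginx-ssl-qualys-100-A+.vhost
@@ -0,0 +1,28 @@
+server {
+listen 443 ssl deferred;
+server_name example.com;
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 24h;
+ssl_buffer_size 4k;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2;
+
+ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
+ssl_prefer_server_ciphers on;
+
+ssl_certificate /path/to/ssl/certificate.crt;
+ssl_trusted_certificate /path/to/ssl/certificate.crt;
+ssl_certificate_key /path/to/ssl/certificate.key;
+ssl_dhparam /path/to/ssl/certs/dhparam.pem;
+ssl_ecdh_curve secp384r1;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.4.4 8.8.8.8 valid=300s;
+resolver_timeout 10s;
+
+index index.html index.php;
+root /path/to/public/app;
+}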
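Review bot: `ssl_trusted_certificate` on the line after `ssl_certificate` points at the same `certificate.crt` as the server certificate, but with `ssl_stapling_verify on` nginx validates the OCSP response against the CA certificates in that file, so unless certificate.crt also bundles the intermediate and root CA (not visible here) the staple fails verification and is never sent, which forfeits the stapling part of the score this gist is tuned for; point it at a CA-chain bundle instead, e.g. `ssl_trusted_certificate /path/to/ssl/chain.pem;`. The `resolver 8.8.4.4 8.8.8.8` line routes the OCSP responder lookups to a public resolver over plain DNS; a comment noting that a local caching resolver is the preferred option would help whoever copies this. `ssl_session_timeout 24h` keeps resumable session state in the shared cache for a full day even though tickets are off, and a short comment on why a day was chosen over the nginx default would let a reader judge that trade-off. The cipher string `'AES256+EECDH:AES256+EDH:!aNULL'` deliberately excludes AES-128 and every non-AES suite; stating that intent in a comment would stop it being "fixed" later.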