SammyEnigma · December 2, 2020 13:05 · Oct 31, 2015 · Oct 31, 2015 · Oct 31, 2015 · Oct 29, 2015
diff --git a/ssl.rules b/ssl.rules
@@ -50,7 +50,7 @@ server {
     # Allows all modern and legacy clients to connect over TLS.
     ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 
-    # Uncomment to use only the latest TLS, if you don't have to support IE8, IE9, IE10, and Android 4.3 and below.
+    # Uncomment for only the latest TLS, if you can drop IE8-IE10 and Android 4.3.
     # ssl_protocols TLSv1.2;
 
     # Turn on session resumption, using a 10 min cache shared across nginx processes,

diff --git a/ssl.rules b/ssl.rules
@@ -18,9 +18,6 @@ server {
     listen 443 ssl http2;
     server_name konklone.com;
 
-    # (You'll need to add your own commands to actually serve your website,
-    #  like a root to static files, or a reverse proxy to an app process.)
-
     # Path to certificate and intermediates, *omitting* the root.
     ssl_certificate /path/to/example.com.chained.crt;
 
@@ -31,7 +28,7 @@ server {
     # the http:// version for a redirect. Warning: it is difficult to change your mind.
     # 
     #    max-age: length of requirement in seconds (31536000 = 1 year)
-    #    includeSubdomains: force SSL for *ALL* subdomains (remove if this is not what you want)
+    #    includeSubdomains: force TLS for *ALL* subdomains (remove if this is not what you want)
     #    preload: indicates you want browsers to ship with HSTS preloaded for your domain.
     # 
     #    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com

diff --git a/ssl.rules b/ssl.rules
@@ -42,18 +42,18 @@ server {
 
     ssl_prefer_server_ciphers on;
 
-    # Forces forward secrecy in all browsers and clients that can use TLS,
-    # but with a small exception (DES-CBC3-SHA) for IE8/XP users.
-    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
+    # This requires strong forward secrecy (ECDHE) for all connections.
+    # However, it blocks IE8+XP and Android 2.3.
+    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
 
-    # If you can drop IE8/XP and Android 2.3, uncomment and remove DHE and the IE8/XP carveout.
-    # This requires strong forward secrecy, without having to worry about weak/common DH groups.
-    # ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
+    # Uncomment to require strong forward secrecy (ECDHE) in most clients, with a 
+    # non-FS exception (DES-CBC3-SHA) for IE8/XP, and plain DHE for Android 2.3 users.
+    # ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
 
-    # If you need to support IE8-10, and Android 4.3 and below.
+    # Allows all modern and legacy clients to connect over TLS.
     ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 
-    # If you don't have to support legacy browsers, uncomment and stick to TLSv1.2 only.
+    # Uncomment to use only the latest TLS, if you don't have to support IE8, IE9, IE10, and Android 4.3 and below.
     # ssl_protocols TLSv1.2;
 
     # Turn on session resumption, using a 10 min cache shared across nginx processes,
@@ -69,7 +69,6 @@ server {
     # root certificate, and *excluding* the cert for your domain.
     # 
     # See https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx
-    # for more details on how nginx handles OCSP.
     ssl_stapling on;
     ssl_stapling_verify on;
     resolver 8.8.8.8 8.8.4.4 valid=86400;

diff --git a/ssl.rules b/ssl.rules
@@ -13,19 +13,19 @@ server {
     return 301 https://$host$request_uri;
 }
 
-# The 'spdy' at the end of the listen command below turns on SPDY support.
-
 server {
-    listen 443 ssl spdy;
+    # 'http2' requires nginx 1.9.5+. If using older nginx, replace with 'spdy'.
+    listen 443 ssl http2;
     server_name konklone.com;
 
     # (You'll need to add your own commands to actually serve your website,
     #  like a root to static files, or a reverse proxy to an app process.)
 
-    # Path to certificate and private key.
-    # The .crt may omit the root CA cert, if it's a standard CA that ships with clients.
-    ssl_certificate /path/to/unified.crt;
-    ssl_certificate_key /path/to/my-private-decrypted.key;
+    # Path to certificate and intermediates, *omitting* the root.
+    ssl_certificate /path/to/example.com.chained.crt;
+
+    # Path to private key used to create certificate.
+    ssl_certificate_key /path/to/example.com.key;
 
     # HTTP Strict Transport Security: tells browsers to require https:// without first checking
     # the http:// version for a redirect. Warning: it is difficult to change your mind.
@@ -40,55 +40,39 @@ server {
     # If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version:
     # add_header Strict-Transport-Security 'max-age=31536000';
 
-    # Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
-    # 
+    ssl_prefer_server_ciphers on;
+
     # Forces forward secrecy in all browsers and clients that can use TLS,
     # but with a small exception (DES-CBC3-SHA) for IE8/XP users.
-    # 
-    # Reference client: https://www.ssllabs.com/ssltest/analyze.html
-    ssl_prefer_server_ciphers on;
     ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
 
-    # Cut out the old, broken, insecure SSLv2 and SSLv3 entirely. 
+    # If you can drop IE8/XP and Android 2.3, uncomment and remove DHE and the IE8/XP carveout.
+    # This requires strong forward secrecy, without having to worry about weak/common DH groups.
+    # ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
+
+    # If you need to support IE8-10, and Android 4.3 and below.
     ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+
+    # If you don't have to support legacy browsers, uncomment and stick to TLSv1.2 only.
+    # ssl_protocols TLSv1.2;
 
     # Turn on session resumption, using a 10 min cache shared across nginx processes,
     # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
     ssl_session_cache   shared:SSL:10m;
     ssl_session_timeout 10m;
     keepalive_timeout   70;
 
-    # Buffer size of 1400 bytes fits in one MTU.
-    # nginx 1.5.9+ ONLY
-    ssl_buffer_size 1400; 
-
-    # SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6. 
-    # 
-    # BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3.
-    # Disable with 0, until using a version of nginx with SPDY 4.
-    spdy_headers_comp 0;
-
-    # Now let's really get fancy, and pre-generate a 2048 bit random parameter
-    # for DH elliptic curves. If not created and specified, default is only 1024 bits. 
+    # OCSP stapling: nginx will poll the CA for signed OCSP responses, and
+    # send them to clients so clients don't make their own OCSP calls.
     #
-    # Generated by OpenSSL with the following command:
-    #   openssl dhparam -outform pem -out dhparam2048.pem 2048
-    ssl_dhparam /path/to/dhparam2048.pem;
-
-
-    # OCSP stapling - means nginx will poll the CA for signed OCSP responses, 
-    # and send them to clients so clients don't make their own OCSP calls.
-    # https://en.wikipedia.org/wiki/OCSP_stapling
+    # The ssl_trusted_certificate is a chain of intermediates *including* the
+    # root certificate, and *excluding* the cert for your domain.
     # 
-    # while the ssl_certificate above may omit the root cert if the CA is trusted,
-    # ssl_trusted_certificate below must point to a chain of **all** certs
-    # in the trust path - (your cert, intermediary certs, root cert)
-    #
-    # 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. 
-    # nginx will use them to talk to the CA.
+    # See https://sslmate.com/blog/post/ocsp_stapling_in_apache_and_nginx
+    # for more details on how nginx handles OCSP.
     ssl_stapling on;
     ssl_stapling_verify on;
     resolver 8.8.8.8 8.8.4.4 valid=86400;
     resolver_timeout 10;
-    ssl_trusted_certificate /path/to/all-certs-in-chain.crt;
+    ssl_trusted_certificate /path/to/example.com.chain+root.crt;
 }
diff --git a/nginx.conf → ssl.rules b/nginx.conf → ssl.rules
diff --git a/nginx.conf b/nginx.conf
@@ -1,5 +1,6 @@
 # Basically the nginx configuration I use at konklone.com. 
 # I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
+# 
 # To provide feedback, please tweet at @konklone or email [email protected].
 # Comments on gists don't notify the author. 
 # 

diff --git a/nginx.conf b/nginx.conf
@@ -1,6 +1,5 @@
 # Basically the nginx configuration I use at konklone.com. 
 # I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
-#
 # To provide feedback, please tweet at @konklone or email [email protected].
 # Comments on gists don't notify the author. 
 # 

diff --git a/nginx.conf b/nginx.conf
@@ -49,9 +49,7 @@ server {
     ssl_prefer_server_ciphers on;
     ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
 
-    # Cut out (the old, broken) SSLv3 entirely. 
-    # This **excludes IE6 users** and (apparently) Yandexbot.
-    # Just comment out if you need to support IE6, bless your soul.
+    # Cut out the old, broken, insecure SSLv2 and SSLv3 entirely. 
     ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 
     # Turn on session resumption, using a 10 min cache shared across nginx processes,

diff --git a/nginx.conf b/nginx.conf
@@ -31,7 +31,7 @@ server {
     # the http:// version for a redirect. Warning: it is difficult to change your mind.
     # 
     #    max-age: length of requirement in seconds (31536000 = 1 year)
-    #    includeSubdomains: force SSL for *ALL* subdomains (remove if this not what you want)
+    #    includeSubdomains: force SSL for *ALL* subdomains (remove if this is not what you want)
     #    preload: indicates you want browsers to ship with HSTS preloaded for your domain.
     # 
     #    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com

diff --git a/nginx.conf b/nginx.conf
@@ -75,8 +75,6 @@ server {
     #
     # Generated by OpenSSL with the following command:
     #   openssl dhparam -outform pem -out dhparam2048.pem 2048
-    # 
-    # Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
     ssl_dhparam /path/to/dhparam2048.pem;
 
 

diff --git a/nginx.conf b/nginx.conf
@@ -37,6 +37,9 @@ server {
     #    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com
     add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
 
+    # If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version:
+    # add_header Strict-Transport-Security 'max-age=31536000';
+
     # Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
     # 
     # Forces forward secrecy in all browsers and clients that can use TLS,

diff --git a/nginx.conf b/nginx.conf
@@ -31,7 +31,7 @@ server {
     # the http:// version for a redirect. Warning: it is difficult to change your mind.
     # 
     #    max-age: length of requirement in seconds (31536000 = 1 year)
-    #    includeSubdomains: force for all subdomains (remove if this not what you want)
+    #    includeSubdomains: force SSL for *ALL* subdomains (remove if this not what you want)
     #    preload: indicates you want browsers to ship with HSTS preloaded for your domain.
     # 
     #    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com

diff --git a/nginx.conf b/nginx.conf
@@ -27,8 +27,15 @@ server {
     ssl_certificate /path/to/unified.crt;
     ssl_certificate_key /path/to/my-private-decrypted.key;
 
-    # Tell browsers to require SSL (warning: difficult to change your mind)
-    add_header Strict-Transport-Security max-age=31536000;
+    # HTTP Strict Transport Security: tells browsers to require https:// without first checking
+    # the http:// version for a redirect. Warning: it is difficult to change your mind.
+    # 
+    #    max-age: length of requirement in seconds (31536000 = 1 year)
+    #    includeSubdomains: force for all subdomains (remove if this not what you want)
+    #    preload: indicates you want browsers to ship with HSTS preloaded for your domain.
+    # 
+    #    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com
+    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
 
     # Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
     # 

diff --git a/nginx.conf b/nginx.conf
@@ -72,7 +72,7 @@ server {
 
     # OCSP stapling - means nginx will poll the CA for signed OCSP responses, 
     # and send them to clients so clients don't make their own OCSP calls.
-    # http://en.wikipedia.org/wiki/OCSP_stapling
+    # https://en.wikipedia.org/wiki/OCSP_stapling
     # 
     # while the ssl_certificate above may omit the root cert if the CA is trusted,
     # ssl_trusted_certificate below must point to a chain of **all** certs

diff --git a/nginx.conf b/nginx.conf
@@ -19,6 +19,9 @@ server {
     listen 443 ssl spdy;
     server_name konklone.com;
 
+    # (You'll need to add your own commands to actually serve your website,
+    #  like a root to static files, or a reverse proxy to an app process.)
+
     # Path to certificate and private key.
     # The .crt may omit the root CA cert, if it's a standard CA that ships with clients.
     ssl_certificate /path/to/unified.crt;

diff --git a/nginx.conf b/nginx.conf
@@ -61,7 +61,7 @@ server {
     # for DH elliptic curves. If not created and specified, default is only 1024 bits. 
     #
     # Generated by OpenSSL with the following command:
-    #   openssl dhparam -outform pem -out dhparam2048.pem
+    #   openssl dhparam -outform pem -out dhparam2048.pem 2048
     # 
     # Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
     ssl_dhparam /path/to/dhparam2048.pem;

diff --git a/nginx.conf b/nginx.conf
@@ -75,9 +75,11 @@ server {
     # ssl_trusted_certificate below must point to a chain of **all** certs
     # in the trust path - (your cert, intermediary certs, root cert)
     #
-    # 8.8.8.8 below is Google's public DNS server. nginx will use it to talk to the CA.
+    # 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. 
+    # nginx will use them to talk to the CA.
     ssl_stapling on;
     ssl_stapling_verify on;
-    resolver 8.8.8.8;
+    resolver 8.8.8.8 8.8.4.4 valid=86400;
+    resolver_timeout 10;
     ssl_trusted_certificate /path/to/all-certs-in-chain.crt;
 }
diff --git a/nginx.conf b/nginx.conf
@@ -1,4 +1,5 @@
-# Basically the nginx configuration I use at konklone.com.
+# Basically the nginx configuration I use at konklone.com. 
+# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
 #
 # To provide feedback, please tweet at @konklone or email [email protected].
 # Comments on gists don't notify the author. 

diff --git a/nginx.conf b/nginx.conf
@@ -36,7 +36,7 @@ server {
     ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
 
     # Cut out (the old, broken) SSLv3 entirely. 
-    # This **excludes IE6 users**, Java 6 clients, and (apparently) Yandexbot.
+    # This **excludes IE6 users** and (apparently) Yandexbot.
     # Just comment out if you need to support IE6, bless your soul.
     ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 
@@ -62,6 +62,7 @@ server {
     # Generated by OpenSSL with the following command:
     #   openssl dhparam -outform pem -out dhparam2048.pem
     # 
+    # Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
     ssl_dhparam /path/to/dhparam2048.pem;
 
 

diff --git a/nginx.conf b/nginx.conf
@@ -46,11 +46,13 @@ server {
     ssl_session_timeout 10m;
     keepalive_timeout   70;
 
+    # Buffer size of 1400 bytes fits in one MTU.
     # nginx 1.5.9+ ONLY
-    ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
+    ssl_buffer_size 1400; 
 
-    # SPDY header compression (0 for none, 9 for slow/heavy compression).
-    # Preferred is 6. BUT: header compression is flawed in SPDY versions 1 - 3.
+    # SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6. 
+    # 
+    # BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3.
     # Disable with 0, until using a version of nginx with SPDY 4.
     spdy_headers_comp 0;
 

diff --git a/nginx.conf b/nginx.conf
@@ -1,31 +1,46 @@
+# Basically the nginx configuration I use at konklone.com.
+#
+# To provide feedback, please tweet at @konklone or email [email protected].
+# Comments on gists don't notify the author. 
+# 
+# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
+# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.
+
 server {
     listen 80;
     server_name konklone.com;
     return 301 https://$host$request_uri;
 }
 
-# optional: the 'spdy' at the end of the listen command below turns on SPDY support.
+# The 'spdy' at the end of the listen command below turns on SPDY support.
 
 server {
     listen 443 ssl spdy;
     server_name konklone.com;
 
-    # required: path to certificate and private key
-    # the .crt may omit the root CA cert, if it's a standard CA that ships with clients.
+    # Path to certificate and private key.
+    # The .crt may omit the root CA cert, if it's a standard CA that ships with clients.
     ssl_certificate /path/to/unified.crt;
     ssl_certificate_key /path/to/my-private-decrypted.key;
 
-    # optional: tell browsers to require SSL (warning: difficult to change your mind)
+    # Tell browsers to require SSL (warning: difficult to change your mind)
     add_header Strict-Transport-Security max-age=31536000;
 
-    # optional: prefer certain ciphersuites, to enforce Perfect Forward Secrecy and avoid known vulnerabilities.
-    # done in consultation with:
-    #   http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/
-    #   https://www.ssllabs.com/ssltest/analyze.html
+    # Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
+    # 
+    # Forces forward secrecy in all browsers and clients that can use TLS,
+    # but with a small exception (DES-CBC3-SHA) for IE8/XP users.
+    # 
+    # Reference client: https://www.ssllabs.com/ssltest/analyze.html
     ssl_prefer_server_ciphers on;
-    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
+    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
+
+    # Cut out (the old, broken) SSLv3 entirely. 
+    # This **excludes IE6 users**, Java 6 clients, and (apparently) Yandexbot.
+    # Just comment out if you need to support IE6, bless your soul.
+    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 
-    # optional: turn on session resumption, using a 10 min cache shared across nginx processes
+    # Turn on session resumption, using a 10 min cache shared across nginx processes,
     # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
     ssl_session_cache   shared:SSL:10m;
     ssl_session_timeout 10m;
@@ -34,15 +49,26 @@ server {
     # nginx 1.5.9+ ONLY
     ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
 
-    # SPDY header compression (0 for none, 1 for fast/less compression, 9 for slow/heavy compression)
-    spdy_headers_comp 6;
+    # SPDY header compression (0 for none, 9 for slow/heavy compression).
+    # Preferred is 6. BUT: header compression is flawed in SPDY versions 1 - 3.
+    # Disable with 0, until using a version of nginx with SPDY 4.
+    spdy_headers_comp 0;
+
+    # Now let's really get fancy, and pre-generate a 2048 bit random parameter
+    # for DH elliptic curves. If not created and specified, default is only 1024 bits. 
+    #
+    # Generated by OpenSSL with the following command:
+    #   openssl dhparam -outform pem -out dhparam2048.pem
+    # 
+    ssl_dhparam /path/to/dhparam2048.pem;
+
 
     # OCSP stapling - means nginx will poll the CA for signed OCSP responses, 
     # and send them to clients so clients don't make their own OCSP calls.
     # http://en.wikipedia.org/wiki/OCSP_stapling
     # 
     # while the ssl_certificate above may omit the root cert if the CA is trusted,
-    # ssl_trusted_certificate below must point to a chain of all certs
+    # ssl_trusted_certificate below must point to a chain of **all** certs
     # in the trust path - (your cert, intermediary certs, root cert)
     #
     # 8.8.8.8 below is Google's public DNS server. nginx will use it to talk to the CA.

diff --git a/konklone.advanced.conf → nginx.conf b/konklone.advanced.conf → nginx.conf
diff --git a/konklone.advanced.conf b/konklone.advanced.conf
@@ -11,6 +11,7 @@ server {
     server_name konklone.com;
 
     # required: path to certificate and private key
+    # the .crt may omit the root CA cert, if it's a standard CA that ships with clients.
     ssl_certificate /path/to/unified.crt;
     ssl_certificate_key /path/to/my-private-decrypted.key;
 
@@ -29,4 +30,24 @@ server {
     ssl_session_cache   shared:SSL:10m;
     ssl_session_timeout 10m;
     keepalive_timeout   70;
+
+    # nginx 1.5.9+ ONLY
+    ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
+
+    # SPDY header compression (0 for none, 1 for fast/less compression, 9 for slow/heavy compression)
+    spdy_headers_comp 6;
+
+    # OCSP stapling - means nginx will poll the CA for signed OCSP responses, 
+    # and send them to clients so clients don't make their own OCSP calls.
+    # http://en.wikipedia.org/wiki/OCSP_stapling
+    # 
+    # while the ssl_certificate above may omit the root cert if the CA is trusted,
+    # ssl_trusted_certificate below must point to a chain of all certs
+    # in the trust path - (your cert, intermediary certs, root cert)
+    #
+    # 8.8.8.8 below is Google's public DNS server. nginx will use it to talk to the CA.
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.8.8;
+    ssl_trusted_certificate /path/to/all-certs-in-chain.crt;
 }
diff --git a/konklone.advanced.conf b/konklone.advanced.conf
@@ -22,7 +22,7 @@ server {
     #   http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/
     #   https://www.ssllabs.com/ssltest/analyze.html
     ssl_prefer_server_ciphers on;
-    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
+    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
 
     # optional: turn on session resumption, using a 10 min cache shared across nginx processes
     # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html

diff --git a/konklone.advanced.conf b/konklone.advanced.conf
@@ -0,0 +1,32 @@
+server {
+    listen 80;
+    server_name konklone.com;
+    return 301 https://$host$request_uri;
+}
+
+# optional: the 'spdy' at the end of the listen command below turns on SPDY support.
+
+server {
+    listen 443 ssl spdy;
+    server_name konklone.com;
+
+    # required: path to certificate and private key
+    ssl_certificate /path/to/unified.crt;
+    ssl_certificate_key /path/to/my-private-decrypted.key;
+
+    # optional: tell browsers to require SSL (warning: difficult to change your mind)
+    add_header Strict-Transport-Security max-age=31536000;
+
+    # optional: prefer certain ciphersuites, to enforce Perfect Forward Secrecy and avoid known vulnerabilities.
+    # done in consultation with:
+    #   http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/
+    #   https://www.ssllabs.com/ssltest/analyze.html
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
+
+    # optional: turn on session resumption, using a 10 min cache shared across nginx processes
+    # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
+    ssl_session_cache   shared:SSL:10m;
+    ssl_session_timeout 10m;
+    keepalive_timeout   70;
+}
No results found