
@dtoubelis
Last active August 29, 2015 14:27

Revisions

  1. dtoubelis revised this gist Aug 20, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion gistfile1.txt
    @@ -23,7 +23,7 @@ server {
    ssl_trusted_certificate /etc/nginx/ssl/ocsp-chain.crt;

    # enable client certificate authentication
    ssl_client_certificate /etc/nginx/ssl/apiserver-client-trustchain.crt;
    ssl_client_certificate /etc/nginx/ssl/api-client-trustchain.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;
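Review bot: this hunk only renames the client trust store from apiserver-client-trustchain.crt to api-client-trustchain.crt, so the thing to check before reload is that the new file exists and holds the complete issuing chain for the client certificates; nginx refuses to start on a missing `ssl_client_certificate` path, and the CA names in that file are advertised to every client in the TLS handshake, so it should contain only the CAs that are actually meant to issue API client certificates. Note also that the unchanged `ssl_verify_depth 2;` caps accepted client chains at the leaf plus two issuer levels; a client certificate issued under a deeper hierarchy will fail verification even though its root is in the file.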

  2. dtoubelis revised this gist Aug 20, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion gistfile1.txt
    @@ -24,7 +24,7 @@ server {

    # enable client certificate authentication
    ssl_client_certificate /etc/nginx/ssl/apiserver-client-trustchain.crt;
    ssl_verify_client optional;
    ssl_verify_client on;
    ssl_verify_depth 2;

    ...
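Review bot: switching `ssl_verify_client optional;` to `ssl_verify_client on;` is the safer setting for an API endpoint, because with `optional` nginx still completes the handshake for clients that present no certificate or one that fails verification, and every `location` would have had to enforce `$ssl_client_verify = SUCCESS` itself; with `on`, such requests are rejected before they reach any upstream. If some paths (a health check, for example) are meant to remain reachable without a client certificate, they need a separate `server` block rather than a relaxation back to `optional`.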
  3. dtoubelis created this gist Aug 20, 2015.
    31 changes: 31 additions & 0 deletions gistfile1.txt
    @@ -0,0 +1,31 @@
    server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name api.example.com;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_certificate /etc/nginx/ssl/server-chain.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # ciphers
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+AES128:EECDH+3DES:EDH+3DES:!SSLv2:!MD5:!DSS:!aNULL;
    ssl_prefer_server_ciphers on;

    # ssl session caching
    ssl_session_cache shared:SSL:15m;
    ssl_session_timeout 10m;

    # enable OCSP Stapling, point to certificate chain
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/ocsp-chain.crt;

    # enable client certificate authentication
    ssl_client_certificate /etc/nginx/ssl/apiserver-client-trustchain.crt;
    ssl_verify_client optional;
    ssl_verify_depth 2;

    ...
    }
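Review bot: the `ssl_ciphers` line keeps two 3DES suites (`EECDH+3DES:EDH+3DES`) and `ssl_protocols` enables TLSv1 and TLSv1.1; 3DES is a 64-bit block cipher that is no longer considered adequate, and TLS 1.0/1.1 are deprecated, so unless a known legacy client requires them the list should be reduced to `EECDH+AES128:!MD5:!DSS:!aNULL` (or an AES-GCM-only set) and `ssl_protocols TLSv1.2;`, with `!SSLv2` dropped since it is a protocol, not a cipher group. Two smaller points in the same block: OCSP stapling as configured (`ssl_stapling on; ssl_stapling_verify on;`) needs a `resolver` directive so nginx can look up the OCSP responder host, otherwise stapling is silently skipped with only a warning in the error log; and `ssl_session_cache shared:SSL:15m;` is a 15 MB cache while `ssl_session_timeout 10m;` is ten minutes, which is fine but easy to misread as the same unit, so a comment on each would help the next reader.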