Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
#
# Name: nginx-tls.conf
# Auth: Gavin Lloyd <[email protected]>
# Date: 02 May 2014
# Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
#
# Enables PFS, HSTS and OCSP stapling. Configuration options not related to
# SSL/TLS are omitted here.
#
# Example: https://www.ssllabs.com/ssltest/analyze.html?d=gavinhungry.io
#
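server {
    listen [::]:80;
    listen 80;
    server_name domain.tld www.domain.tld;

    # Redirect every plain-HTTP request to HTTPS. `return 301` is the
    # idiomatic replacement for `rewrite ^ https://... permanent;` (same
    # 301 response, no regex evaluation). $request_uri already carries the
    # query string, so no trailing `?` is needed as with rewrite.
    #
    # Note: $host echoes the client's Host header. If this is the only (and
    # therefore default) server on :80, a request with an arbitrary Host
    # header is redirected to that host; a separate catch-all default server
    # (e.g. `return 444;`) restricts this block to the names listed above.
    return 301 https://$host$request_uri;
}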
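server {
    # `spdy` was removed in nginx 1.9.5; on those and later versions replace
    # it with `http2` on both listen lines, otherwise nginx rejects the config.
    listen [::]:443 default_server ssl spdy;
    listen 443 default_server ssl spdy;
    server_name domain.tld www.domain.tld;

    # Certificate(s) -- leaf followed by any intermediates -- and private key.
    ssl_certificate /etc/ssl/domain.crt;
    ssl_certificate_key /etc/ssl/domain.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and SSL Labs no longer grades
    # a server "A" with them enabled, so only 1.2 is offered. Append TLSv1.3
    # once the nginx/OpenSSL build supports it (nginx >= 1.13.0 with
    # OpenSSL >= 1.1.1); older builds reject the token as an invalid value.
    ssl_protocols TLSv1.2;

    ssl_prefer_server_ciphers on;
    # Forward-secret (ECDHE/DHE) AEAD suites first; NULL, export, RC4, 3DES
    # and MD5 excluded. EDH+aRSA enables DHE, which on nginx before 1.11.0
    # uses the built-in 1024-bit group (SSL Labs caps that at "B") -- supply
    # a >= 2048-bit group via ssl_dhparam or drop EDH+aRSA.
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

    # Session cache shared across worker processes. Session tickets are left
    # at their default (on); rotate the ticket key (ssl_session_ticket_key)
    # or disable tickets, because a long-lived ticket key undermines the
    # forward secrecy the cipher list is meant to provide.
    ssl_session_cache shared:TLS:2m;

    # OCSP stapling. ssl_stapling_verify makes nginx validate the responder's
    # signature before stapling the response; that requires the issuer and
    # root certificates in ssl_trusted_certificate. The path below is a
    # constructed placeholder -- point it at the real issuer chain file.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/domain.chain.crt;
    # Resolver used for OCSP responder lookups (resolver1.fremont.linode.com).
    # These queries are plain DNS; prefer a local or otherwise trusted resolver.
    resolver 74.207.241.5;

    # HSTS for 365 days. `always` (nginx >= 1.7.5) also emits the header on
    # 4xx/5xx responses, which add_header otherwise omits. includeSubDomains
    # commits every subdomain to HTTPS; `preload` is deliberately not set,
    # since submission to the browser preload list is hard to reverse.
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
}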