xXPhenomXx · June 14, 2018 18:16 · Apr 5, 2018 · Apr 5, 2018 · Mar 2, 2018 · Sep 7, 2016
diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -40,7 +40,7 @@ server {
   # OCSP stapling
   ssl_stapling on;
   ssl_stapling_verify on;
-  resolver 8.8.8.8; # google-public-dns-a.google.com
+  resolver 1.1.1.1; # 1dot1dot1dot1.cloudflare-dns.com
 
   # Set HSTS to 365 days
   add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -6,7 +6,7 @@
 # Enables HTTP/2, PFS, HSTS and OCSP stapling. Configuration options not related
 # to SSL/TLS are omitted here.
 #
-# Example: https://www.ssllabs.com/ssltest/analyze.html?d=gav.sh
+# Example: https://www.ssllabs.com/ssltest/analyze.html?d=gavinhungry.io
 #
 
 server {

diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -3,10 +3,10 @@
 # Auth: Gavin Lloyd <[email protected]>
 # Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
 #
-# Enables SPDY, PFS, HSTS and OCSP stapling. Configuration options not related
+# Enables HTTP/2, PFS, HSTS and OCSP stapling. Configuration options not related
 # to SSL/TLS are omitted here.
 #
-# Example: https://www.ssllabs.com/ssltest/analyze.html?d=gavinhungry.io
+# Example: https://www.ssllabs.com/ssltest/analyze.html?d=gav.sh
 #
 
 server {
@@ -19,8 +19,8 @@ server {
 }
 
 server {
-  listen [::]:443 default_server ssl spdy;
-  listen      443 default_server ssl spdy;
+  listen [::]:443 default_server ssl http2;
+  listen      443 default_server ssl http2;
 
   server_name domain.tld www.domain.tld;
 
@@ -31,7 +31,7 @@ server {
   # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
   ssl_dhparam /etc/ssl/dhparam.pem;
 
-  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+  ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
   ssl_prefer_server_ciphers on;
   ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
 
@@ -40,8 +40,8 @@ server {
   # OCSP stapling
   ssl_stapling on;
   ssl_stapling_verify on;
-  resolver 8.8.8.8;
+  resolver 8.8.8.8; # google-public-dns-a.google.com
 
   # Set HSTS to 365 days
-  add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
+  add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
 }
diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -27,7 +27,7 @@ server {
   # Certificate(s) and private key
   ssl_certificate /etc/ssl/domain.crt;
   ssl_certificate_key /etc/ssl/domain.key;
-  
+
   # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
   ssl_dhparam /etc/ssl/dhparam.pem;
 

diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -27,7 +27,9 @@ server {
   # Certificate(s) and private key
   ssl_certificate /etc/ssl/domain.crt;
   ssl_certificate_key /etc/ssl/domain.key;
-  ssl_dhparam /etc/ssl/dhparam.pem; # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+
+  # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+  ssl_dhparam /etc/ssl/dhparam.pem;
 
   ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
   ssl_prefer_server_ciphers on;

diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -1,7 +1,6 @@
 #
 # Name: nginx-tls.conf
 # Auth: Gavin Lloyd <[email protected]>
-# Date: 02 May 2014
 # Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
 #
 # Enables SPDY, PFS, HSTS and OCSP stapling. Configuration options not related
@@ -28,6 +27,7 @@ server {
   # Certificate(s) and private key
   ssl_certificate /etc/ssl/domain.crt;
   ssl_certificate_key /etc/ssl/domain.key;
+  ssl_dhparam /etc/ssl/dhparam.pem; # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
 
   ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
   ssl_prefer_server_ciphers on;

diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -37,6 +37,7 @@ server {
 
   # OCSP stapling
   ssl_stapling on;
+  ssl_stapling_verify on;
   resolver 8.8.8.8;
 
   # Set HSTS to 365 days

diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -31,7 +31,7 @@ server {
 
   ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
   ssl_prefer_server_ciphers on;
-  ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
+  ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
 
   ssl_session_cache shared:TLS:2m;
 

diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -37,7 +37,7 @@ server {
 
   # OCSP stapling
   ssl_stapling on;
-  resolver 74.207.241.5; # resolver1.fremont.linode.com
+  resolver 8.8.8.8;
 
   # Set HSTS to 365 days
   add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';

diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -4,8 +4,8 @@
 # Date: 02 May 2014
 # Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
 #
-# Enables PFS, HSTS and OCSP stapling. Configuration options not related to
-# SSL/TLS are omitted here.
+# Enables SPDY, PFS, HSTS and OCSP stapling. Configuration options not related
+# to SSL/TLS are omitted here.
 #
 # Example: https://www.ssllabs.com/ssltest/analyze.html?d=gavinhungry.io
 #

diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -39,6 +39,6 @@ server {
   ssl_stapling on;
   resolver 74.207.241.5; # resolver1.fremont.linode.com
 
-  # Set HSTS to 180 days
-  add_header Strict-Transport-Security 'max-age=15552000';
+  # Set HSTS to 365 days
+  add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
 }
diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -29,7 +29,6 @@ server {
   ssl_certificate /etc/ssl/domain.crt;
   ssl_certificate_key /etc/ssl/domain.key;
 
-  # Allow only select protocols and ciphers
   ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
   ssl_prefer_server_ciphers on;
   ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -4,7 +4,8 @@
 # Date: 02 May 2014
 # Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
 #
-# Configuration options not related to SSL/TLS are omitted
+# Enables PFS, HSTS and OCSP stapling. Configuration options not related to
+# SSL/TLS are omitted here.
 #
 # Example: https://www.ssllabs.com/ssltest/analyze.html?d=gavinhungry.io
 #

diff --git a/nginx-tls.conf b/nginx-tls.conf
@@ -0,0 +1,44 @@
+#
+# Name: nginx-tls.conf
+# Auth: Gavin Lloyd <[email protected]>
+# Date: 02 May 2014
+# Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
+#
+# Configuration options not related to SSL/TLS are omitted
+#
+# Example: https://www.ssllabs.com/ssltest/analyze.html?d=gavinhungry.io
+#
+
+server {
+  listen [::]:80;
+  listen      80;
+  server_name domain.tld www.domain.tld;
+
+  # Redirect all non-https requests
+  rewrite ^ https://$host$request_uri? permanent;
+}
+
+server {
+  listen [::]:443 default_server ssl spdy;
+  listen      443 default_server ssl spdy;
+
+  server_name domain.tld www.domain.tld;
+
+  # Certificate(s) and private key
+  ssl_certificate /etc/ssl/domain.crt;
+  ssl_certificate_key /etc/ssl/domain.key;
+
+  # Allow only select protocols and ciphers
+  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+  ssl_prefer_server_ciphers on;
+  ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
+
+  ssl_session_cache shared:TLS:2m;
+
+  # OCSP stapling
+  ssl_stapling on;
+  resolver 74.207.241.5; # resolver1.fremont.linode.com
+
+  # Set HSTS to 180 days
+  add_header Strict-Transport-Security 'max-age=15552000';
+}