Skip to content

Instantly share code, notes, and snippets.

@PavloBezpalov

PavloBezpalov/nginx.conf

Last active May 31, 2017 08:09
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save PavloBezpalov/64ce06c79b76482c330a01d4c5a79768 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save PavloBezpalov/64ce06c79b76482c330a01d4c5a79768 to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. Pavel Bezpalov revised this gist May 31, 2017. 2 changed files with 15 additions and 14 deletions.
    26 changes: 13 additions & 13 deletions nginx.conf
    View file
    Original file line number Diff line number Diff line change
    @@ -1,15 +1,15 @@
    # ADD TO HTTP OR SERVER BLOCK

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_ecdh_curve prime256v1:secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    3 changes: 2 additions & 1 deletion resources
    View file
    Original file line number Diff line number Diff line change
    @@ -1,2 +1,3 @@
    recommendations https://cipherli.st/
    test ssl https://www.ssllabs.com/ssltest/analyze.html
    test ssl https://www.ssllabs.com/ssltest/analyze.html
    android 7.0 secp384r1 issue https://issuetracker.google.com/issues/37122132
  2. Pavel Bezpalov created this gist May 22, 2017.
    15 changes: 15 additions & 0 deletions nginx.conf
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,15 @@
    # ADD TO HTTP OR SERVER BLOCK

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    2 changes: 2 additions & 0 deletions resources
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,2 @@
    recommendations https://cipherli.st/
    test ssl https://www.ssllabs.com/ssltest/analyze.html