SlyDen · March 3, 2016 11:38 · Nov 6, 2014 · Nov 5, 2014 · Nov 5, 2014 · Nov 5, 2014
diff --git a/README.md b/README.md
@@ -1,6 +1,9 @@
 # Configuring nginx for SSL SNI vhosts
 ## Gotchas
-**Be aware that mandatory https on SNI vhosts eliminate [Internet Explorer on Windows XP, among others](http://en.wikipedia.org/wiki/Server_Name_Indication#Web_browsers.5B6.5D)**
+* Note that SHA2 hash algorithm may be not supported on older systems (Windows XP, Windows 2003, among others).
+* Be aware that mandatory https on SNI vhosts eliminate [Internet Explorer on Windows XP, among others]
+(http://en.wikipedia.org/wiki/Server_Name_Indication#Web_browsers.5B6.5D).
+
 ## Remarks
 * My version of konklones SSL config does not have SPDY support(my nginx+openssl does not support it)
 * You need a default ssl server (*example.org-default.conf*).

diff --git a/README.md b/README.md
@@ -1,6 +1,8 @@
 # Configuring nginx for SSL SNI vhosts
-**Be aware that mandatory https on SNI vhosts eliminate [Internet Explorer on Windows XP, among others](http://en.wikipedia.org/wiki/Server_Name_Indication#Web_browsers.5B6.5D)**
 ## Gotchas
+**Be aware that mandatory https on SNI vhosts eliminate [Internet Explorer on Windows XP, among others](http://en.wikipedia.org/wiki/Server_Name_Indication#Web_browsers.5B6.5D)**
+## Remarks
+* My version of konklones SSL config does not have SPDY support(my nginx+openssl does not support it)
 * You need a default ssl server (*example.org-default.conf*).
 * Some SSL-options have to be unique across your instance, so it's easier to have them in a common file(*ssl.conf*).
 * For updated ssl_ciphers, I refer you to these two sources

diff --git a/README.md b/README.md
@@ -4,5 +4,5 @@
 * You need a default ssl server (*example.org-default.conf*).
 * Some SSL-options have to be unique across your instance, so it's easier to have them in a common file(*ssl.conf*).
 * For updated ssl_ciphers, I refer you to these two sources
-** [The original of this fork](https://gist.github.com/konklone/6532544)
-** [The Mozilla SSL Config Generator](http://mozilla.github.io/server-side-tls/ssl-config-generator/)
+  * [The original of this fork](https://gist.github.com/konklone/6532544)
+  * [The Mozilla SSL Config Generator](http://mozilla.github.io/server-side-tls/ssl-config-generator/)
diff --git a/README.md b/README.md
@@ -1,8 +1,8 @@
-Configuring nginx for SSL SNI vhosts
-====================================
-
-* You need a default ssl server (example.org-default.conf).
-* Some SSL-options have to be unique across your instance, so it's easier to have them in a common file(ssl.conf).
+# Configuring nginx for SSL SNI vhosts
+**Be aware that mandatory https on SNI vhosts eliminate [Internet Explorer on Windows XP, among others](http://en.wikipedia.org/wiki/Server_Name_Indication#Web_browsers.5B6.5D)**
+## Gotchas
+* You need a default ssl server (*example.org-default.conf*).
+* Some SSL-options have to be unique across your instance, so it's easier to have them in a common file(*ssl.conf*).
 * For updated ssl_ciphers, I refer you to these two sources
-** https://gist.github.com/konklone/6532544 (the original of this fork)
-** http://mozilla.github.io/server-side-tls/ssl-config-generator/   
+** [The original of this fork](https://gist.github.com/konklone/6532544)
+** [The Mozilla SSL Config Generator](http://mozilla.github.io/server-side-tls/ssl-config-generator/)
diff --git a/README.md b/README.md
@@ -0,0 +1,8 @@
+Configuring nginx for SSL SNI vhosts
+====================================
+
+* You need a default ssl server (example.org-default.conf).
+* Some SSL-options have to be unique across your instance, so it's easier to have them in a common file(ssl.conf).
+* For updated ssl_ciphers, I refer you to these two sources
+** https://gist.github.com/konklone/6532544 (the original of this fork)
+** http://mozilla.github.io/server-side-tls/ssl-config-generator/   
diff --git a/example.com.conf b/example.com.conf
@@ -5,6 +5,8 @@ server {
 	# required: path to certificate and private key
 	ssl_certificate			/opt/keys/example.com/example.com.unified.crt;
 	ssl_certificate_key		/opt/keys/example.com/example.com.decrypted.key;
+
+	# required for OCSP stapling, if any of your vhosts don't have this line, you have to inactivate OCSP stapling in ssl.conf
 	ssl_trusted_certificate		/opt/keys/example.com/example.com.unified+root.crt;
 
 	# Include global SSL settings

diff --git a/example.org-default.conf b/example.org-default.conf
@@ -5,6 +5,8 @@ server {
 	# required: path to certificate and private key
 	ssl_certificate			/opt/keys/example.org/example.org.unified.crt;
 	ssl_certificate_key		/opt/keys/example.org/example.org.decrypted.key;
+
+	# required for OCSP stapling, if any of your vhosts don't have this line, you have to inactivate OCSP stapling in ssl.conf
 	ssl_trusted_certificate		/opt/keys/example.org/example.org.unified+root.crt;
 
 	# Include global SSL settings

diff --git a/example.com.conf b/example.com.conf
@@ -0,0 +1,19 @@
+server {
+	listen		443	ssl;
+	server_name	example.com;
+
+	# required: path to certificate and private key
+	ssl_certificate			/opt/keys/example.com/example.com.unified.crt;
+	ssl_certificate_key		/opt/keys/example.com/example.com.decrypted.key;
+	ssl_trusted_certificate		/opt/keys/example.com/example.com.unified+root.crt;
+
+	# Include global SSL settings
+	include /etc/nginx/ssl.conf;
+
+	root   /usr/share/nginx/html;
+	index  index.html index.htm;
+
+	location / {
+		proxy_pass  http://upstream;
+	}
+}
diff --git a/example.org-default.conf b/example.org-default.conf
@@ -0,0 +1,19 @@
+server {
+	listen		443	ssl    default_server;
+	server_name	example.org;
+
+	# required: path to certificate and private key
+	ssl_certificate			/opt/keys/example.org/example.org.unified.crt;
+	ssl_certificate_key		/opt/keys/example.org/example.org.decrypted.key;
+	ssl_trusted_certificate		/opt/keys/example.org/example.org.unified+root.crt;
+
+	# Include global SSL settings
+	include /etc/nginx/ssl.conf;
+
+	root   /usr/share/nginx/html;
+	index  index.html index.htm;
+
+	location / {
+		proxy_pass  http://upstream;
+	}
+}
diff --git a/nginx.conf b/nginx.conf
@@ -1,94 +0,0 @@
-# Basically the nginx configuration I use at konklone.com. 
-# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
-#
-# To provide feedback, please tweet at @konklone or email eric@konklone.com.
-# Comments on gists don't notify the author. 
-# 
-# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
-# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.
-
-server {
-    listen 80;
-    server_name konklone.com;
-    return 301 https://$host$request_uri;
-}
-
-# The 'spdy' at the end of the listen command below turns on SPDY support.
-
-server {
-    listen 443 ssl spdy;
-    server_name konklone.com;
-
-    # (You'll need to add your own commands to actually serve your website,
-    #  like a root to static files, or a reverse proxy to an app process.)
-
-    # Path to certificate and private key.
-    # The .crt may omit the root CA cert, if it's a standard CA that ships with clients.
-    ssl_certificate /path/to/unified.crt;
-    ssl_certificate_key /path/to/my-private-decrypted.key;
-
-    # HTTP Strict Transport Security: tells browsers to require https:// without first checking
-    # the http:// version for a redirect. Warning: it is difficult to change your mind.
-    # 
-    #    max-age: length of requirement in seconds (31536000 = 1 year)
-    #    includeSubdomains: force SSL for *ALL* subdomains (remove if this is not what you want)
-    #    preload: indicates you want browsers to ship with HSTS preloaded for your domain.
-    # 
-    #    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com
-    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
-
-    # If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version:
-    # add_header Strict-Transport-Security 'max-age=31536000';
-
-    # Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
-    # 
-    # Forces forward secrecy in all browsers and clients that can use TLS,
-    # but with a small exception (DES-CBC3-SHA) for IE8/XP users.
-    # 
-    # Reference client: https://www.ssllabs.com/ssltest/analyze.html
-    ssl_prefer_server_ciphers on;
-    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
-
-    # Cut out the old, broken, insecure SSLv2 and SSLv3 entirely. 
-    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
-
-    # Turn on session resumption, using a 10 min cache shared across nginx processes,
-    # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
-    ssl_session_cache   shared:SSL:10m;
-    ssl_session_timeout 10m;
-    keepalive_timeout   70;
-
-    # Buffer size of 1400 bytes fits in one MTU.
-    # nginx 1.5.9+ ONLY
-    ssl_buffer_size 1400; 
-
-    # SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6. 
-    # 
-    # BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3.
-    # Disable with 0, until using a version of nginx with SPDY 4.
-    spdy_headers_comp 0;
-
-    # Now let's really get fancy, and pre-generate a 2048 bit random parameter
-    # for DH elliptic curves. If not created and specified, default is only 1024 bits. 
-    #
-    # Generated by OpenSSL with the following command:
-    #   openssl dhparam -outform pem -out dhparam2048.pem 2048
-    ssl_dhparam /path/to/dhparam2048.pem;
-
-
-    # OCSP stapling - means nginx will poll the CA for signed OCSP responses, 
-    # and send them to clients so clients don't make their own OCSP calls.
-    # https://en.wikipedia.org/wiki/OCSP_stapling
-    # 
-    # while the ssl_certificate above may omit the root cert if the CA is trusted,
-    # ssl_trusted_certificate below must point to a chain of **all** certs
-    # in the trust path - (your cert, intermediary certs, root cert)
-    #
-    # 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. 
-    # nginx will use them to talk to the CA.
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    resolver 8.8.8.8 8.8.4.4 valid=86400;
-    resolver_timeout 10;
-    ssl_trusted_certificate /path/to/all-certs-in-chain.crt;
-}

diff --git a/ssl.conf b/ssl.conf
@@ -0,0 +1,66 @@
+# Basically the nginx configuration I use at konklone.com. 
+# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
+#
+# To provide feedback, please tweet at @konklone or email eric@konklone.com.
+# Comments on gists don't notify the author. 
+# 
+# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
+# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.
+
+# HTTP Strict Transport Security: tells browsers to require https:// without first checking
+# the http:// version for a redirect. Warning: it is difficult to change your mind.
+#
+#    max-age: length of requirement in seconds (31536000 = 1 year)
+#    includeSubdomains: force SSL for *ALL* subdomains (remove if this is not what you want)
+#    preload: indicates you want browsers to ship with HSTS preloaded for your domain.
+#
+#    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com
+#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+
+# If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version:
+add_header Strict-Transport-Security 'max-age=31536000';
+
+# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
+#
+# Forces forward secrecy in all browsers and clients that can use TLS,
+# but with a small exception (DES-CBC3-SHA) for IE8/XP users.
+#
+# Reference client: https://www.ssllabs.com/ssltest/analyze.html
+ssl_prefer_server_ciphers on;
+ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
+
+# Now let's really get fancy, and pre-generate a 2048 bit random parameter
+# for DH elliptic curves. If not created and specified, default is only 1024 bits.
+#
+# Generated by OpenSSL with the following command:
+#   openssl dhparam -outform pem -out dhparam2048.pem 2048
+ssl_dhparam /path/to/dhparam2048.pem;
+
+# Cut out the old, broken, insecure SSLv2 and SSLv3 entirely.
+ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+
+
+# optional: turn on session resumption, using a 10 min cache shared across nginx processes
+# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
+ssl_session_cache   shared:SSL:10m;
+ssl_session_timeout 10m;
+keepalive_timeout   70;
+
+# Buffer size of 1400 bytes fits in one MTU.
+# nginx 1.5.9+ ONLY
+ssl_buffer_size 1400;
+
+# OCSP stapling - means nginx will poll the CA for signed OCSP responses,
+# and send them to clients so clients don't make their own OCSP calls.
+# https://en.wikipedia.org/wiki/OCSP_stapling
+#
+# while the ssl_certificate above may omit the root cert if the CA is trusted,
+# ssl_trusted_certificate below must point to a chain of **all** certs
+# in the trust path - (your cert, intermediary certs, root cert)
+#
+# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
+# nginx will use them to talk to the CA.
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=86400;
+resolver_timeout 10;
diff --git a/nginx.conf b/nginx.conf
@@ -49,9 +49,7 @@ server {
     ssl_prefer_server_ciphers on;
     ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
 
-    # Cut out (the old, broken) SSLv3 entirely. 
-    # This **excludes IE6 users** and (apparently) Yandexbot.
-    # Just comment out if you need to support IE6, bless your soul.
+    # Cut out the old, broken, insecure SSLv2 and SSLv3 entirely. 
     ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 
     # Turn on session resumption, using a 10 min cache shared across nginx processes,

diff --git a/nginx.conf b/nginx.conf
@@ -31,7 +31,7 @@ server {
     # the http:// version for a redirect. Warning: it is difficult to change your mind.
     # 
     #    max-age: length of requirement in seconds (31536000 = 1 year)
-    #    includeSubdomains: force SSL for *ALL* subdomains (remove if this not what you want)
+    #    includeSubdomains: force SSL for *ALL* subdomains (remove if this is not what you want)
     #    preload: indicates you want browsers to ship with HSTS preloaded for your domain.
     # 
     #    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com

diff --git a/nginx.conf b/nginx.conf
@@ -75,8 +75,6 @@ server {
     #
     # Generated by OpenSSL with the following command:
     #   openssl dhparam -outform pem -out dhparam2048.pem 2048
-    # 
-    # Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
     ssl_dhparam /path/to/dhparam2048.pem;
 
 

diff --git a/nginx.conf b/nginx.conf
@@ -37,6 +37,9 @@ server {
     #    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com
     add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
 
+    # If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version:
+    # add_header Strict-Transport-Security 'max-age=31536000';
+
     # Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
     # 
     # Forces forward secrecy in all browsers and clients that can use TLS,

diff --git a/nginx.conf b/nginx.conf
@@ -31,7 +31,7 @@ server {
     # the http:// version for a redirect. Warning: it is difficult to change your mind.
     # 
     #    max-age: length of requirement in seconds (31536000 = 1 year)
-    #    includeSubdomains: force for all subdomains (remove if this not what you want)
+    #    includeSubdomains: force SSL for *ALL* subdomains (remove if this not what you want)
     #    preload: indicates you want browsers to ship with HSTS preloaded for your domain.
     # 
     #    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com

diff --git a/nginx.conf b/nginx.conf
@@ -27,8 +27,15 @@ server {
     ssl_certificate /path/to/unified.crt;
     ssl_certificate_key /path/to/my-private-decrypted.key;
 
-    # Tell browsers to require SSL (warning: difficult to change your mind)
-    add_header Strict-Transport-Security max-age=31536000;
+    # HTTP Strict Transport Security: tells browsers to require https:// without first checking
+    # the http:// version for a redirect. Warning: it is difficult to change your mind.
+    # 
+    #    max-age: length of requirement in seconds (31536000 = 1 year)
+    #    includeSubdomains: force for all subdomains (remove if this not what you want)
+    #    preload: indicates you want browsers to ship with HSTS preloaded for your domain.
+    # 
+    #    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com
+    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
 
     # Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
     # 

diff --git a/nginx.conf b/nginx.conf
@@ -72,7 +72,7 @@ server {
 
     # OCSP stapling - means nginx will poll the CA for signed OCSP responses, 
     # and send them to clients so clients don't make their own OCSP calls.
-    # http://en.wikipedia.org/wiki/OCSP_stapling
+    # https://en.wikipedia.org/wiki/OCSP_stapling
     # 
     # while the ssl_certificate above may omit the root cert if the CA is trusted,
     # ssl_trusted_certificate below must point to a chain of **all** certs

diff --git a/nginx.conf b/nginx.conf
@@ -19,6 +19,9 @@ server {
     listen 443 ssl spdy;
     server_name konklone.com;
 
+    # (You'll need to add your own commands to actually serve your website,
+    #  like a root to static files, or a reverse proxy to an app process.)
+
     # Path to certificate and private key.
     # The .crt may omit the root CA cert, if it's a standard CA that ships with clients.
     ssl_certificate /path/to/unified.crt;

diff --git a/nginx.conf b/nginx.conf
@@ -61,7 +61,7 @@ server {
     # for DH elliptic curves. If not created and specified, default is only 1024 bits. 
     #
     # Generated by OpenSSL with the following command:
-    #   openssl dhparam -outform pem -out dhparam2048.pem
+    #   openssl dhparam -outform pem -out dhparam2048.pem 2048
     # 
     # Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
     ssl_dhparam /path/to/dhparam2048.pem;

diff --git a/nginx.conf b/nginx.conf
@@ -75,9 +75,11 @@ server {
     # ssl_trusted_certificate below must point to a chain of **all** certs
     # in the trust path - (your cert, intermediary certs, root cert)
     #
-    # 8.8.8.8 below is Google's public DNS server. nginx will use it to talk to the CA.
+    # 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers. 
+    # nginx will use them to talk to the CA.
     ssl_stapling on;
     ssl_stapling_verify on;
-    resolver 8.8.8.8;
+    resolver 8.8.8.8 8.8.4.4 valid=86400;
+    resolver_timeout 10;
     ssl_trusted_certificate /path/to/all-certs-in-chain.crt;
 }
diff --git a/nginx.conf b/nginx.conf
@@ -1,4 +1,5 @@
-# Basically the nginx configuration I use at konklone.com.
+# Basically the nginx configuration I use at konklone.com. 
+# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
 #
 # To provide feedback, please tweet at @konklone or email eric@konklone.com.
 # Comments on gists don't notify the author. 

diff --git a/nginx.conf b/nginx.conf
@@ -36,7 +36,7 @@ server {
     ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
 
     # Cut out (the old, broken) SSLv3 entirely. 
-    # This **excludes IE6 users**, Java 6 clients, and (apparently) Yandexbot.
+    # This **excludes IE6 users** and (apparently) Yandexbot.
     # Just comment out if you need to support IE6, bless your soul.
     ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 
@@ -62,6 +62,7 @@ server {
     # Generated by OpenSSL with the following command:
     #   openssl dhparam -outform pem -out dhparam2048.pem
     # 
+    # Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
     ssl_dhparam /path/to/dhparam2048.pem;
 
 

diff --git a/nginx.conf b/nginx.conf
@@ -46,11 +46,13 @@ server {
     ssl_session_timeout 10m;
     keepalive_timeout   70;
 
+    # Buffer size of 1400 bytes fits in one MTU.
     # nginx 1.5.9+ ONLY
-    ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
+    ssl_buffer_size 1400; 
 
-    # SPDY header compression (0 for none, 9 for slow/heavy compression).
-    # Preferred is 6. BUT: header compression is flawed in SPDY versions 1 - 3.
+    # SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6. 
+    # 
+    # BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3.
     # Disable with 0, until using a version of nginx with SPDY 4.
     spdy_headers_comp 0;
 

diff --git a/nginx.conf b/nginx.conf
@@ -1,31 +1,46 @@
+# Basically the nginx configuration I use at konklone.com.
+#
+# To provide feedback, please tweet at @konklone or email eric@konklone.com.
+# Comments on gists don't notify the author. 
+# 
+# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
+# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.
+
 server {
     listen 80;
     server_name konklone.com;
     return 301 https://$host$request_uri;
 }
 
-# optional: the 'spdy' at the end of the listen command below turns on SPDY support.
+# The 'spdy' at the end of the listen command below turns on SPDY support.
 
 server {
     listen 443 ssl spdy;
     server_name konklone.com;
 
-    # required: path to certificate and private key
-    # the .crt may omit the root CA cert, if it's a standard CA that ships with clients.
+    # Path to certificate and private key.
+    # The .crt may omit the root CA cert, if it's a standard CA that ships with clients.
     ssl_certificate /path/to/unified.crt;
     ssl_certificate_key /path/to/my-private-decrypted.key;
 
-    # optional: tell browsers to require SSL (warning: difficult to change your mind)
+    # Tell browsers to require SSL (warning: difficult to change your mind)
     add_header Strict-Transport-Security max-age=31536000;
 
-    # optional: prefer certain ciphersuites, to enforce Perfect Forward Secrecy and avoid known vulnerabilities.
-    # done in consultation with:
-    #   http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/
-    #   https://www.ssllabs.com/ssltest/analyze.html
+    # Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
+    # 
+    # Forces forward secrecy in all browsers and clients that can use TLS,
+    # but with a small exception (DES-CBC3-SHA) for IE8/XP users.
+    # 
+    # Reference client: https://www.ssllabs.com/ssltest/analyze.html
     ssl_prefer_server_ciphers on;
-    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
+    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
+
+    # Cut out (the old, broken) SSLv3 entirely. 
+    # This **excludes IE6 users**, Java 6 clients, and (apparently) Yandexbot.
+    # Just comment out if you need to support IE6, bless your soul.
+    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
 
-    # optional: turn on session resumption, using a 10 min cache shared across nginx processes
+    # Turn on session resumption, using a 10 min cache shared across nginx processes,
     # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
     ssl_session_cache   shared:SSL:10m;
     ssl_session_timeout 10m;
@@ -34,15 +49,26 @@ server {
     # nginx 1.5.9+ ONLY
     ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
 
-    # SPDY header compression (0 for none, 1 for fast/less compression, 9 for slow/heavy compression)
-    spdy_headers_comp 6;
+    # SPDY header compression (0 for none, 9 for slow/heavy compression).
+    # Preferred is 6. BUT: header compression is flawed in SPDY versions 1 - 3.
+    # Disable with 0, until using a version of nginx with SPDY 4.
+    spdy_headers_comp 0;
+
+    # Now let's really get fancy, and pre-generate a 2048 bit random parameter
+    # for DH elliptic curves. If not created and specified, default is only 1024 bits. 
+    #
+    # Generated by OpenSSL with the following command:
+    #   openssl dhparam -outform pem -out dhparam2048.pem
+    # 
+    ssl_dhparam /path/to/dhparam2048.pem;
+
 
     # OCSP stapling - means nginx will poll the CA for signed OCSP responses, 
     # and send them to clients so clients don't make their own OCSP calls.
     # http://en.wikipedia.org/wiki/OCSP_stapling
     # 
     # while the ssl_certificate above may omit the root cert if the CA is trusted,
-    # ssl_trusted_certificate below must point to a chain of all certs
+    # ssl_trusted_certificate below must point to a chain of **all** certs
     # in the trust path - (your cert, intermediary certs, root cert)
     #
     # 8.8.8.8 below is Google's public DNS server. nginx will use it to talk to the CA.

diff --git a/konklone.advanced.conf → nginx.conf b/konklone.advanced.conf → nginx.conf
diff --git a/konklone.advanced.conf b/konklone.advanced.conf
@@ -11,6 +11,7 @@ server {
     server_name konklone.com;
 
     # required: path to certificate and private key
+    # the .crt may omit the root CA cert, if it's a standard CA that ships with clients.
     ssl_certificate /path/to/unified.crt;
     ssl_certificate_key /path/to/my-private-decrypted.key;
 
@@ -29,4 +30,24 @@ server {
     ssl_session_cache   shared:SSL:10m;
     ssl_session_timeout 10m;
     keepalive_timeout   70;
+
+    # nginx 1.5.9+ ONLY
+    ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
+
+    # SPDY header compression (0 for none, 1 for fast/less compression, 9 for slow/heavy compression)
+    spdy_headers_comp 6;
+
+    # OCSP stapling - means nginx will poll the CA for signed OCSP responses, 
+    # and send them to clients so clients don't make their own OCSP calls.
+    # http://en.wikipedia.org/wiki/OCSP_stapling
+    # 
+    # while the ssl_certificate above may omit the root cert if the CA is trusted,
+    # ssl_trusted_certificate below must point to a chain of all certs
+    # in the trust path - (your cert, intermediary certs, root cert)
+    #
+    # 8.8.8.8 below is Google's public DNS server. nginx will use it to talk to the CA.
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.8.8;
+    ssl_trusted_certificate /path/to/all-certs-in-chain.crt;
 }
diff --git a/konklone.advanced.conf b/konklone.advanced.conf
@@ -22,7 +22,7 @@ server {
     #   http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/
     #   https://www.ssllabs.com/ssltest/analyze.html
     ssl_prefer_server_ciphers on;
-    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
+    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
 
     # optional: turn on session resumption, using a 10 min cache shared across nginx processes
     # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html

diff --git a/konklone.advanced.conf b/konklone.advanced.conf
@@ -0,0 +1,32 @@
+server {
+    listen 80;
+    server_name konklone.com;
+    return 301 https://$host$request_uri;
+}
+
+# optional: the 'spdy' at the end of the listen command below turns on SPDY support.
+
+server {
+    listen 443 ssl spdy;
+    server_name konklone.com;
+
+    # required: path to certificate and private key
+    ssl_certificate /path/to/unified.crt;
+    ssl_certificate_key /path/to/my-private-decrypted.key;
+
+    # optional: tell browsers to require SSL (warning: difficult to change your mind)
+    add_header Strict-Transport-Security max-age=31536000;
+
+    # optional: prefer certain ciphersuites, to enforce Perfect Forward Secrecy and avoid known vulnerabilities.
+    # done in consultation with:
+    #   http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/
+    #   https://www.ssllabs.com/ssltest/analyze.html
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
+
+    # optional: turn on session resumption, using a 10 min cache shared across nginx processes
+    # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
+    ssl_session_cache   shared:SSL:10m;
+    ssl_session_timeout 10m;
+    keepalive_timeout   70;
+}
No results found