claar · August 29, 2015 14:11
diff --git a/nginx.conf b/nginx.conf
        ##
        # Global SSL settings - nginx.conf in http section
        ##
        
        ##
        # For additional performance, enable SPDY support for each site by changing the:
        #
        #   listen 443 ssl;
        #
        # line to:
        #
        #   listen 443 ssl spdy;
        ##
        
        ##
        # For SSL sites, I put this in the ssl section of each site's config:
        #         
        #   Enable HSTS -- tell browser this domain and its subdomains should only be accessed via HTTPS for the next 365 days
        #   add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        #
        # Be careful with the includeSubdomains directive -- obviously if subdomains shouldn't be forced HTTPS, don't use that
        # directive.
        ##
        # Fix POODLE
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # Session resuming / abbreviated handshake for 100ms performance improvement
        # Enable SSL session caching for improved performance
        # http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
        # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
        ssl_session_cache shared:ssl_session_cache:10m;

        # These ciphers are a subset of FIPS-complient ciphers -- note that IE8 doesn't support any of these ciphers, so 
        # if you need IE8 support, consider using:
        #
        #   ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL;    # https://community.qualys.com/thread/12182
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA;
        ssl_prefer_server_ciphers on;

        # Enable SSL OCSP stapling -- improves performance and helps CAs
        # http://en.wikipedia.org/wiki/OCSP_stapling
        ssl_stapling on;
        ssl_stapling_verify on;
	##
	# Global SSL settings - nginx.conf in http section
	##

	##
	# For additional performance, enable SPDY support for each site by changing the:
	#
	# listen 443 ssl;
	#
	# line to:
	#
	# listen 443 ssl spdy;
	##

	##
	# For SSL sites, I put this in the ssl section of each site's config:
	#
	# Enable HSTS -- tell browser this domain and its subdomains should only be accessed via HTTPS for the next 365 days
	# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
	#
	# Be careful with the includeSubdomains directive -- obviously if subdomains shouldn't be forced HTTPS, don't use that
	# directive.
	##
	# Fix POODLE
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# Session resuming / abbreviated handshake for 100ms performance improvement
	# Enable SSL session caching for improved performance
	# http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
	# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
	ssl_session_cache shared:ssl_session_cache:10m;

	# These ciphers are a subset of FIPS-complient ciphers -- note that IE8 doesn't support any of these ciphers, so
	# if you need IE8 support, consider using:
	#
	# ssl_ciphers FIPS@STRENGTH:!aNULL:!eNULL; # https://community.qualys.com/thread/12182
	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA;
	ssl_prefer_server_ciphers on;

	# Enable SSL OCSP stapling -- improves performance and helps CAs
	# http://en.wikipedia.org/wiki/OCSP_stapling
	ssl_stapling on;
	ssl_stapling_verify on;
No results found