Home Explore Help
Register Sign In
demure
/
dotfiles
Watch 3
Star 3
Fork 3
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
dotfiles
/
system_wide
/
etc
/
nginx
/
snippets
/
nginx.ssl.conf

nginx.ssl.conf 4.1 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 
  1.     ####    Security Headers
    2. 

  2.     ## [WARNING] Strict-Transport-Security will stop HTTP access for specified time.
    3. 

  3.     add_header Strict-Transport-Security "max-age=63072000";
    4. 

  4.     ## [WARNING] X-Frame-Options DENY will break iframed sites.
    5. 

  5.     add_header X-Frame-Options DENY;
    6. 

  6.     add_header X-Content-Type-Options nosniff;
    7. 

  7. 

  8. 

  9.     ## [OPTION] Server Name
    10. 

  10.     ## Commented out, and will be put in each site conf, to allow the rest to work for any subdomain
    11. 

  11.     ssl_certificate /etc/letsencrypt/live/demu.red/fullchain.pem;
    12. 

  12.     ssl_certificate_key /etc/letsencrypt/live/demu.red/privkey.pem;
    13. 

  13.     ssl_trusted_certificate /etc/letsencrypt/live/demu.red/fullchain.pem;
    14. 

  14. 

  15. 

  16.     #### SSL Stapling
    17. 

  17.     ## [WARNING] Requires a valid `ssl_trusted_certificate`
    18. 

  18.     ssl_stapling on;
    19. 

  19.     ssl_stapling_verify on;
    20. 

  20.     ## Google DNS, Open DNS, Dyn DNS.
    21. 

  21.     resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
    22. 

  22.     resolver_timeout 3s;
    23. 

  23. 

  24. 

  25.     ####    Session Tickets
    26. 

  26.     ssl_session_tickets on;
    27. 

  27.     ssl_session_timeout 24h;
    28. 

  28. 

  29.     ## [WARNING] Session Cache must be the same size in all `server` blocks.
    30. 

  30.     ssl_session_cache shared:SSL:100m;
    31. 

  31. 

  32.     ## [WARNING] Session Ticket Key must have been generated.
    33. 

  33.     ## $(openssl rand 48 > ticket.key)
    34. 

  34.     ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
    35. 

  35. 

  36. 

  37.     ####    Diffie-Helman Parameters
    38. 

  38.     ## [WARNING] Diffie-Helman Parameters must have been generated.
    39. 

  39.     ## $(openssl dhparam -out dhparam.pem 4096)
    40. 

  40.     ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    41. 

  41. 

  42. 

  43.     ####    ECDH Curve
    44. 

  44.     ## [OPTION] Select your preferred curve.
    45. 

  45. 

  46.     ## Option 1. [DEFAULT] Typically sufficient.
    47. 

  47.     ssl_ecdh_curve secp384r1;
    48. 

  48. 

  49.     ## Option 2. [WARNING] Slower and breaks some IE on mobiles.
    50. 

  50.     ## Slightly better with a larger generation.
    51. 

  51.     #ssl_ecdh_curve secp521r1;
    52. 

  52. 

  53. 

  54.     ####    Preference & Protocols
    55. 

  55.     ssl_prefer_server_ciphers on;
    56. 

  56.     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    57. 

  57. 

  58. 

  59.     ####    Cipher List
    60. 

  60.     ## [OPTION] Pick on Cipher List from Below.
    61. 

  61.     ## [WARNING] Breaks some browsers on some settings.
    62. 

  62.     ## Option 1. Super-modern, probably not suitable for production, very secure.
    63. 

  63.     ## Option 2. [DEFAULT] Modern, no XP, secure.
    64. 

  64.     ## Option 3. Intermediate, no IE <= 6, less secure.
    65. 

  65. 

  66.     ## Cipher List
    67. 

  67.     ## https://cipherli.st
    68. 

  68.     ## Grade A  (A+ with HSTS at >= 6 Months)
    69. 

  69.     ## 100 % Security
    70. 

  70.     ## Low Compatibility
    71. 

  71.     ## - No Android 2
    72. 

  72.     ## - No Java
    73. 

  73.     ## - No IE < 11
    74. 

  74.     ## Robust Forward Secrecy
    75. 

  75.     #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    76. 

  76. 

  77.     ## [DEFAULT] Mozilla SSL Configuration Generator
    78. 

  78.     ## https://mozilla.github.io/server-side-tls/ssl-config-generator/
    79. 

  79.     ## Nginx for Modern Browsers
    80. 

  80.     ## Grade A (A+ with HSTS at >= 6 Months)
    81. 

  81.     ## 90 % Security
    82. 

  82.     ## Medium Compatibility
    83. 

  83.     ## - No Java 6 (No DH parameters > 1024 bits)
    84. 

  84.     ## - No IE on XP
    85. 

  85.     ## Robust Forward Secrecy
    86. 

  86.     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    87. 

  87. 

  88.     ## Mozilla SSL Configuration Generator
    89. 

  89.     ## https://mozilla.github.io/server-side-tls/ssl-config-generator/
    90. 

  90.     ## Nginx for Intermediate Browsers
    91. 

  91.     ## Grade A-
    92. 

  92.     ## 90 % Security
    93. 

  93.     ## High Compatibility
    94. 

  94.     ## - No Java 6 (No DH parameters > 1024 bits)
    95. 

  95.     ## - No IE 6
    96. 

  96.     ## Some Forward Secrecy
    97. 

  97.     #ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    98. 

  98.