@Basje
Created September 15, 2016 06:59
Secure TLS configuration for Nginx, with decent browser support
## Include this file in your `server` block listening to secure connections, probably on port 443.
## You can use this statement: `include conf.d/secure-tls;`
## For more information about the settings, please read the following articles:
# - https://wiki.mozilla.org/Security/Server_Side_TLS
# - https://mozilla.github.io/server-side-tls/ssl-config-generator/
# - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# ssl_certificate and ssl_certificate_key are expected to be set in the including server block.
# Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate (server cert first, then intermediates).
# The session cache improves performance by avoiding the costly full handshake where possible.
# Sessions expire after 10 minutes, and are put in a shared cache of 50MB (shared across worker processes).
# Session tickets are disabled because of some security concerns: a long-lived ticket key
# undermines forward secrecy for resumed sessions.
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
# https://www.imperialviolet.org/2013/06/27/botchingpfs.html
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits.
# Generate it once with: openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Intermediate configuration (Mozilla profile at the time of writing).
# TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); keep them only while legacy clients need them.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# Extra info added based on https://hstspreload.appspot.com
# 'always' (nginx 1.7.5+) makes nginx send the header on error responses too; without it
# the header is only added to selected 2xx/3xx responses. Preload submission would
# additionally require a max-age of at least one year and the 'preload' token.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
# ssl_stapling_verify needs the issuer chain configured via ssl_trusted_certificate, and
# ssl_stapling needs a resolver directive to look up the OCSP responder hostname.
ssl_stapling on;
ssl_stapling_verify on;
# Extra security headers
# Based on https://observatory.mozilla.org
# Replace domain.tld with your own domain; 'always' sends the headers on error responses too.
add_header Content-Security-Policy "default-src 'self' https://domain.tld https://*.domain.tld; object-src 'none'; frame-src 'none'; child-src 'none'" always;
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
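As an added example (not part of the gist), a small Python lint that parses directives of the form above and flags what a reviewer would question: deprecated protocol versions, add_header lines without 'always', an HSTS max-age below the six months the gist uses, and ssl_stapling_verify without ssl_trusted_certificate. The sample configuration is constructed from the directives above with comments removed.

```python
import shlex

# Constructed sample: the security-relevant directives from the gist, comments removed.
SAMPLE_CONF = """
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
ssl_stapling on;
ssl_stapling_verify on;
add_header X-Frame-Options SAMEORIGIN always;
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # deprecated (RFC 7568, RFC 8996)
SIX_MONTHS = 15768000  # the HSTS max-age the gist uses

def parse_directives(conf):
    """Yield (name, [args]) for each 'name args;' line; '#' comment lines are skipped."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line.rstrip(";"))  # shlex honours nginx's '...' and "..." quoting
        yield parts[0], parts[1:]

def audit(conf):
    """Return a list of findings for weak or incomplete TLS/header settings."""
    directives = list(parse_directives(conf))
    names = {name for name, _ in directives}
    findings = []
    for name, args in directives:
        if name == "ssl_protocols":
            for legacy in sorted(LEGACY_PROTOCOLS & set(args)):
                findings.append(f"ssl_protocols enables deprecated {legacy}")
        elif name == "ssl_session_tickets" and args != ["off"]:
            findings.append("ssl_session_tickets not off (ticket key undermines forward secrecy)")
        elif name == "add_header":
            header, value = args[0], (args[1] if len(args) > 1 else "")
            if "always" not in args:
                findings.append(f"add_header {header} lacks 'always' (not sent on 4xx/5xx)")
            if header.lower() == "strict-transport-security":
                max_age = int(value.split("max-age=")[1].split(";")[0]) if "max-age=" in value else 0
                if max_age < SIX_MONTHS:
                    findings.append(f"HSTS max-age {max_age} is below six months")
    if "ssl_stapling_verify" in names and "ssl_trusted_certificate" not in names:
        findings.append("ssl_stapling_verify on needs ssl_trusted_certificate (issuer chain)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARN:", finding)
```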