Created
September 25, 2014 21:54
[21:54:02] amelia::amelia ➜ ~
» cat /etc/nginx/conf.d/* 1 ↵
# remove SSL completely; use TLS
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# prefer our ciphers, clients requesting something else will
# be told to sod off and pick something from our list
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+HIGH+AES:EDH+HIGH+AES:!PSK:!SRP:!aNULL;
# session cache for requests that is shared between
# workers so they don't need to STARTLS
ssl_session_cache shared:SSL:10m;
# Strict Transport Security for browsers
add_header Strict-Transport-Security max-age=15555000;
# add OCSP stapling so browsers aren't pinging users' browsing habits to CAs
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /radio/keys/ca/ocsp.pem;
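
The `ssl_ciphers` string above is a selector, so what it actually enables depends on the OpenSSL build that expands it. The following is an added example, not part of the original gist: it expands the string with the OpenSSL that Python is linked against (an assumption; nginx may be linked against a different build) and checks that every resulting suite uses ephemeral key exchange, an authenticated handshake and AES. The function names are hypothetical.

```python
import ssl
from collections import Counter

# ssl_ciphers value copied verbatim from the config above.
CIPHER_STRING = "EECDH+HIGH+AES:EDH+HIGH+AES:!PSK:!SRP:!aNULL"


def expand(cipher_string):
    """Suites the local OpenSSL selects for cipher_string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are not governed by this string; leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(suites):
    """Return (suite name, problem) pairs that contradict the config's intent."""
    problems = []
    for c in suites:
        if c["kea"] not in ("kx-ecdhe", "kx-dhe"):
            problems.append((c["name"], "no forward secrecy (%s)" % c["kea"]))
        if c["auth"] == "auth-null":
            problems.append((c["name"], "unauthenticated key exchange"))
        if "AES" not in c["name"]:
            problems.append((c["name"], "bulk cipher is not AES"))
    return problems


def summarize(suites):
    """Count suites by key exchange and by AEAD vs. non-AEAD bulk mode."""
    return Counter((c["kea"], "AEAD" if c["aead"] else "non-AEAD") for c in suites)


if __name__ == "__main__":
    suites = expand(CIPHER_STRING)
    for c in suites:
        print("%-32s %-8s %s" % (c["name"], c["protocol"], c["kea"]))
    print(dict(summarize(suites)))
    print("problems:", audit(suites) or "none")
```

Running the same `audit()` over the expansion of a proposed replacement string shows whether a change would let static-RSA or anonymous suites back in before it reaches the server.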