dcnl1980 · June 13, 2016 12:23
diff --git a/nginx-tls.conf b/nginx-tls.conf
 #
 # Name: nginx-tls.conf
 # Auth: Chris van Steenbergen <[email protected]>
 # Date: 13 June 2016
 # Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
 #
 # Enables HTTP2, PFS, HSTS and OCSP stapling. Configuration options not related
 # to SSL/TLS are omitted here.
 #
 # Preparation: Strong 4096 bits DHE parameters (takes time)
 # $ cd /etc/ssl/certs 
 # $ openssl dhparam -out dhparam.pem 4096
 #
 # Let's Encrypt SSL Certificate
 # $ letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d domain.tld -d www.domain.ltd
 #
 # Example: https://www.ssllabs.com/ssltest/analyze.html?d=favoom.com
 #

 server {
  listen [::]:80;
  listen      80;
  server_name domain.tld www.domain.tld;

  # Redirect all non-https requests
  return 301 https://$server_name$request_uri;
 }

 server {
  listen [::]:443 default_server ssl http2;
  listen      443 default_server ssl http2;

  server_name domain.tld www.domain.tld;
  
  # Redirect all non-www to www
  if ($host !~* ^www\.){
        rewrite ^(.*)$ $scheme://www.$host$1;
  }

  # Certificate(s) and private key
  ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/domain.ltd/privkey.pem;

  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  
  ssl_prefer_server_ciphers on;
  ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
  
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_session_timeout 24h;
  ssl_buffer_size 1400;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;

  # Set HSTS
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  
  # Set DHparam
  ssl_ecdh_curve secp384r1;
  ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
  
  # Resolver
  resolver 8.8.4.4 8.8.8.8 valid=300s;
  resolver_timeout 5s;
  
 }
	#
	# Name: nginx-tls.conf
	# Auth: Chris van Steenbergen <[email protected]>
	# Date: 13 June 2016
	# Desc: Nginx SSL/TLS configuration for "A+" Qualys SSL Labs rating
	#
	# Enables HTTP2, PFS, HSTS and OCSP stapling. Configuration options not related
	# to SSL/TLS are omitted here.
	#
	# Preparation: Strong 4096 bits DHE parameters (takes time)
	# $ cd /etc/ssl/certs
	# $ openssl dhparam -out dhparam.pem 4096
	#
	# Let's Encrypt SSL Certificate
	# $ letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d domain.tld -d www.domain.ltd
	#
	# Example: https://www.ssllabs.com/ssltest/analyze.html?d=favoom.com
	#

	server {
	listen [::]:80;
	listen 80;
	server_name domain.tld www.domain.tld;

	# Redirect all non-https requests
	return 301 https://$server_name$request_uri;
	}

	server {
	listen [::]:443 default_server ssl http2;
	listen 443 default_server ssl http2;

	server_name domain.tld www.domain.tld;

	# Redirect all non-www to www
	if ($host !~* ^www\.){
	rewrite ^(.*)$ $scheme://www.$host$1;
	}

	# Certificate(s) and private key
	ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/domain.ltd/privkey.pem;

	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

	ssl_prefer_server_ciphers on;
	ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;
	ssl_session_timeout 24h;
	ssl_buffer_size 1400;

	# OCSP stapling
	ssl_stapling on;
	ssl_stapling_verify on;

	# Set HSTS
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;

	# Set DHparam
	ssl_ecdh_curve secp384r1;
	ssl_dhparam /etc/ssl/certs/dhparam4096.pem;

	# Resolver
	resolver 8.8.4.4 8.8.8.8 valid=300s;
	resolver_timeout 5s;

	}