goodtiding5 · January 15, 2016 23:02
diff --git a/README.md b/README.md
diff --git a/example.com.conf b/example.com.conf
 server {
 	listen		443	ssl;
 	server_name	example.com;

 	# required: path to certificate and private key
 	ssl_certificate			/opt/keys/example.com/example.com.unified.crt;
 	ssl_certificate_key		/opt/keys/example.com/example.com.decrypted.key;
 		
 	# required for OCSP stapling, if any of your vhosts don't have this line, you have to inactivate OCSP stapling in ssl.conf
 	ssl_trusted_certificate		/opt/keys/example.com/example.com.unified+root.crt;

 	# Include global SSL settings
 	include /etc/nginx/ssl.conf;

 	root   /usr/share/nginx/html;
 	index  index.html index.htm;

 	location / {
 		proxy_pass  http://upstream;
 	}
 }
diff --git a/example.org-default.conf b/example.org-default.conf
 server {
 	listen		443	ssl    default_server;
 	server_name	example.org;

 	# required: path to certificate and private key
 	ssl_certificate			/opt/keys/example.org/example.org.unified.crt;
 	ssl_certificate_key		/opt/keys/example.org/example.org.decrypted.key;
 	
 	# required for OCSP stapling, if any of your vhosts don't have this line, you have to inactivate OCSP stapling in ssl.conf
 	ssl_trusted_certificate		/opt/keys/example.org/example.org.unified+root.crt;

 	# Include global SSL settings
 	include /etc/nginx/ssl.conf;

 	root   /usr/share/nginx/html;
 	index  index.html index.htm;

 	location / {
 		proxy_pass  http://upstream;
 	}
 }
diff --git a/ssl.conf b/ssl.conf
 # Basically the nginx configuration I use at konklone.com. 
 # I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
 #
 # To provide feedback, please tweet at @konklone or email [email protected].
 # Comments on gists don't notify the author. 
 # 
 # Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
 # Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.

 # HTTP Strict Transport Security: tells browsers to require https:// without first checking
 # the http:// version for a redirect. Warning: it is difficult to change your mind.
 #
 #    max-age: length of requirement in seconds (31536000 = 1 year)
 #    includeSubdomains: force SSL for *ALL* subdomains (remove if this is not what you want)
 #    preload: indicates you want browsers to ship with HSTS preloaded for your domain.
 #
 #    Submit your domain for preloading in browsers at: https://hstspreload.appspot.com
 #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

 # If you won't/can't turn on HTTPS for *all* subdomains, use this simpler version:
 add_header Strict-Transport-Security 'max-age=31536000';

 # Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
 #
 # Forces forward secrecy in all browsers and clients that can use TLS,
 # but with a small exception (DES-CBC3-SHA) for IE8/XP users.
 #
 # Reference client: https://www.ssllabs.com/ssltest/analyze.html
 ssl_prefer_server_ciphers on;
 ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';

 # Now let's really get fancy, and pre-generate a 2048 bit random parameter
 # for DH elliptic curves. If not created and specified, default is only 1024 bits.
 #
 # Generated by OpenSSL with the following command:
 #   openssl dhparam -outform pem -out dhparam2048.pem 2048
 ssl_dhparam /path/to/dhparam2048.pem;

 # Cut out the old, broken, insecure SSLv2 and SSLv3 entirely.
 ssl_protocols TLSv1.2 TLSv1.1 TLSv1;


 # optional: turn on session resumption, using a 10 min cache shared across nginx processes
 # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
 ssl_session_cache   shared:SSL:10m;
 ssl_session_timeout 10m;
 keepalive_timeout   70;

 # Buffer size of 1400 bytes fits in one MTU.
 # nginx 1.5.9+ ONLY
 ssl_buffer_size 1400;

 # OCSP stapling - means nginx will poll the CA for signed OCSP responses,
 # and send them to clients so clients don't make their own OCSP calls.
 # https://en.wikipedia.org/wiki/OCSP_stapling
 #
 # while the ssl_certificate above may omit the root cert if the CA is trusted,
 # ssl_trusted_certificate below must point to a chain of **all** certs
 # in the trust path - (your cert, intermediary certs, root cert)
 #
 # 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
 # nginx will use them to talk to the CA.
 ssl_stapling on;
 ssl_stapling_verify on;
 resolver 8.8.8.8 8.8.4.4 valid=86400;
 resolver_timeout 10;
	server {
	listen 443 ssl;
	server_name example.com;

	# required: path to certificate and private key
	ssl_certificate /opt/keys/example.com/example.com.unified.crt;
	ssl_certificate_key /opt/keys/example.com/example.com.decrypted.key;

	# required for OCSP stapling, if any of your vhosts don't have this line, you have to inactivate OCSP stapling in ssl.conf
	ssl_trusted_certificate /opt/keys/example.com/example.com.unified+root.crt;

	# Include global SSL settings
	include /etc/nginx/ssl.conf;

	root /usr/share/nginx/html;
	index index.html index.htm;

	location / {
	proxy_pass http://upstream;
	}
	}
	server {
	listen 443 ssl default_server;
	server_name example.org;

	# required: path to certificate and private key
	ssl_certificate /opt/keys/example.org/example.org.unified.crt;
	ssl_certificate_key /opt/keys/example.org/example.org.decrypted.key;

	# required for OCSP stapling, if any of your vhosts don't have this line, you have to inactivate OCSP stapling in ssl.conf
	ssl_trusted_certificate /opt/keys/example.org/example.org.unified+root.crt;

	# Include global SSL settings
	include /etc/nginx/ssl.conf;

	root /usr/share/nginx/html;
	index index.html index.htm;

	location / {
	proxy_pass http://upstream;
	}
	}
	# Basically the nginx configuration I use at konklone.com.
	# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
	#
	# To provide feedback, please tweet at @konklone or email [email protected].
	# Comments on gists don't notify the author.
	#
	# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
	# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.

	# HTTP Strict Transport Security: tells browsers to require https:// without first checking
	# the http:// version for a redirect. Warning: it is difficult to change your mind.
	#
	# max-age: length of requirement in seconds (31536000 = 1 year)
	# includeSubdomains: force SSL for ALL subdomains (remove if this is not what you want)
	# preload: indicates you want browsers to ship with HSTS preloaded for your domain.
	#
	# Submit your domain for preloading in browsers at: https://hstspreload.appspot.com
	#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';

	# If you won't/can't turn on HTTPS for all subdomains, use this simpler version:
	add_header Strict-Transport-Security 'max-age=31536000';

	# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
	#
	# Forces forward secrecy in all browsers and clients that can use TLS,
	# but with a small exception (DES-CBC3-SHA) for IE8/XP users.
	#
	# Reference client: https://www.ssllabs.com/ssltest/analyze.html
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';

	# Now let's really get fancy, and pre-generate a 2048 bit random parameter
	# for DH elliptic curves. If not created and specified, default is only 1024 bits.
	#
	# Generated by OpenSSL with the following command:
	# openssl dhparam -outform pem -out dhparam2048.pem 2048
	ssl_dhparam /path/to/dhparam2048.pem;

	# Cut out the old, broken, insecure SSLv2 and SSLv3 entirely.
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;


	# optional: turn on session resumption, using a 10 min cache shared across nginx processes
	# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	keepalive_timeout 70;

	# Buffer size of 1400 bytes fits in one MTU.
	# nginx 1.5.9+ ONLY
	ssl_buffer_size 1400;

	# OCSP stapling - means nginx will poll the CA for signed OCSP responses,
	# and send them to clients so clients don't make their own OCSP calls.
	# https://en.wikipedia.org/wiki/OCSP_stapling
	#
	# while the ssl_certificate above may omit the root cert if the CA is trusted,
	# ssl_trusted_certificate below must point to a chain of all certs
	# in the trust path - (your cert, intermediary certs, root cert)
	#
	# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
	# nginx will use them to talk to the CA.
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;