@hellekin
Last active December 19, 2015 09:39
Get an 'A' at SSL Labs with Nginx, and protect your users with perfect forward secrecy. https://www.ssllabs.com/ssltest/index.html

```nginx
server {
    listen 443 ssl;
    server_name snowden.example.net;
    root /privacy/matters;
    index index.html;

    # "ssl on;" is redundant with "listen 443 ssl;" and has been deprecated since nginx 1.15.0.
    ssl on;
    ssl_certificate ssl/example.net/snowden.crt.pem;
    ssl_certificate_key ssl/example.net/snowden.key.pem;

    # --------------------%<---------------------------------
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;
    # TLSv1 and TLSv1.1 have since been deprecated (RFC 8996).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # ECDHE suites come first so that forward secrecy is preferred; "!EDH" drops the slow DHE suites.
    # RC4 has since been prohibited for TLS (RFC 7465) and SSL Labs now caps the grade of servers
    # that offer it; the bare "RC4" and "HIGH" groups also admit non-forward-secret RSA key exchange.
    ssl_ciphers ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH;
    # --------------------%<---------------------------------

    # Future ciphers (no browser seems to pick them up yet, and they must be quite slow on low-end computers anyway)
    # ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH;

    # Extra security... YMMV.
    add_header X-Frame-Options SAMEORIGIN;
    # Access-Control-Allow-Origin accepts exactly one origin, "*" or "null"; browsers do not
    # honour a wildcard subdomain pattern such as *.example.net, so this header is ineffective as written.
    add_header Access-Control-Allow-Origin *.example.net;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    # Beware of CSP: if you're using CDN, video providers, etc., you need to allow them too.
    # If you're paranoid, use self-hosting. You have many reasons to be. Especially non-US businesses,
    # or if you're a small, brown-skinned, fat guy who speaks Spanish.
    # X-Content-Security-Policy is the pre-standard header name; the standardised one is Content-Security-Policy.
    # CSP directive names take no colon and keyword sources must be quoted: "connect-src 'none'", not "connect-src: none".
    add_header X-Content-Security-Policy "default-src 'self'; connect-src 'none'";
    # Limit requests to HEAD, GET, and POST
    # Recommended if you're not using WebDAV
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }
    # More configuration...
}
```
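The gist's cipher string mixes named ECDHE suites with the bare `RC4` and `HIGH` groups, so whether a given connection gets forward secrecy depends on what the client offers. The following script is an added example, not part of the gist: it parses the TLS-relevant nginx directives offline and reports the points SSL Labs now penalises (legacy protocol versions, RC4, cipher groups that admit static-RSA key exchange, and the malformed CSP directive). `WEAK_CONF` copies the gist's own directives; `HARDENED_CONF` is an illustrative modern alternative I constructed (it assumes an RSA certificate), and all function names are mine. `expand_ciphers` asks the local OpenSSL what a cipher string resolves to, which may differ per build (OpenSSL 3 omits RC4 from its default provider), so the audit itself relies only on the cipher-list grammar.

```python
"""Offline audit of nginx TLS directives against current guidance (added example)."""
import re
import shlex
import ssl

# Constructed input: the gist's TLS directives, copied verbatim.
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4:HIGH:!MD5:!aNULL:!EDH;
add_header X-Content-Security-Policy "default-src 'self'; connect-src: none";
"""

# Constructed input: an illustrative modern equivalent (assumes an RSA certificate).
HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
add_header Content-Security-Policy "default-src 'self'; connect-src 'none'";
"""

DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+(.*);\s*$")
# OpenSSL cipher-list tokens whose every member uses ephemeral (forward-secret) key exchange.
PFS_PREFIXES = ("ECDHE-", "DHE-", "ECDHE", "DHE", "EECDH", "EDH", "kEECDH", "kEDH")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CSP_COLON = re.compile(r"\b[a-z]+-src\s*:")  # "connect-src:" is not valid CSP syntax


def parse_directives(conf):
    """Map directive name -> list of argument lists (a directive may repeat)."""
    out = {}
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            # shlex handles nginx's quoted header values, including nested single quotes.
            out.setdefault(m.group(1), []).append(shlex.split(m.group(2)))
    return out


def audit_cipher_string(spec):
    """Findings derived from the cipher-list grammar alone, independent of the OpenSSL build."""
    findings = []
    tokens = [t for t in spec.split(":") if t]
    positive = [t for t in tokens if t[0] not in "!-+"]
    negated = {t[1:] for t in tokens if t.startswith("!")}
    if any("RC4" in t for t in positive) and "RC4" not in negated:
        findings.append("RC4 is enabled; RFC 7465 prohibits it and SSL Labs caps the grade")
    # A positive token without an ephemeral-key-exchange prefix (e.g. RC4, HIGH, AES128-SHA)
    # can match static-RSA suites unless those are excluded with !kRSA.
    non_pfs = [t for t in positive if not t.startswith(PFS_PREFIXES)]
    if non_pfs and "kRSA" not in negated:
        findings.append("forward secrecy not guaranteed: %s admit static-RSA key exchange"
                        % ", ".join(non_pfs))
    return findings


def audit(conf):
    """Return a list of human-readable findings for one nginx TLS block."""
    d = parse_directives(conf)
    findings = []
    for args in d.get("ssl_protocols", []):
        legacy = [p for p in args if p in LEGACY_PROTOCOLS]
        if legacy:
            findings.append("deprecated protocols enabled: %s (RFC 8996)" % " ".join(legacy))
    for args in d.get("ssl_ciphers", []):
        findings.extend(audit_cipher_string(args[0]))
    for args in d.get("add_header", []):
        if len(args) >= 2 and args[0].lower().endswith("content-security-policy"):
            if CSP_COLON.search(args[1]):
                # "connect-src:" is an unknown directive name, so browsers ignore it and
                # connect-src silently falls back to default-src.
                findings.append("CSP directive written with a colon; browsers ignore it")
            if args[0].lower().startswith("x-"):
                findings.append("X-Content-Security-Policy is pre-standard; use Content-Security-Policy")
    return findings


def expand_ciphers(spec):
    """Resolve the string with the local OpenSSL; returns [(name, kea)] or None if rejected."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.set_ciphers(spec)
        return [(c["name"], c["kea"]) for c in ctx.get_ciphers()]
    except ssl.SSLError:
        return None


if __name__ == "__main__":
    for label, conf in (("gist", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("== %s ==" % label)
        for f in audit(conf) or ["no findings"]:
            print(" -", f)
        suites = expand_ciphers(parse_directives(conf)["ssl_ciphers"][0][0])
        if suites is not None:
            non_pfs = [n for n, kea in suites if kea not in ("kx-ecdhe", "kx-dhe", "kx-any")]
            print(" local OpenSSL resolves to %d suites, %d without forward secrecy"
                  % (len(suites), len(non_pfs)))
```

Run it without arguments to compare both blocks; the per-build suite count printed at the end is informational only, since the gist's `ssl_ciphers` string may be rejected outright by an OpenSSL that no longer ships RC4.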