-
-
Save loodachina/f6255ef4db4e8384f0a5c0e11af04f0e to your computer and use it in GitHub Desktop.
My nginx include for TLS/SSL A+ rating at ssllabs.com/ssltest using nginx/1.13.10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # version 2018 april 09 | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_prefer_server_ciphers on; | |
| # Tolerant (compatibility with WinXP and pre android 5 is bad, but still supports wide range of clients: Compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1!): | |
| ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; | |
| ssl_certificate /etc/letsencrypt/live/yardomain.org/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/yardomain.org/privkey.pem; | |
| ssl_trusted_certificate /etc/letsencrypt/live/yardomain.org/chain.pem; | |
| # Diffie–Hellman key generated using:$ openssl dhparam -dsaparam -out /etc/ssl/dh4096.pem 4096 | |
| ssl_dhparam /etc/ssl/dh4096.pem; | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| # I use dnsmasq for faster lookups, highly recommend it! | |
| resolver 127.0.0.1 [::1]; | |
| resolver_timeout 6s; | |
| # if you don't have ipv6 on your network, like with many cable-ISPs: | |
| # resolver 127.0.0.1 valid=300s ipv6=off; | |
| is also an option if you don't have ipv6 support. | |
| ssl_session_cache shared:SSL:40m; | |
| ssl_session_timeout 21h; | |
| ssl_session_tickets off; | |
| ssl_buffer_size 4k; | |
| # HTTP Strict Transport Security: Tell browsers to require https:// without first checking http:// for a redirect. | |
| # Warning: Set this only after all else is correct, all browsers will remember this setting.. | |
| # | |
| # max-age: length of requirement in seconds (31536000 = 1 year) | |
| # includeSubdomains: force TLS for *ALL* subdomains (remove if different servers host subdomains of the same domainname!) | |
| # preload: indicates you want browsers to ship with HSTS preloaded for your domain. | |
| # | |
| # Submit your domain for preloading in browsers at: https://hstspreload.appspot.com | |
| add_header Strict-Transport-Security "max-age=31536000; preload" always; | |
| # See https://securityheaders.io/ for referer-options: | |
| add_header Referrer-Policy no-referrer-when-downgrade; | |
| # Content Security Policy (CSP) | |
| # https://www.owasp.org/index.php/Content_Security_Policy | |
| add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;"; | |
| # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options | |
| add_header X-Frame-Options "SAMEORIGIN"; | |
| # http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx | |
| add_header X-Content-Type-Options "nosniff"; | |
| # https://wiki.mozilla.org/Security/Features/XSS_Filter | |
| # http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx | |
| add_header X-XSS-Protection "1; mode=block"; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment