miynat · August 29, 2015 14:07
diff --git a/nginx_1.6.x.conf b/nginx_1.6.x.conf
 # nginx config for A+ SSL Labs rating as of 9-2014
 #  Broad legacy compatibility including IE8/XP, Android 2.3+, openssl 0.9.8 clients
 #  Blocks most bot scans IP probes.
 #
 # *** Assumes: _HOSTNAME_ is replaced ***
 #
 #  Includes OCSP stapling, HSTS Strict Transport security,
 #  session resumption, legacy backwards compatibility (XP, Android 2.3-4.3) 
 # 
 # Requires nginx 1.6.x. See: http://nginx.org/en/linux_packages.html, e.g.:
 #  $ rpm -ivh http://nginx.org/packages/rhel/6/noarch/RPMS/nginx-release-rhel-6-0.el6.ngx.noarch.rpm
 #  $ yum install nginx
 #
 user   nginx;
 worker_processes  auto;
 error_log  /var/log/nginx/error.log;
 pid        /var/run/nginx.pid;
 events {
    worker_connections  1024;
 }
 http {
  root      /usr/share/nginx/_HOSTNAME_;
  include   /etc/nginx/mime.types;
  default_type  application/octet-stream;
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status  "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
  access_log  /var/log/nginx/access.log  main;
  sendfile  on;
  keepalive_timeout  65;
  gzip  on;
  server_tokens off;
  server_names_hash_bucket_size  64;
  ssl_certificate          /etc/nginx/ssl/server.crt;
  ssl_certificate_key      /etc/nginx/ssl/server.key;
  ssl_trusted_certificate  /etc/nginx/ssl/AddTrustExternalCARoot.crt;
  ssl_dhparam              /etc/nginx/ssl/dhparam.pem;
  # Generate: openssl dhparam 2048 -out /etc/nginx/ssl/dhparam.pem
  # Session Resumption
  ssl_session_timeout  20m;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:20m;
  # Enable OCSP stapling (req. nginx v 1.3.7+)
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.4.4 8.8.8.8 valid=300s;
  resolver_timeout 10s;
  # For additional CORS DENY, ALLOW, SAMEORIGIN, etc. options
  #  see: http://enable-cors.org/
  add_header X-Frame-Options DENY;
  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RC4-SHA;
  client_max_body_size 16M;
  # Block IP-based requests
  server {
    listen 80 default_server;
    return 444;
  }
  server {
    listen 443 ssl;
    return 444;
  }
  server {
    listen  80;
    server_name         _HOSTNAME_;
    return 301  https://_HOSTNAME_;
  }
  server {
    listen  443 ssl;
    server_name         _HOSTNAME_;

    # Enable Strict Transport Security (HSTS) (SSL-only)
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
  }
 }
	# nginx config for A+ SSL Labs rating as of 9-2014
	# Broad legacy compatibility including IE8/XP, Android 2.3+, openssl 0.9.8 clients
	# Blocks most bot scans IP probes.
	#
	# * Assumes: _HOSTNAME_ is replaced *
	#
	# Includes OCSP stapling, HSTS Strict Transport security,
	# session resumption, legacy backwards compatibility (XP, Android 2.3-4.3)
	#
	# Requires nginx 1.6.x. See: http://nginx.org/en/linux_packages.html, e.g.:
	# $ rpm -ivh http://nginx.org/packages/rhel/6/noarch/RPMS/nginx-release-rhel-6-0.el6.ngx.noarch.rpm
	# $ yum install nginx
	#
	user nginx;
	worker_processes auto;
	error_log /var/log/nginx/error.log;
	pid /var/run/nginx.pid;
	events {
	worker_connections 1024;
	}
	http {
	root /usr/share/nginx/_HOSTNAME_;
	include /etc/nginx/mime.types;
	default_type application/octet-stream;
	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';
	access_log /var/log/nginx/access.log main;
	sendfile on;
	keepalive_timeout 65;
	gzip on;
	server_tokens off;
	server_names_hash_bucket_size 64;
	ssl_certificate /etc/nginx/ssl/server.crt;
	ssl_certificate_key /etc/nginx/ssl/server.key;
	ssl_trusted_certificate /etc/nginx/ssl/AddTrustExternalCARoot.crt;
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	# Generate: openssl dhparam 2048 -out /etc/nginx/ssl/dhparam.pem
	# Session Resumption
	ssl_session_timeout 20m;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:20m;
	# Enable OCSP stapling (req. nginx v 1.3.7+)
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.4.4 8.8.8.8 valid=300s;
	resolver_timeout 10s;
	# For additional CORS DENY, ALLOW, SAMEORIGIN, etc. options
	# see: http://enable-cors.org/
	add_header X-Frame-Options DENY;
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RC4-SHA;
	client_max_body_size 16M;
	# Block IP-based requests
	server {
	listen 80 default_server;
	return 444;
	}
	server {
	listen 443 ssl;
	return 444;
	}
	server {
	listen 80;
	server_name _HOSTNAME_;
	return 301 https://_HOSTNAME_;
	}
	server {
	listen 443 ssl;
	server_name _HOSTNAME_;

	# Enable Strict Transport Security (HSTS) (SSL-only)
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
	}
	}