Best nginx configuration for improved security (and performance).

nginx.conf

http {
    # nginx won't resolve URLs correctly so we have to provide google's public DNS
    resolver 8.8.8.8;

    #######################
    ### Server side SSL ###
    #######################
    
    # based on: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # Test using: https://www.ssllabs.com/ssltest/

    # disable SSLv2 and SSLv3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
    # use max compatibility and favour performance (excludes DH suites and RC4)
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!CAMELLIA:!RC4:!MD5:!PSK:!aECDH:!kEDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    
    # enables server-side protection from BEAST attacks
    ssl_prefer_server_ciphers on;

    # enable session resumption to improve https performance
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_certificate     /etc/nginx/ssl/domain.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.key;
}