Skip to content

Instantly share code, notes, and snippets.

@opi

opi/ynh_nginx_ssl.md

Last active August 29, 2015 14:01
Show Gist options
  • Save opi/9d6b86894031253344f4 to your computer and use it in GitHub Desktop.
Save opi/9d6b86894031253344f4 to your computer and use it in GitHub Desktop.
Download ZIP
Experimental Nginx config that will give you an A+ grade on ssllabs.com.
Raw
ynh_nginx_ssl.md

# Yunohost Nginx fine tuning

Experimental Nginx config that will give you an A+ grade on ssllabs.com.

Most of this config could be merged into yunohost default, except the dhparam.pem file creation, because it takes too much time.

Generate dh2048.pem

openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048

## Nginx configuration

In /etc/nginx/conf.d/mydomain.conf, add into server directive:

ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM;
ssl_dhparam /etc/ssl/private/dh2048.pem;
add_header Strict-Transport-Security "max-age=31536000;";

## Sources

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment