@rBurgett
Created November 26, 2015 03:25
Configuration to get an A+ on the Qualys SSL Labs test with fast-performing, low-overhead SSL ciphers. Works in combination with nginx 1.6.0 (full) and OpenSSL v1.0.1i.
# I've used the configuration below for all my nginx instances and gotten an A+ on the Qualys SSL Test
# (https://www.ssllabs.com/ssltest/index.html). It satisfies requirements for PCI Compliance and
# FIPS. Includes OCSP Stapling (http://en.wikipedia.org/wiki/OCSP_stapling) and HTTP Strict Transport
# Security (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security).
# - Not vulnerable to the Heartbleed attack.
# - Not vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) with OpenSSL v1.0.1i 6 Aug 2014 & Nginx 1.6.0
# - SSL Handshake takes <80ms on most modern server hardware
# Use within the "server" scope among other directives
server {
    ## Tell Nginx to listen on port 443, use SSL and SPDY
    listen 443 ssl spdy;
    ## Send header to tell the browser to prefer https to http traffic
    add_header Strict-Transport-Security max-age=31536000;
    ## Use TLS instead of SSL. Causes compatibility issues with some Java clients
    ## and older versions of IE, but is more secure.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ## Use more secure and less CPU-taxing ciphers compared to the nginx defaults
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
    ## Specifies that server ciphers should be preferred over client ciphers
    ssl_prefer_server_ciphers on;
    ## Enables all nginx worker processes to share SSL session information
    ssl_session_cache shared:SSL:30m;
    ## Increases the amount of time SSL session information in the cache is valid
    ssl_session_timeout 30m;
    ## File containing the chain of domain and intermediate certificates
    ssl_certificate /path/to/ssl/domain-intermediate-cert.crt;
    ## File containing the private key
    ssl_certificate_key /path/to/ssl/private.key;
    ## Specifies a file with DH parameters for EDH ciphers
    ## Run "openssl dhparam -out /path/to/ssl/dhparam.pem 2048" in
    ## a terminal to generate it
    ssl_dhparam /path/to/ssl/dhparam.pem;
    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
    ## File containing the root certificate from the SSL issuer
    ssl_trusted_certificate /path/to/ssl/root.crt;
}
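As an added check that is not part of the gist, the following Python audits a server block like the one above and flags the settings that have aged since it was written: legacy protocol versions, 3DES suites, DHE suites without ssl_dhparam, stapling without verification, and a missing or short HSTS max-age. It assumes the one-directive-per-line layout used here; the sample config is a constructed copy of the directives above, and the one-year HSTS floor is my own threshold.

```python
import re

# Constructed sample: the TLS directives from the gist above, so the audit runs offline.
SAMPLE_CONF = """
server {
    listen 443 ssl spdy;
    add_header Strict-Transport-Security max-age=31536000;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /path/to/ssl/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/ssl/root.crt;
}
"""
# One "name value;" directive per line; nginx allows more layouts, but this covers the gist.
DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+(.*?);\s*$", re.M)

def parse_directives(conf):
    """Map directive name -> list of raw values, with '#' comments stripped."""
    stripped = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    found = {}
    for name, value in DIRECTIVE.findall(stripped):
        found.setdefault(name, []).append(value.strip())
    return found

def audit_tls(conf):
    """Return findings for settings that have aged since 2015; [] means nothing flagged."""
    d = parse_directives(conf)
    findings = []
    protos = set(" ".join(d.get("ssl_protocols", [])).split())
    legacy = sorted(protos & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    suites = ":".join(d.get("ssl_ciphers", [])).split(":")
    if any("3DES" in s for s in suites):
        findings.append("3DES (64-bit block cipher) offered")
    if any(s.startswith("DH") for s in suites) and "ssl_dhparam" not in d:
        findings.append("DHE suites offered without ssl_dhparam")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    if d.get("ssl_stapling") == ["on"] and (
            d.get("ssl_stapling_verify") != ["on"] or "ssl_trusted_certificate" not in d):
        findings.append("OCSP stapling enabled without verify + trusted certificate")
    hsts = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', " ".join(d.get("add_header", [])))
    if not hsts or int(hsts.group(1)) < 31536000:  # one-year floor is my chosen threshold
        findings.append("HSTS missing or max-age below one year")
    return findings
```

Run against the gist's own directives it reports only the TLSv1/TLSv1.1 and 3DES findings; the OCSP, DH and HSTS settings above pass.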