rl421403 · August 29, 2015 14:06
diff --git a/nginx.conf b/nginx.conf
 #don't send the nginx version number in error pages and Server header
 server_tokens off;

 # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
 # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
 # config to don't allow the browser to render the page inside an frame or iframe
 # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
 # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
 # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
 add_header X-Frame-Options DENY;

 server {
  listen 443 ssl default deferred;
  server_name .forgott.com;

  ssl_certificate /etc/nginx/ssl/star_forgott_com.crt;
  ssl_certificate_key /etc/nginx/ssl/star_forgott_com.key;

  # enable session resumption to improve https performance
  # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  # enables server-side protection from BEAST attacks
  # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
  ssl_prefer_server_ciphers on;
  # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # ciphers chosen for forward secrecy and compatibility
  # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
  ssl_ciphers 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS';

  # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
  # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
  resolver 8.8.8.8;
  ssl_stapling on;
  ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;

  #... the rest of your configuration
 }

 # redirect all http traffic to https
 server {
  listen 80;
  server_name .forgott.com;
  rewrite ^(.*)$ https://$host$request_uri permanent;
 }
	#don't send the nginx version number in error pages and Server header
	server_tokens off;

	# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
	# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
	# config to don't allow the browser to render the page inside an frame or iframe
	# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
	# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
	add_header X-Frame-Options DENY;

	server {
	listen 443 ssl default deferred;
	server_name .forgott.com;

	ssl_certificate /etc/nginx/ssl/star_forgott_com.crt;
	ssl_certificate_key /etc/nginx/ssl/star_forgott_com.key;

	# enable session resumption to improve https performance
	# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;

	# enables server-side protection from BEAST attacks
	# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
	ssl_prefer_server_ciphers on;
	# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ciphers chosen for forward secrecy and compatibility
	# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
	ssl_ciphers 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS';

	# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
	# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
	resolver 8.8.8.8;
	ssl_stapling on;
	ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;

	#... the rest of your configuration
	}

	# redirect all http traffic to https
	server {
	listen 80;
	server_name .forgott.com;
	rewrite ^(.*)$ https://$host$request_uri permanent;
	}