@xenithorb
Last active December 6, 2016 17:41
Favorite NGINX SSL settings
# Parts configured from recommendations at:
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html and
# https://cipherli.st/
#ssl_trusted_certificate /etc/letsencrypt/live/[ ]/chain.pem;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
#ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_session_cache shared:SSL:10M;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# Use the following to generate ssl_dhparam:
# $ sudo openssl dhparam -out /etc/pki/tls/private/dhparam.pem 4096
ssl_dhparam /etc/pki/tls/private/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
#resolver 127.0.0.1;
resolver_timeout 5s;
# Only use this with external users if you never intend on using anything but Let's Encrypt
#add_header Public-Key-Pins 'pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000; includeSubDomains';
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
proxy_hide_header Strict-Transport-Security;
proxy_hide_header Public-Key-Pins;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
gzip off;
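`nginx -t` only validates syntax, so a snippet like this is usually reviewed by eye before it goes live. The script below is an added example, not part of the gist: a small policy linter that parses the active (uncommented) `ssl_*` and `add_header` directives and reports the points a reviewer would flag, namely deprecated protocol versions, `ssl_stapling` without a `resolver`, session tickets left on, a `preload` HSTS header with a short `max-age`, and any `Public-Key-Pins` header. `SAMPLE_CONFIG` is copied from the gist's active lines; `HARDENED_CONFIG` is a constructed variant used only for contrast.

```python
"""Lint an nginx TLS configuration snippet for common policy weaknesses."""
import re

# Constructed from the gist's active directives (commented-out lines kept as-is).
SAMPLE_CONFIG = """
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_session_cache shared:SSL:10M;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_dhparam /etc/pki/tls/private/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
#resolver 127.0.0.1;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
"""

# Constructed hardened variant for contrast: modern protocols only, resolver enabled.
HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
"""

# name, then arguments made of quoted strings or non-semicolon text, ending at ';'.
# Anything after the ';' (e.g. an inline '# comment') is ignored.
DIRECTIVE_RE = re.compile(r"""^([a-z_]+)\s+((?:"[^"]*"|'[^']*'|[^;"'])*);""")

DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def parse_directives(text):
    """Return [(name, args)] for active directives; commented-out lines are skipped."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            directives.append((m.group(1), m.group(2).strip()))
    return directives


def lint_tls_config(text):
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings = []
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)

    # Protocol versions: TLS 1.0/1.1 and SSLv2/3 are deprecated and should not be offered.
    for args in by_name.get("ssl_protocols", []):
        for proto in args.split():
            if proto in DEPRECATED_PROTOCOLS:
                findings.append(f"ssl_protocols enables deprecated {proto}")
    if "ssl_protocols" not in by_name:
        findings.append("ssl_protocols not set; nginx default applies")

    # OCSP stapling needs a resolver to reach the responder; a commented-out one does not count.
    if by_name.get("ssl_stapling") == ["on"] and "resolver" not in by_name:
        findings.append("ssl_stapling on but no resolver directive; OCSP fetches may fail")

    # Security headers: collect add_header name -> value (quotes stripped).
    headers = {}
    for args in by_name.get("add_header", []):
        parts = args.split(None, 1)
        value = parts[1].strip("\"'") if len(parts) > 1 else ""
        headers[parts[0].lower()] = value
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        max_age = int(m.group(1)) if m else 0
        if "preload" in hsts.lower() and max_age < 31536000:
            findings.append("HSTS preload requires max-age of at least one year")
    if "public-key-pins" in headers:
        findings.append("Public-Key-Pins is deprecated and risks locking out your own users")

    # Session tickets without key rotation weaken forward secrecy; 'off' is the safe default.
    if by_name.get("ssl_session_tickets", ["on"]) != ["off"]:
        findings.append("ssl_session_tickets not disabled")

    return findings


if __name__ == "__main__":
    for label, cfg in (("gist", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_tls_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the gist's own directives the linter reports the two legacy protocol versions and the stapling-without-resolver mismatch (the gist's `resolver` line is commented out), and nothing for the hardened variant. The parser deliberately stops at the first `;` outside quotes, which is what keeps the HSTS value with its embedded semicolons intact.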