Permalink
Fetching contributors…
Cannot retrieve contributors at this time
34 lines (26 sloc) 1.67 KB
ssl_certificate_key {{ssl_key_path}};
ssl_certificate {{ssl_cert_path}};
## Use a shared session cache for all workers.
## A 10mb cache will support ~40,000 SSL sessions
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
## This protocol/cipher list provides maximum security but leaves some
## extremely old user agents out in the cold, namely Android <= 2.3.7
## and IE <= 8 on WinXP, and some search engine crawlers.
# ssl_ciphers "AES256+EECDH:AES256+EDH:!aNULL";
## Use OCSP Stapling unless explicitly disabled with the
## `ssl_disable_oscp_stapling` flag. Resolver is set up to use the OpenDNS
## public DNS resolution service (208.67.222.222 and 208.67.220.220)
ssl_stapling on;
ssl_stapling_verify on;
resolver 208.67.222.222 208.67.220.220 valid=300s;
resolver_timeout 10s;
## Always prefer the server cipher ordering, don't let the client choose.
ssl_prefer_server_ciphers on;
## Use a custom parameter for stronger DHE key exchange. Must be
## generated during the provisioning process with
## `openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096`
ssl_dhparam {{dhe_param_path}};
add_header Strict-Transport-Security max-age=63072000;
add_header X-Content-Type-Options nosniff;