mailinabox commit 51dd2ed7, authored Jun 03, 2014 by Joshua Tauberer
update nginx SSL options, fixes #61
Parent: c54b0cbe
Changes: 1 changed file, 49 additions and 20 deletions (side-by-side diff)

conf/nginx-ssl.conf (+49, -20)
# https://gist.github.com/konklone/6532544
#
from:
https://gist.github.com/konklone/6532544
##########################################
##########################################
#########################################
# required: path to certificate and private key
# Basically the nginx configuration I use at konklone.com.
# the .crt may omit the root CA cert, if it's a standard CA that ships with clients.
# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
#
# To provide feedback, please tweet at @konklone or email eric@konklone.com.
# Comments on gists don't notify the author.
#
# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.
# Path to certificate and private key.
# The .crt may omit the root CA cert, if it's a standard CA that ships with clients.
#ssl_certificate /path/to/unified.crt;
#ssl_certificate /path/to/unified.crt;
#ssl_certificate_key /path/to/my-private-decrypted.key;
#ssl_certificate_key /path/to/my-private-decrypted.key;
#
optional: t
ell browsers to require SSL (warning: difficult to change your mind)
#
T
ell browsers to require SSL (warning: difficult to change your mind)
add_header
Strict
-
Transport
-
Security
max
-
age
=
31536000
;
add_header
Strict
-
Transport
-
Security
max
-
age
=
31536000
;
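Review bot: `add_header Strict-Transport-Security max-age=31536000;` is carried over unchanged, but nginx's add_header is not inherited additively: any server or location block that declares an add_header of its own drops every add_header from the enclosing levels, so HSTS silently disappears on those paths when this file is included from a server block. Worth stating that caveat beside the "difficult to change your mind" warning, or at least checking with `curl -sI https://<host>/` that Strict-Transport-Security is present on the locations that matter. Separately, the new header block imports the gist's feedback instructions ("please tweet at @konklone or email ..."); the source URL on the first line is enough provenance for a config that ships with the project, and the contact lines can go.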
# optional: prefer certain ciphersuites, to enforce Perfect Forward Secrecy and avoid known vulnerabilities.
# Prefer certain ciphersuites, to enforce Forward Secrecy and avoid known vulnerabilities.
# done in consultation with:
#
# http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/
# Forces forward secrecy in all browsers and clients that can use TLS,
# https://www.ssllabs.com/ssltest/analyze.html
# but with a small exception (DES-CBC3-SHA) for IE8/XP users.
#
# Reference client: https://www.ssllabs.com/ssltest/analyze.html
ssl_prefer_server_ciphers
on
;
ssl_prefer_server_ciphers
on
;
ssl_ciphers
ECDHE
-
RSA
-
AES256
-
GCM
-
SHA384
:
ECDHE
-
RSA
-
AES256
-
SHA384
:
ECDHE
-
RSA
-
AES128
-
GCM
-
SHA256
:
ECDHE
-
RSA
-
AES128
-
SHA256
:
ECDHE
-
RSA
-
RC4
-
SHA
:
ECDHE
-
RSA
-
AES256
-
SHA
:
RC4
-
SHA
:
AES256
-
GCM
-
SHA384
:
AES256
-
SHA256
:
CAMELLIA256
-
SHA
:
ECDHE
-
RSA
-
AES128
-
SHA
:
AES128
-
GCM
-
SHA256
:
AES128
-
SHA256
:
AES128
-
SHA
:
CAMELLIA128
-
SHA
;
ssl_ciphers
'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'
;
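Review bot: the new ssl_ciphers value is an OpenSSL cipher-list expression rather than the explicit suite list on the old side, so the suites actually offered depend on the OpenSSL build nginx links against; verify the expansion with `openssl ciphers -v '<the string>'` and confirm that every resolved suite reports Kx=ECDH or Kx=DH, with DES-CBC3-SHA (Kx=RSA, no forward secrecy) as the only exception the comment promises for IE8/XP. The `+SHA` term moves every SHA-1 suite, DES-CBC3-SHA included, to the end of the list, which is what makes `ssl_prefer_server_ciphers on;` meaningful here. The change also removes the RC4 suites the old list offered (ECDHE-RSA-RC4-SHA, RC4-SHA) through `!RC4`; that is the main security change in this block and deserves a line in the comment.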
# Cut out (the old, broken) SSLv3 entirely.
# This **excludes IE6 users** and (apparently) Yandexbot.
# Just comment out if you need to support IE6, bless your soul.
ssl_protocols
TLSv1
.
2
TLSv1
.
1
TLSv1
;
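Review bot: the old side had no ssl_protocols line at all, which left nginx's default in effect, and releases before 1.9.1 defaulted to "SSLv3 TLSv1 TLSv1.1 TLSv1.2", so the comment could say that SSLv3 was previously enabled rather than only that it is now cut out. After deploying, `openssl s_client -connect <host>:443 -ssl3` should fail to handshake. Note also that the TLSv1.1 and TLSv1.2 parameters only take effect when nginx is built against OpenSSL 1.0.1 or later; on an older library the directive leaves just TLSv1 available.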
#
optional: turn on session resumption, using a 10 min cache shared across nginx processes
#
Turn on session resumption, using a 10 min cache shared across nginx processes,
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_session_cache
shared
:
SSL
:
10
m
;
ssl_session_cache
shared
:
SSL
:
10
m
;
ssl_session_timeout
10
m
;
ssl_session_timeout
10
m
;
keepalive_timeout
70
;
keepalive_timeout
70
;
# Buffer size of 1400 bytes fits in one MTU.
# nginx 1.5.9+ ONLY
# nginx 1.5.9+ ONLY
#ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
#ssl_buffer_size 1400;
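Review bot: the comment "using a 10 min cache shared across nginx processes" misreads `ssl_session_cache shared:SSL:10m;`; the 10m there is the size of the shared-memory zone (10 MB, roughly 4000 sessions per megabyte per the nginx docs), and the ten minutes comes from `ssl_session_timeout 10m;` on the following line. Suggest "a 10 MB cache shared across worker processes, with sessions valid for 10 minutes". On builds where TLS session tickets are on (the OpenSSL default), resumption also happens via tickets whose key is generated at config load and kept until the next reload, so resumed sessions are only as forward-secret as that key; a one-line note next to the forward-secrecy claim in the cipher comment would keep readers from assuming ECDHE alone settles it.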
# SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6.
#
# BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3.
# Disable with 0, until using a version of nginx with SPDY 4.
spdy_headers_comp
0
;
# Now let's really get fancy, and pre-generate a 2048 bit random parameter
# for DH elliptic curves. If not created and specified, default is only 1024 bits.
#
# Generated by OpenSSL with the following command:
# openssl dhparam -outform pem -out dhparam2048.pem 2048
#
# Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
#ssl_dhparam /path/to/dhparam2048.pem;
# SPDY header compression (0 for none, 1 for fast/less compression, 9 for slow/heavy compression)
spdy_headers_comp
6
;
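Review bot: `#ssl_dhparam /path/to/dhparam2048.pem;` stays commented out while the cipher list above admits `kEDH+AES128 kEDH+AES256`, so any client that negotiates a DHE suite gets the 1024-bit default group the comment itself calls out; either uncomment it with a generated file (the `openssl dhparam -outform pem -out dhparam2048.pem 2048` command is already in the comment) or drop kEDH from the list. The wording "a 2048 bit random parameter for DH elliptic curves" is also wrong: dhparam produces a finite-field Diffie-Hellman prime and generator used only by the DHE (kEDH) suites and has nothing to do with the elliptic-curve ECDHE (kEECDH) suites. Moving `spdy_headers_comp` from 6 to 0 is correct for the compression-oracle problem the comment describes and is a security fix in its own right; it deserves a mention in the commit message alongside the cipher changes.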
# OCSP stapling - means nginx will poll the CA for signed OCSP responses,
# OCSP stapling - means nginx will poll the CA for signed OCSP responses,
# and send them to clients so clients don't make their own OCSP calls.
# and send them to clients so clients don't make their own OCSP calls.
# http://en.wikipedia.org/wiki/OCSP_stapling
# http://en.wikipedia.org/wiki/OCSP_stapling
#
#
# while the ssl_certificate above may omit the root cert if the CA is trusted,
# while the ssl_certificate above may omit the root cert if the CA is trusted,
# ssl_trusted_certificate below must point to a chain of
all
certs
# ssl_trusted_certificate below must point to a chain of
**all**
certs
# in the trust path - (your cert, intermediary certs, root cert)
# in the trust path - (your cert, intermediary certs, root cert)
#
#
# 8.8.8.8 below is Google's public DNS server. nginx will use it to talk to the CA.
# 8.8.8.8 and 8.8.4.4 below are Google's public IPv4 DNS servers.
#
# nginx will use them to talk to the CA.
# If the issuer certificate is not found (e.g. the certificate is self-signed),
# nginx will skip this with the warning: '"ssl_stapling" ignored, issuer certificate not found'.
ssl_stapling
on
;
ssl_stapling
on
;
ssl_stapling_verify
on
;
ssl_stapling_verify
on
;
resolver
8
.
8
.
8
.
8
;
resolver
8
.
8
.
8
.
8
8
.
8
.
4
.
4
valid
=
86400
;
resolver_timeout
10
;
#ssl_trusted_certificate /path/to/all-certs-in-chain.crt;
#ssl_trusted_certificate /path/to/all-certs-in-chain.crt;
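Review bot: `ssl_stapling_verify on;` is enabled but `#ssl_trusted_certificate /path/to/all-certs-in-chain.crt;` stays commented out, and the comment above says the file handed to ssl_certificate may omit the root. nginx can only verify a stapled response when the issuer, intermediates and root are available through ssl_trusted_certificate (or a full chain in ssl_certificate); otherwise verification fails and nginx simply stops stapling and logs it, rather than failing the handshake, so the breakage is invisible to clients. Either set ssl_trusted_certificate in the same change or have the comment say that stapling is inert until it is set, and check with `openssl s_client -connect <host>:443 -status` for "OCSP Response Status: successful". On `resolver 8.8.8.8 8.8.4.4 valid=86400;`: this sends the box's OCSP-responder lookups to Google over plain UDP and pins the answer for a day regardless of the record's TTL; if the host runs its own resolver, 127.0.0.1 is the better default for a mail server, and a shorter `valid=` would cope with a CA moving its responder.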