server-configs-nginx/h5bp/ssl/ssl_engine.conf

# ----------------------------------------------------------------------
# | SSL engine                                                         |
# ----------------------------------------------------------------------

# (1) Optimize SSL by caching session parameters for 10 minutes.
#     This cuts down on the number of expensive SSL handshakes.
#     By enabling a cache, we tell the client to re-use the already
#     negotiated state.
#     A 1Mb cache can hold about 4000 sessions, so we can hold 40000 sessions.
#
# (2) Use a higher keepalive timeout to reduce the need for repeated handshakes
#     (!) Shouldn't be done unless you serve primarily HTTPS.
#     Default is 75s
#
# (3) SSL buffer size
#     Set 1400 bytes to fit in one MTU.
#     https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
#
# (4) Disable session tickets
#     Session tickets keys are not auto-rotated. Only a HUP / restart will do
#     so and when a restart is performed the previous key is lost, which resets
#     all previous sessions.
#     Only enable session tickets if you set up a manual rotation mechanism.
#     https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#     https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#
# (5) Basic security improvements

# (1)
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h;

# (2)
keepalive_timeout 300s;

# (3)
# ssl_buffer_size 1400;

# (4)
ssl_session_tickets off;

# (5)
ssl_prefer_server_ciphers on;
Split SSL config Prepare #180 2018-11-25 19:13:33 +01:00			`# ----------------------------------------------------------------------`
			`# \| SSL engine \|`
			`# ----------------------------------------------------------------------`

Improve SSL directives declarations, order and descriptions 2018-12-02 12:47:06 +01:00			`# (1) Optimize SSL by caching session parameters for 10 minutes.`
			`# This cuts down on the number of expensive SSL handshakes.`
			`# By enabling a cache, we tell the client to re-use the already`
			`# negotiated state.`
			`# A 1Mb cache can hold about 4000 sessions, so we can hold 40000 sessions.`
Split SSL config Prepare #180 2018-11-25 19:13:33 +01:00			`#`
Improve SSL directives declarations, order and descriptions 2018-12-02 12:47:06 +01:00			`# (2) Use a higher keepalive timeout to reduce the need for repeated handshakes`
			`# (!) Shouldn't be done unless you serve primarily HTTPS.`
			`# Default is 75s`
			`#`
			`# (3) SSL buffer size`
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			`# Set 1400 bytes to fit in one MTU.`
Improve SSL directives declarations, order and descriptions 2018-12-02 12:47:06 +01:00			`# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size`
			`#`
			`# (4) Disable session tickets`
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			`# Session tickets keys are not auto-rotated. Only a HUP / restart will do`
			`# so and when a restart is performed the previous key is lost, which resets`
			`# all previous sessions.`
			`# Only enable session tickets if you set up a manual rotation mechanism.`
Improve SSL directives declarations, order and descriptions 2018-12-02 12:47:06 +01:00			`# https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx`
			`# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets`
			`#`
			`# (5) Basic security improvements`

			`# (1)`
Split SSL config Prepare #180 2018-11-25 19:13:33 +01:00			`ssl_session_cache shared:SSL:10m;`
			`ssl_session_timeout 24h;`

Improve SSL directives declarations, order and descriptions 2018-12-02 12:47:06 +01:00			`# (2)`
			`keepalive_timeout 300s;`

			`# (3)`
Split SSL config Prepare #180 2018-11-25 19:13:33 +01:00			`# ssl_buffer_size 1400;`

Improve SSL directives declarations, order and descriptions 2018-12-02 12:47:06 +01:00			`# (4)`
Split SSL config Prepare #180 2018-11-25 19:13:33 +01:00			`ssl_session_tickets off;`

Improve SSL directives declarations, order and descriptions 2018-12-02 12:47:06 +01:00			`# (5)`
			`ssl_prefer_server_ciphers on;`