From 020851039bbf7cdea98c74dfbde90722f7df6f27 Mon Sep 17 00:00:00 2001
From: Aitte
Date: Sun, 24 Feb 2013 15:59:30 -0500
Subject: [PATCH] nginx.conf: protect server against the BEAST SSL attack (ref: http://nginx.org/en/docs/http/configuring_https_servers.html)
---
 nginx/nginx.conf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index cb7f488..22af29d 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -90,5 +90,11 @@ http {
 # a specific directory, or on an individual server{} level.
 # gzip_static on;
+ # Protect against the BEAST attack by preferring RC4-SHA when using SSLv3 and TLS protocols.
+ # Note that TLSv1.1 and TLSv1.2 are immune to the beast attack but only work with OpenSSL v1.0.1 and higher and has limited client support.
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+
 include sites-enabled/*;
 }
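Review bot: `ssl_ciphers RC4:HIGH:!aNULL:!MD5;` combined with `ssl_prefer_server_ciphers on;` forces RC4 onto every client, including the TLSv1.1/TLSv1.2 clients the new comment itself calls immune to BEAST, because nginx has no per-protocol cipher list; the mitigation cannot be scoped to SSLv3/TLSv1.0 the way the comment suggests, so it trades a CBC weakness for RC4's known keystream biases (RC4 is now prohibited in TLS by RFC 7465, and SSLv3 is deprecated by RFC 7568). I would drop SSLv3 and lead with AEAD/ECDHE suites instead, e.g. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;`, accepting that TLSv1.0 clients negotiate CBC — BEAST is mitigated client-side by 1/n-1 record splitting in current browsers, which cannot be verified from this hunk. The comment should also read `have limited client support`, and it is worth stating that these directives set defaults for the http{} block only, so any server{} pulled in by `include sites-enabled/*;` may override them. The enclosing http{} block begins before this hunk.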