Update Cipher list to latest add version of STS
Updated latest "intermediate" ciphers from mozilla Add another version of the STS header including subdomains and comments Add note at base to consider ssl-stapling
This commit is contained in:
parent
8ec8a82113
commit
a97cbecd12
|
@ -2,8 +2,8 @@
|
||||||
# SSLv3 to the list of protocols below.
|
# SSLv3 to the list of protocols below.
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
|
||||||
# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
|
# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
|
||||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
|
# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
|
||||||
|
@ -32,9 +32,13 @@ keepalive_timeout 300; # up from 75 secs default
|
||||||
|
|
||||||
# HSTS (HTTP Strict Transport Security)
|
# HSTS (HTTP Strict Transport Security)
|
||||||
# This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
|
# This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
|
||||||
#add_header Strict-Transport-Security max-age=31536000;
|
#add_header Strict-Transport-Security "max-age=31536000;";
|
||||||
|
# This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS
|
||||||
|
#add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
|
||||||
|
|
||||||
# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
|
# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
|
||||||
# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
|
# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
|
||||||
#ssl_certificate /etc/nginx/default_ssl.crt;
|
#ssl_certificate /etc/nginx/default_ssl.crt;
|
||||||
#ssl_certificate_key /etc/nginx/default_ssl.key;
|
#ssl_certificate_key /etc/nginx/default_ssl.key;
|
||||||
|
|
||||||
|
# Consider using OCSP Stapling as shown in ssl-stapling.conf
|
||||||
|
|
Loading…
Reference in New Issue