tubbymemes/conf/nginx-ssl.conf

## SSL Certs are referenced in the actual Nginx config per-vhost
# Disable insecure SSL v2. Also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy.
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Strong ciphers for PFS
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# Use server's preferred cipher, not the client's
# ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
# Use ephemeral 4096 bit DH key for PFS
#ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Use OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 5s;
# Enable HTTP Strict Transport
add_header Strict-Transport-Security "max-age=0;";
add_header X-Frame-Options "DENY";
adding configs and readme details 3 years ago			`## SSL Certs are referenced in the actual Nginx config per-vhost`
			`# Disable insecure SSL v2. Also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy.`
			`# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`
			`# Strong ciphers for PFS`
			`ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';`
			`# Use server's preferred cipher, not the client's`
			`# ssl_prefer_server_ciphers on;`
			`ssl_session_cache shared:SSL:10m;`
			`# Use ephemeral 4096 bit DH key for PFS`
			`#ssl_dhparam /etc/ssl/certs/dhparam.pem;`
			`# Use OCSP stapling`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`
			`resolver 8.8.8.8 1.1.1.1 valid=300s;`
			`resolver_timeout 5s;`
			`# Enable HTTP Strict Transport`
			`add_header Strict-Transport-Security "max-age=0;";`
			`add_header X-Frame-Options "DENY";`