## SSL Certs are referenced in the actual Nginx config per-vhost # Disable insecure SSL v2. Also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy. # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Strong ciphers for PFS ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; # Use server's preferred cipher, not the client's # ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; # Use ephemeral 4096 bit DH key for PFS #ssl_dhparam /etc/ssl/certs/dhparam.pem; # Use OCSP stapling ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 1.1.1.1 valid=300s; resolver_timeout 5s; # Enable HTTP Strict Transport add_header Strict-Transport-Security "max-age=0;"; add_header X-Frame-Options "DENY";