Commit 1b146165 authored by Aral Balkan's avatar Aral Balkan

Latest SSL settings.

parent 3f6924cd
......@@ -2,8 +2,11 @@
# Better.fyi Web Site. (HTTPS server.)
#
server {
listen 443;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {SERVER_NAMES};
ssl on;
ssl_certificate /etc/letsencrypt/certs/archive.better.fyi/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/certs/archive.better.fyi/privkey.pem;
......@@ -15,16 +18,35 @@ server {
# (See https://weakdh.org/sysadmin.html for details on generating your own.)
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
# As recommended by cipherli.st (Aug, 2016).
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# As recommended by cipherli.st (Aug, 2016).
# Also see http://security.stackexchange.com/a/100995
ssl_ecdh_curve secp384r1;
ssl_ecdh_curve secp521r1;
# Other cipherli.st recommendations
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# Implement HSTS
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; # (63072000 seconds = 2 years)
# Implement OCSP Stapling
# (Speed up SSL and improve privacy by not requiring calls to certificate authority)
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/certs/archive.better.fyi/chain.pem;
# --- End of SSL-specific setup ---
# X-Xss-Protection
# See: https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
add_header X-Xss-Protection "1; mode=block" always;
# Serve the static site.
root /home/ubuntu/archive/;
index index.html index.htm;
......
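Review bot: The new `add_header X-Frame-Options DENY;`, `add_header X-Content-Type-Options nosniff;` and the two-year Strict-Transport-Security line in the second hunk lack the `always` parameter that the X-Xss-Protection line in the same hunk already uses, so those three headers are sent only on 2xx/3xx responses and are missing from error pages; the fix is to append `always` to each, e.g. `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;`. Note also that nginx does not merge add_header across levels, so any `location` block elsewhere in this server (outside the hunk) that sets its own add_header will silently drop all of these unless it repeats them. The change from `ssl_ecdh_curve secp384r1;` to `secp521r1` is worth re-checking for interoperability, since clients that do not negotiate P-521 will fall back to the slower EDH suites; nginx 1.11+ with OpenSSL 1.0.2+ accepts a list such as `ssl_ecdh_curve secp521r1:secp384r1:prime256v1;`. Finally, `ssl_stapling on;` needs a `resolver` directive somewhere in the configuration or nginx logs a resolver error and serves no stapled response — that directive is not visible in this diff, so confirm it exists.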