09-https.conf

# Recommended documentation: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

# redirect all http traffic to https
server {
       listen 80;
       listen [::]:80;
       server_name example.com;

       # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response
       return 301 https://$host$request_uri;
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name example.com;

	ssl on;
	ssl_certificate	     /etc/nginx/certs/example.com.crt;
	ssl_certificate_key  /etc/nginx/certs/example.com.key;

	## Session
	# enable session resumption - improve https performance
	#
	# read more:
	#   - http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
	#
	# about ssl_sesssion_cache:
	#   according http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache,
	#   1M can cache 4000 session, adjust it according your condition.
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 5m;

	## SSL Protocols
	# specify ssl protocols - remove unsecure protocols
	#
	# disable SSLv2 due to FUBAR.
	# disable SSLv3 due to POODLE.
	#
	# read more:
	#   - http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
	#   - https://blog.qualys.com/ssllabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	## Diffie-Hellman for TLS
	#
	# read more:
	#   - https://weakdh.org/sysadmin.html
	#   - http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html

	# ciphers chosen for forward secrecy and compatibility
	#
	# Following configuration is just an example, please generate proper configuration
	# for yourself by using Mozilla SSL Configuration Generator. The link is here:
	#
	#   - https://mozilla.github.io/server-side-tls/ssl-config-generator/
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

	# enables server-side protection from BEAST attacks
	ssl_prefer_server_ciphers on;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits,
	# dhparam.pem is generated by:
	#
	#     openssl dhparam -out dhparam.pem 2048
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;

	## OCSP Stapling
	# enable ocsp stapling - convey certificate revocation information to visitors
	# in a privacy-preserving, scalable manner
	#
	# read more:
	#   - http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
	#   - https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/certs/example.com.crt;
	resolver 114.114.114.114 114.114.114.115 223.5.5.5 223.6.6.6 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;

	## HSTS
	# enable HSTS - avoid ssl stripping
	#
	# read more:
	#  - https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
	#  - https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
	#  - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
	#  - https://tools.ietf.org/html/rfc6797
	#
	# about max-age:
	#   max-age=31536000 means 1 year
	#   max-age=0 means clean the HSTS setting in browers, this can help you fix your wrong HSTS setting
	add_header Strict-Transport-Security "max-age=31536000;" always;

	# if you want to enable HSTS for all subdomains, use following line instead of above line.
	# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;" always;
	...
}