Commit 257a5733 authored by Aral Balkan's avatar Aral Balkan

Updated to HTTP2 + cipher suite that works in Chrome 53.x

parent 3b62063c
......@@ -2,7 +2,11 @@
# Better.fyi Web Site. (HTTPS server.)
#
server {
listen 443;
# Via Mozilla SSL Configuration Generator
# (https://mozilla.github.io/server-side-tls/ssl-config-generator/)
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {SERVER_NAMES};
ssl on;
ssl_certificate /etc/letsencrypt/certs/better.fyi/fullchain.pem;
......@@ -15,18 +19,29 @@ server {
# (See https://weakdh.org/sysadmin.html for details on generating your own.)
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
# As recommended by cipherli.st (Aug, 2016).
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# As recommended by cipherli.st (Aug, 2016).
# Also see http://security.stackexchange.com/a/100995
ssl_ecdh_curve secp384r1;
ssl_ecdh_curve secp521r1;
# Other cipherli.st recommendations
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# Implement HSTS
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; # (63072000 seconds = 2 years)
# Implement OCSP Stapling
# (Speed up SSL and improve privacy by not requiring calls to certificate authority)
ssl_stapling on;
ssl_stapling_verify on;
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/letsencrypt/certs/better.fyi/chain.pem;
# --- End of SSL-specific setup ---
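Review bot: The headers set at server scope in this hunk (`add_header Strict-Transport-Security ...`, `add_header X-Frame-Options DENY;`, `add_header X-Content-Type-Options nosniff;`) are silently dropped inside any `location` block that declares an `add_header` of its own, because nginx inherits add_header directives only when the current level defines none; if such blocks exist outside the hunk, the HSTS line needs repeating there, and a comment such as `# add_header is not inherited by a location that sets its own headers; repeat these in any such location` would prevent the regression. The `ssl_ecdh_curve` change keeps a single named curve, and with the new cipher list (`EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH`) a client that does not offer that curve is left with DHE only, so listing more than one curve (e.g. `ssl_ecdh_curve secp384r1:prime256v1;`, accepted from nginx 1.11.0 with OpenSSL 1.0.2) is safer; which of the two curve lines is the new side is not recoverable from this page. The `ssl on;` context line in the first hunk is redundant once `listen 443 ssl http2;` carries the `ssl` parameter. The `server` block continues outside this hunk.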