summaryrefslogtreecommitdiffstats
path: root/roles/common-web/files/etc/nginx/ssl/config
blob: 863961b3e633d9c41a5c5dcc5b9ef3605fe23c8e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
ssl on;

# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
keepalive_timeout 			75 75;
ssl_session_timeout			5m;
ssl_session_cache 			shared:SSL:5m;

# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
# in favor of RC4, but that's not satisfactory either since RC4 has
# other weaknesses.
ssl_protocols 				SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 				HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
ssl_prefer_server_ciphers 	on;

# Strict Transport Security header for enhanced security. See
# http://www.chromium.org/sts.
add_header Strict-Transport-Security "max-age=12960000";