# Only TLS 1.2 and TLS 1.3 are offered. POODLE is an SSLv3 flaw and BEAST a TLS 1.0 CBC flaw, so leaving both protocols
# out of the list rules both attacks out. If you need to support older browsers (IE6) you may need to add SSLv3 to the list
# of protocols below.
ssl_protocols TLSv1.3 TLSv1.2;
# Ciphers set to best allow protection from BEAST while providing forward secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
# Note: with nginx built against OpenSSL, ssl_ciphers only governs TLS 1.2 and older; the TLS13-* entries are ignored and
# TLS 1.3 suites are selected via "ssl_conf_command Ciphersuites ..." (nginx 1.19.4+) instead.
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
# Optimize TLS by caching session parameters for 10 minutes. This cuts down on the number of expensive TLS handshakes.
# The full handshake is the most CPU-intensive operation, and by default it is performed again on every new/parallel connection.
# By enabling a cache (of type "shared between all Nginx workers"), the server can resume the already negotiated state when the client presents its session ID.
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
ssl_session_cache shared:SSL:10m; # a 1MB cache can hold about 4000 sessions, so 10MB can hold about 40000 sessions
ssl_session_timeout 24h;
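As an added example (not part of the paste), here is a small lint that parses nginx ssl_* directives like the ones above and flags what the comments warn about: legacy protocols, cipher entries without forward secrecy, CBC (non-AEAD) suites, and an over-long session timeout. SAMPLE_CONF is a constructed, shortened copy of the directives above, and the thresholds and marker lists are this example's own policy, not nginx's.

```python
import re

# Constructed sample input: the paste's directives with the cipher list shortened.
SAMPLE_CONF = """
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers TLS13-AES-256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;  # trailing comment, must be ignored
ssl_session_timeout 24h;
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
FS_MARKERS = ("ECDHE", "EECDH", "DHE", "EDH")   # key exchange with forward secrecy
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")        # non-CBC bulk ciphers
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_ssl_directives(conf):
    """Map each ssl_* directive to its value, with comments and the trailing ';' stripped."""
    stripped = re.sub(r"#.*", "", conf)
    return dict(re.findall(r"^\s*(ssl_\w+)\s+([^;]+);", stripped, re.M))

def nginx_time_to_seconds(value):
    """Convert an nginx time such as '24h' or '10m' to seconds (bare digits mean seconds)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def lint(conf):
    """Return a list of policy findings for the TLS directives in conf (empty list = clean)."""
    d = parse_ssl_directives(conf)
    findings = []
    for p in d.get("ssl_protocols", "").split():
        if p in LEGACY_PROTOCOLS:
            findings.append(f"protocol {p} offered (POODLE/BEAST-era; disable)")
    for c in d.get("ssl_ciphers", "").split(":"):
        if c.startswith(("TLS13-", "TLS_")):
            continue  # TLS 1.3 suites are not governed by ssl_ciphers in nginx built against OpenSSL
        if not any(m in c for m in FS_MARKERS):
            findings.append(f"cipher {c} lacks forward secrecy")
        if "-" in c and not any(m in c for m in AEAD_MARKERS):
            findings.append(f"cipher {c} is a CBC suite (no AEAD)")
    # nginx's default ssl_session_timeout is 5m; flag anything longer than a day
    if nginx_time_to_seconds(d.get("ssl_session_timeout", "5m")) > 86400:
        findings.append("ssl_session_timeout exceeds one day")
    return findings

if __name__ == "__main__":
    for f in lint(SAMPLE_CONF):
        print(f)
```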