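- # TLS and security-header hardening for an nginx server block.
- # Place these directives after your listen, server_name and ssl_certificate lines.
- # Site with following configuration: https://www.ssllabs.com/ssltest/analyze.html?d=cellarium.org https://securityheaders.io/?q=cellarium.org&followRedirects=on
- # NOTE(review): no ssl_protocols directive is shown here. Set it explicitly (e.g. TLSv1.2 and, where the
- # nginx/OpenSSL build supports it, TLSv1.3) rather than relying on the build default; ssl_ciphers below
- # only governs TLS 1.2 and earlier suites.
- # Strict list: ECDHE key exchange with AEAD ciphers only (forward secrecy, no CBC).
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
- # Alternative for compatibility with older clients: adds AES128-GCM and the CBC-mode SHA256/SHA384 suites.
- # ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- # Only P-521 and P-384 are offered; clients that support only X25519 or P-256 will fail the handshake.
- ssl_ecdh_curve secp521r1:secp384r1;
- ssl_prefer_server_ciphers on;
- # Server-side session cache shared between workers; cached sessions can be resumed for up to 60 minutes.
- ssl_session_cache shared:SSL:32m;
- ssl_buffer_size 8k;
- ssl_session_timeout 60m;
- # Tickets off: no long-lived ticket key whose compromise would expose resumed sessions.
- ssl_session_tickets off;
- # OCSP stapling. ssl_stapling_verify needs the issuer chain to be trusted: if ssl_certificate does not
- # contain the intermediates, also configure ssl_trusted_certificate, or verification will fail.
- ssl_stapling on;
- ssl_stapling_verify on;
- # Resolver used to look up the OCSP responder. Queries go in plaintext to a third-party public resolver;
- # a resolver on a trusted local network reduces the DNS-spoofing exposure.
- resolver 9.9.9.9 valid=300s;
- resolver_timeout 5s;
- # Response headers. Without "always", nginx adds a header only to 2xx/3xx responses, so every header
- # below carries "always" to cover error pages as well.
- # Caveat: add_header directives are inherited from this level only by blocks that define no add_header
- # of their own; a location with its own add_header must repeat all of these.
- add_header X-Frame-Options "SAMEORIGIN" always;
- # Two-year HSTS applied to every subdomain: confirm all subdomains serve valid HTTPS before deploying.
- add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; " always;
- # This policy forces HTTPS (or data:) sources but, with 'unsafe-inline' and 'unsafe-eval', does not
- # mitigate script injection; tighten with nonces or hashes once inline scripts are removed.
- add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
- # Legacy header: current browsers have removed the XSS auditor, so rely on the CSP instead.
- add_header X-Xss-Protection "1; mode=block" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header 'Referrer-Policy' 'no-referrer' always;
- # Expect-CT is deprecated; browsers that enforce Certificate Transparency do so without it.
- add_header Expect-CT 'enforce; max-age=3600' always;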