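# TLS / hardening snippet, intended to be included from a server block that
# also carries the `listen` and certificate directives.
#
# DOC: http://wiki.nginx.org/HttpSslModule
# DOC: https://wiki.mozilla.org/Security/Server_Side_TLS
# DOC: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# DOC: https://www.openssl.org/docs/apps/ciphers.html

keepalive_timeout 70;

# Response headers.
# NOTE: nginx inherits add_header from the enclosing level only when the
# current level defines no add_header of its own, so any location block that
# adds its own header must repeat these. `always` keeps them on error
# responses too (nginx >= 1.7.5).
# HSTS value has no trailing ';' inside the quotes -- the directive parameter
# is the raw header value and the semicolon ends the nginx statement.
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Frame-Options SAMEORIGIN always;

# `ssl on;` is deprecated since nginx 1.15.0 in favour of `listen 443 ssl;`
# in the server block; kept here because the listen directive is not part of
# this file.
ssl on;

# Cipher order: AES-GCM with (EC)DHE first, then CBC with (EC)DHE, then
# non-PFS AES, then OpenSSL's HIGH group; anonymous, export, DES/3DES, MD5,
# PSK and RC4 suites are removed outright.
# NOTE: prioritizes algorithms that provide Perfect Forward Secrecy.
# NOTE: OpenSSL silently drops cipher names it does not recognise, so typos
# in this list never produce a startup error -- check the effective list with
# `openssl ciphers -v '<string>'` after editing it.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;

# DHE parameters for the kEDH/DHE-RSA suites above; without an explicit file
# nginx falls back to a much smaller built-in group.
ssl_dhparam /etc/nginx/dhparam.4096.pem;
ssl_prefer_server_ciphers on;

# TLS 1.0 and 1.1 are deprecated (RFC 8996) and dropped here.
# TLSv1.3 needs an OpenSSL with TLS 1.3 support (1.1.1+); remove the token on
# older builds.
ssl_protocols TLSv1.2 TLSv1.3;

# Session resumption via a server-side cache shared across workers.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# NOTE: session tickets (`ssl_session_tickets`, on by default) are encrypted
# with a key that nginx does not rotate by itself; a long-lived ticket key
# weakens the forward secrecy the cipher order aims for. Left at the default
# here -- consider disabling tickets or rotating `ssl_session_ticket_key`.

# OCSP stapling; enabling it also requires `ssl_trusted_certificate` and a
# `resolver` so nginx can fetch and verify the responder's answer.
#ssl_stapling on;
#ssl_stapling_verify on;

# vim: ft=nginx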