@@ -0,0 +1,30 @@
1
+# Values here are based on Mozilla's "Modern compatibility" configuration.
2
+# https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
3
+#
4
+# NB: This configuration severely limits older browsers and configurations.
5
+# Specifically, the following are the oldest supported versions:
6
+#
7
+# * Firefox 27
8
+# * Chrome 30
9
+# * IE 11 on Windows 7
10
+# * Edge
11
+# * Opera 17
12
+# * Safari 9
13
+# * Android 5.0
14
+# * Java 8
15
+#
16
+# Older browsers or platforms won't be able to negotiate a connection.
17
+
18
+http {
19
+
20
+ ssl_protocols TLSv1.2;
21
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
22
+ ssl_prefer_server_ciphers on;
23
+ ssl_session_timeout 1d;
24
+ ssl_session_cache shared:SSL:50m;
25
+ ssl_session_tickets off;
26
+ ssl_stapling on;
27
+ ssl_stapling_verify on;
28
+ resolver 8.8.8.8;
29
+
30
+}
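Review bot: `ssl_stapling_verify on;` (line 27 of the new file) has no accompanying `ssl_trusted_certificate`, and nginx needs the issuer and intermediate chain from that directive to actually verify the stapled OCSP response, so as written the verification cannot succeed; add `ssl_trusted_certificate /path/to/issuer-chain.pem;` (placeholder path — point it at the CA chain for the server certificate, which is presumably configured elsewhere since no `ssl_certificate` appears in this file). The bare `resolver 8.8.8.8;` on line 28 also leaves OCSP lookups with nginx's default TTL handling and timeout over unauthenticated DNS to a public resolver; prefer a local or otherwise trusted resolver, and bound the fetch with `resolver 8.8.8.8 valid=300s;` and `resolver_timeout 5s;` so a slow upstream cannot stall the handshake path. Finally, the cipher list still ends with the CBC-mode `*-SHA384`/`*-SHA256` suites; if the intent is AEAD-only as the "Modern" label suggests, drop those last four entries, and a one-line comment above `ssl_ciphers` stating whether CBC fallback is deliberate would stop the next editor from guessing.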