############################################################################## # _ __ _ # # / |/ /__ _(_)__ __ __ # # / / _ `/ / _ \\ \ / # # /_/|_/\_, /_/_//_/_\_\ # # __/___/ __ ___ __ ___ __ __ # # / _ )___ ____/ / / _ )___ / /_ / _ )/ /__ ____/ /_____ ____ # # / _ / _ `/ _ / / _ / _ \/ __/ / _ / / _ \/ __/ '_/ -_) __/ # # /____/\_,_/\_,_/ /____/\___/\__/ /____/_/\___/\__/_/\_\\__/_/ # # # ############################################################################## # ------------------------------------------------------------------------------ # MIT License # ------------------------------------------------------------------------------ # Copyright (c) 2017 Mitchell Krog - mitchellkrog@gmail.com # https://github.com/mitchellkrogza # ------------------------------------------------------------------------------ # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal # in the Software without restriction, including without limitation the rights # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell # copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # ------------------------------------------------------------------------------ # The above copyright notice and this permission notice shall be included in all # copies or substantial portions of the Software. # ------------------------------------------------------------------------------ # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # SOFTWARE. # ------------------------------------------------------------------------------ # ---------------------------------------- # Recommended SSL Settings for Nginx Sites # ---------------------------------------- # Last Updated: 2019-07-04 # globalssl.conf # Global ssl configuration file. # Should be included in each and every server {} block of your https/ssl sites. # Only use this if you know what you are doing with SSL, this is merely an example of # good SSL settings for nginx ssl sites. # NO SUPPORT IS OFFERED IN THIS REPO FOR SETTING UP AND RUNNING SSL # There is lots of help for Let's Encrypt at: https://community.letsencrypt.org/ # To use this set of rules, add the include below into each server block. # add this at the very top of your HTTPS server blocks before any other location rules # include /etc/nginx/ssl.d/globalssl.conf; ## # DIFFIE HELMAN ENCRYPTION / DHE ## # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits # Requires generating your dhparam.pem # INSTRUCTIONS: # ------------- # cd /etc/nginx/ssl # sudo openssl dhparam -out dhparam.pem 4096 # WAIT FOR IT TO FINISH - Can take a long time ssl_dhparam /etc/nginx/ssl/dhparam.pem; ## # SSL SESSION SETTINGS ## ssl_session_timeout 10m; ssl_session_cache shared:SSL:128m; ssl_session_tickets off; ## # SSL PROTOCOL SUPPORT # Support modern and intermediate browsers # If you want to allow some older browsers add TLSv1 (but then you will need to review the ciphers below and use the OLD set of ciphers from Mozilla) ## ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; ## # ----------- # SSL CIPHERS # ----------- # Ciphers below are the strongest and most recommened set as of 2019-07-04 (cipher recommendations change regularly) # This is my own set of ciphers based on recommendations from https://www.immuniweb.com/ssl/ # and https://www.ssllabs.com/ssltest/ # You can optionally use ciphers recommended by https://mozilla.github.io/server-side-tls/ssl-config-generator/ # As we approach wider implementation and use of TLSv1.3 things will change even more # As of this version and writing - Nginx only supports TLSv1.3 with openssl 1.1.1+ ## ## # CIPHER COMPLIANCE # ------------------------------------ # COMPLIANT to PCI DSS compliance # COMPLIANT to HIPAA guidance # COMPLIANT to NIST guidelines # COMPLIANT to industry best practices # ------------------------------------ ## # Enable modern TLS cipher suites - without ECDHE-RSA-CHACHA20-POLY1305 (POLY1305 is not recommended anymore) # This cipher set is highly tested and supports modern and older clients without using weak ciphers of any sort ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; # TLSv1.2 only recommends this to be off ssl_prefer_server_ciphers on; ## # HSTS (HTTP Strict Transport Security) # https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security ## add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload; always;"; ## # OCSP Stapling # fetch OCSP records from URL in ssl_certificate and cache them ## ssl_stapling on; ssl_stapling_verify on; # Do not use resolvers for OCSP see comment in - https://scotthelme.co.uk/ocsp-stapling-speeding-up-ssl/ # http://disq.us/url?url=http%3A%2F%2Fblog.zorinaq.com%2Fnginx-resolver-vulns%2F%3AP2dn26U8hf5EMF__e_ZIRGBpc3E&cuid=2541595 # resolver 8.8.8.8 8.8.4.4 valid=300s; # resolver_timeout 5s;