Compilenix's Blog - My nginx SSL and http header config snippet


My nginx SSL and http header config snippet


# HTTPS server block: TLS 1.2 only, ECDHE/DHE AES-GCM ciphers, OCSP stapling,
# and a fixed set of security response headers. The headers are set with
# more_set_headers, i.e. this block needs the headers-more module loaded;
# stock nginx would use add_header instead.
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;

	# Leaf + intermediate chain and its private key. ssl_trusted_certificate
	# reuses the same fullchain.pem; nginx uses that file to verify the stapled
	# OCSP response (see ssl_stapling_verify below), so it must contain the
	# issuer chain — NOTE(review): if fullchain.pem does not include the issuing
	# CA certificates, verification fails quietly; check the error log.
	ssl_certificate /etc/nginx/ssl/fullchain.pem;
	ssl_certificate_key /etc/nginx/ssl/privkey.pem;
	ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
	# DH parameters for the EDH / AES256+EDH suites in ssl_ciphers; a weak
	# (<2048-bit) group here undermines those suites regardless of the cipher list.
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;

	# TLS 1.2 only: TLS 1.0/1.1 clients are refused outright.
	ssl_protocols TLSv1.2;

	# Session resumption: 50 MB shared cache, entries valid for one day.
	# NOTE(review): session tickets are left at the nginx default (enabled) and
	# the default ticket key only changes on restart, so resumed sessions over a
	# long window lose forward secrecy — consider `ssl_session_tickets off` or a
	# regularly rotated ticket key file. Confirm against the deployed setup.
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 1d;
	# Applies to TLS sessions to proxied upstreams, not to client sessions.
	proxy_ssl_session_reuse off;

	# Server chooses the suite: ECDHE/DHE AES-GCM first, then AES256 with
	# (EC)DHE key exchange; anonymous, NULL, export, DES/3DES, RC4, MD5 and PSK
	# suites are excluded explicitly.
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

	# OCSP stapling with verification of the fetched response.
	# NOTE(review): nginx resolves the OCSP responder hostname through the
	# `resolver` directive, which this block does not set — confirm it is defined
	# at http level, otherwise stapling is silently unavailable.
	ssl_stapling on;
	ssl_stapling_verify on;

	# HSTS for ~6 months (15768000 s) including subdomains, with preload flag.
	# NOTE(review): the browser preload list currently requires a max-age of at
	# least one year for submission; verify before relying on `preload`.
	more_set_headers "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload";
	# HPKP with four pins for 90 days (7776000 s) including subdomains.
	# NOTE(review): HPKP is deprecated and no longer enforced by major browsers;
	# where it is enforced, a certificate/key rotation that matches none of the
	# pins locks clients out for the full max-age, so the backup pins' keys must
	# be kept offline and available. Consider dropping the header.
	more_set_headers 'Public-Key-Pins: pin-sha256="+oXoiEF2sFHvQGpvaTU/4m0DKMnWBQoIHh7gNyZWun8="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; pin-sha256="pM+iwkeddeZ4Dye7uu1YlGs0hj7w6QL06qDO7DcwGII="; max-age=7776000; includeSubDomains';
	# CSP: same-origin plus the listed hosts, frames and form posts to self only.
	# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in default-src give this
	# policy little protection against injected scripts; `reflected-xss` and
	# `referrer` are not part of the current CSP specification (use a
	# Referrer-Policy header for the latter), and `block-all-mixed-content` is
	# superseded by upgrade-insecure-requests. Confirm against current browser
	# support before tightening.
	more_set_headers "Content-Security-Policy: default-src 'self' data: 'unsafe-inline' 'unsafe-eval' *.compilenix.org compilenix.org dharma.no-trust.org *.googleapis.com *.gstatic.com *.gravatar.com code.jquery.com; frame-ancestors 'self' ; form-action 'self' ; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer;";
	# Clickjacking fallback for clients that do not honour frame-ancestors.
	more_set_headers "X-Frame-Options: SAMEORIGIN";
	# Legacy browser XSS filter; deprecated in current browsers, harmless to keep.
	more_set_headers 'X-XSS-Protection: 1; mode=block';
	# Disables MIME-type sniffing of responses.
	more_set_headers "X-Content-Type-Options: nosniff";
}

Ref: