#ssl_dhparam /etc/nginx/dhparam.pem;
# modern tweak to your needs.
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.14.0&openssl=1.1.1&hsts=yes&profile=modern
- #ssl_protocols TLSv1.2 TLSv1.3;
- #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- #ssl_prefer_server_ciphers on;
+ # https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate
- # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
- #add_header Strict-Transport-Security max-age=15768000;
+ # intermediate configuration
+ # ssl_protocols TLSv1.2 TLSv1.3;
+ # ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ # ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ # add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them