====== Transport Layer Security ======
This page documents some sane settings for modern TLS in nginx. I'm not particularly interested in backwards compatibility for this environment, so I won't spend much time on supporting broken browsers or operating systems that should have been deprecated by now. I realize this can be frustrating for some people, but given the revelations of the past couple of years regarding the use of insecure crypto, you're probably better off ignoring crypto completely than trying to implement questionable systems.
===== Basic nginx configuration =====
<code nginx>
# SSL configuration
# nginx 1.9.5 and later dropped the spdy module in favour of http2; on those
# versions replace "spdy" with "http2" or the listen directive is rejected
listen 443 ssl spdy default_server;
ssl_certificate /etc/ssl/localcerts/mycert.chained.crt;
ssl_certificate_key /etc/ssl/localcerts/mycert.key;
# OCSP stapling support. ssl_trusted_certificate must hold the issuer chain
# (up to the root) so nginx can verify the responder's signature, and nginx
# also needs a "resolver" directive to look up the responder's hostname;
# without one stapling silently fails and clients see "no response sent"
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/localcerts/ocsp-chain.crt;
# HTTP Strict Transport Security header. "preload" commits every subdomain to
# HTTPS for as long as browsers ship the preload list, which is effectively
# irreversible, so only add it once every host under the domain serves TLS.
# add_header is not inherited into a location block that sets its own
# add_header, so repeat it there or the header vanishes for those URLs
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
# allow only TLSv1.1 and TLSv1.2: SSLv2 and SSLv3 are weak and deprecated and
# TLSv1 has its own problems. Every TLSv1.1 cipher suite uses a SHA1 MAC,
# which !SHA1 below removes, so in practice only TLSv1.2 clients can connect;
# drop TLSv1.1 from this list if that is what you intend
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# disables all weak ciphers and prefers AES-GCM, falling back to the other
# elliptic-curve (ECDHE) AES suites with SHA-2 MACs if necessary. Run
# "openssl ciphers -v" on this string to see exactly what your OpenSSL build
# expands it to
ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL:!eNULL:!EXPORT:!MEDIUM:!LOW:!DES:!MD5:!SHA1:!PSK:!RC4";
</code>
===== TLS/SSL tips and tricks =====
TLS/SSL Server Test: https://www.ssllabs.com/ssltest/index.html
<code bash>
# test OCSP stapling from the outside. -servername sends SNI so the server
# picks the right certificate; a working setup prints an "OCSP Response Status:
# successful" block with a "Next Update" line, while "OCSP response: no response
# sent" means nginx is not stapling (usually a missing resolver or chain file)
echo QUIT | openssl s_client -connect quay.net:443 -servername quay.net -status 2> /dev/null | \
grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
</code>
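To check a deployment of the settings above from the outside, here is an added example script (not part of the original page, and not nginx's or OpenSSL's own code). It verifies that the server refuses SSLv3 and TLSv1, accepts TLSv1.2, sends an HSTS header at least as strong as the one in the config, and staples a usable OCSP response, replacing the grep -A 17 / -B 17 line-count trick with an awk parse of the s_client output. The host name is an argument; the header and OCSP samples embedded at the bottom are constructed, not captured from a real server, so the parsers can be exercised offline. It assumes openssl(1), curl(1) and a POSIX sh on the client.

```shell
#!/bin/sh
# check_tls.sh: verify the nginx TLS settings from a client's point of view.
# Added example, not part of the original page. Assumes openssl(1) and
# curl(1). The parsing helpers read command output from stdin so they can
# be run offline on the constructed samples at the bottom.

# hsts_ok MIN_AGE: succeed if the HTTP response headers on stdin carry a
# Strict-Transport-Security header with max-age >= MIN_AGE and
# includeSubDomains (what the config above sends). Header names are
# matched case-insensitively and a trailing CR is tolerated.
hsts_ok() {
    awk -v min="$1" '
        tolower($0) ~ /^strict-transport-security:/ {
            hdr = tolower($0)
            if (match(hdr, /max-age=[0-9]+/)) {
                age = substr(hdr, RSTART + 8, RLENGTH - 8) + 0
                if (age >= min && hdr ~ /includesubdomains/) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# ocsp_ok: succeed if the "openssl s_client -status" output on stdin holds a
# stapled OCSP response whose status is successful, whose certificate status
# is "good", and which carries a Next Update (a bounded validity window).
# "OCSP response: no response sent" therefore fails.
ocsp_ok() {
    awk '
        /^OCSP response:/ { inresp = 1 }
        inresp && /OCSP Response Status: successful/ { ok = 1 }
        inresp && /Cert Status: good/ { good = 1 }
        inresp && /Next Update:/ { nxt = 1 }
        END { exit ((ok && good && nxt) ? 0 : 1) }'
}

# protocol_refused HOST FLAG: succeed if a handshake limited to the version
# selected by FLAG (-ssl3, -tls1, -tls1_1) is rejected. Caveat: an OpenSSL
# built without that version cannot even attempt the handshake, which also
# reads as "refused"; check "openssl s_client -help" for the flag first.
protocol_refused() {
    ! openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null >/dev/null 2>&1
}

# check_host HOST: run the live checks. Network-dependent, so it only runs
# when a host is given on the command line: sh check_tls.sh example.com
check_host() {
    host=$1
    status=0
    for v in -ssl3 -tls1; do
        if protocol_refused "$host" "$v"; then echo "ok   $host refuses $v"
        else echo "FAIL $host accepted $v"; status=1; fi
    done
    if openssl s_client -connect "$host:443" -servername "$host" -tls1_2 </dev/null >/dev/null 2>&1; then
        echo "ok   $host accepts TLSv1.2"
    else echo "FAIL $host does not accept TLSv1.2"; status=1; fi
    if curl -sI "https://$host/" | hsts_ok 31536000; then
        echo "ok   HSTS header present with max-age >= 1 year and includeSubDomains"
    else echo "FAIL HSTS header missing or weaker than the config above"; status=1; fi
    if echo QUIT | openssl s_client -connect "$host:443" -servername "$host" -status 2>/dev/null | ocsp_ok; then
        echo "ok   OCSP response stapled"
    else echo "FAIL no usable OCSP staple (check resolver and ssl_trusted_certificate)"; status=1; fi
    return $status
}

# Constructed samples (not captured from a real server) for offline use.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Type: text/html'

SAMPLE_OCSP='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'

if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

The offline helpers return 0 or 1 like any other shell predicate, so they compose with the live commands; the Next Update line is only checked for presence here, and a stricter check would also compare it with the current time, since a stale staple is rejected by clients just like a missing one.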