server { listen ${NGINX_PORT} default_server; listen ${NGINX_SSL_PORT} ssl default_server; server_name ${NGINX_HOST}; ssl_certificate ${CERTIFICATE_PATH}; ssl_certificate_key ${CERTIFICATE_KEY_PATH}; ssl_protocols ${SSL_PROTOCOLS}; ssl_ciphers ${SSL_CIPHERS}; ssl_prefer_server_ciphers off; ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam ssl_session_timeout 1d; ssl_session_tickets off; ssl_session_cache shared:TLS:10m; # About 40k sessions # OCSP stapling ssl_stapling on; ssl_stapling_verify on; # Set HSTS to 365 days add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always; # resolver 127.0.0.1; # DDoS client_body_buffer_size 1K; client_header_buffer_size 1k; client_max_body_size 1k; large_client_header_buffers 2 1k; location / { root /var/www/html; index index.html index.htm index.php; } }