# One virtual host serving both the plain-HTTP and the TLS listener.
server {
    listen ${NGINX_PORT} default_server;
    listen ${NGINX_SSL_PORT} ssl default_server;
    server_name ${NGINX_HOST};

    # Server certificate and private key, as deployed under /etc/nginx/certs.
    ssl_certificate     /etc/nginx/certs/req.pem;
    ssl_certificate_key /etc/nginx/certs/cert.key;

    # SSLv3 is deliberately absent (POODLE). TLSv1 and TLSv1.1 remain enabled
    # here for client compatibility only; both are deprecated, so remove them
    # once no supported client still needs them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Forward-secret AEAD suites first; anonymous, export, RC4, 3DES and MD5
    # suites are excluded (Logjam and related downgrade issues).
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    # Server-side preference so the ordering above is actually honoured (Logjam).
    ssl_prefer_server_ciphers on;
    # Custom DH group for the DH+* suites instead of a small default (Logjam).
    ssl_dhparam /etc/nginx/certs/dhparams.pem;

    # Shared session cache across worker processes.
    ssl_session_cache shared:TLS:2m;

    # OCSP stapling. With ssl_stapling_verify on, nginx must be able to build
    # the issuer chain to validate responses: either the chain is bundled in
    # ssl_certificate or it is supplied via ssl_trusted_certificate. The
    # resolver is needed to look up the OCSP responder host.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;

    # HSTS for 365 days, including subdomains. Browsers only honour this header
    # on HTTPS responses, so it is inert on the plain listener. Note that
    # add_header without the `always` flag is applied to 2xx/3xx responses only.
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';

    client_max_body_size 200M;

    location / {
        root  /var/www/html;
        index index.html index.htm index.php;
    }
}