- Webserver
- Nginx
- ssl-nginx-strict.conf
SSLLabs A+ & no WEAK Cyphers
Just place it in /etc/nginx/conf.d/
- ssl-nginx-strict.conf
- Nginx
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
#ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDH>
ssl_ecdh_curve X25519MLKEM768:X25519:secp384r1:secp256r1; # X25519MLKEM768 OpenSSL >= 3.5
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.53 valid=300s; # or 1.1.1.1 / 8.8.8.8 / your own
resolver_timeout 5s;
## The following might be set per vhost
#add_header Strict-Transport-Security "max-age=15768000; preload;"; # Required for A+ on SSLLabs SSLTest.
## Optional security:
#add_header Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; script-src 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self';";
#add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
#add_header X-Frame-Options SAMEORIGIN;
#add_header X-Content-Type-Options nosniff;
#add_header X-XSS-Protection "1; mode=block";