{% set domain_name = item.nginx_domain_name %} # concatenated key + cert # See: http://nginx.org/en/docs/http/configuring_https_servers.html ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem; ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem; ssl_session_timeout 24h; # 24 hour timeout ssl_session_cache shared:SSL:1m; # 1MB -> 4,000 sessions ssl_buffer_size 1400; # 1400 bytes to fit in one MTU ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_protocols {{ nginx_tls_protocols }}; ssl_ciphers "{{ tls_cipher_suite }}"; ssl_prefer_server_ciphers on; {# don't use OCSP stapling if we're using a self-signed cert #} {% if tls_cert is defined %} # OCSP stapling... ssl_stapling on; ssl_stapling_verify on; resolver 208.67.222.222 208.67.220.220; {% endif %} # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and # when a restart is performed the previous key is lost, which resets all previous # sessions. The fix for this is to setup a manual rotation mechanism: # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx # # Note that you'll have to define and rotate the keys securely by yourself. In absence # of such infrastructure, consider turning off session tickets: ssl_session_tickets off; # enable SPDY header compression spdy_headers_comp 6; # Enable this if you want HSTS (recommended, but be careful) add_header Strict-Transport-Security max-age=15768000 always;