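# ssl-tls-v1.3.server.conf
# TLSv1.3 tested successfully with Firefox 63 and Chrome 70.
# This is a fragment of an nginx server {} block (listen/ssl_* directives
# only); it has to be included from the server that terminates TLS.

listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;

# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_certificate ssl.cert/server.crt;
ssl_certificate_key ssl.cert/server.key;

# Only allow current TLS protocol versions.
# See http://nginx.org/en/docs/http/configuring_https_servers.html
# and https://wiki.openssl.org/index.php/TLS1.3
# FIX: this directive was commented out, so nginx silently fell back to
# its built-in default protocol list (version dependent; older releases
# include TLSv1 and TLSv1.1). It is now set explicitly so the intent
# above actually takes effect. Use "ssl_protocols TLSv1.3;" if TLSv1.2
# clients do not need to be supported.
ssl_protocols TLSv1.2 TLSv1.3;

# Cipher list. The TLS_* names are the TLSv1.3 suites; with OpenSSL they
# are not selected from this directive (TLSv1.3 suites come from a
# separate OpenSSL setting) and are kept here as documentation only.
# FIX: the 3DES entries (EECDH+3DES, RSA+3DES) were removed -- 3DES is a
# 64-bit block cipher (SWEET32) and no client from the tested browser
# generation needs it. The RSA+AES entries give no forward secrecy and
# remain only for legacy clients; drop them if such clients are not needed.
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
# Make the server-side order above authoritative instead of the client's.
ssl_prefer_server_ciphers on;
ssl_ecdh_curve prime256v1:secp384r1;
ssl_dhparam ssl.cert/dhparam.pem;

# HSTS -- exactly one header.
# FIX: the original emitted two Strict-Transport-Security headers (one with
# and one without includeSubDomains). nginx sends both, and per RFC 6797
# a browser processes only the first, so the includeSubDomains variant was
# being ignored. The stronger variant is kept; remove "; includeSubDomains"
# if any subdomain must still be reachable over plain HTTP.
# "always" makes nginx add the header on error responses too.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;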