This is my example Nginx reverse-proxy + hardened https config (you need nginx/1.9.9):
# redirect all http requests to https
server {
listen 80;
server_name www.werise.de;
server_name alias.werise.de;
return 301 https://$server_name$request_uri;
}
# define a new cache (use different names and paths for different caches!
proxy_cache_path /var/nginx_cache/blog.werise.de levels=1:2 keys_zone=blog_cache:10m max_size=512m inactive=60m use_temp_path=off;
# https server block
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name blog.werise.de;
ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
# create a new dhparam by executing:
# openssl dhparam -out /etc/nginx/cert/dhparam.pem_4096.pem 4096
ssl_dhparam /etc/nginx/cert/dhparam_4096.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
resolver 8.8.8.8 8.8.4.4;
add_header Strict-Transport-Security "max-age=31536000" always;
location / {
proxy_cache blog_cache;
proxy_cache_min_uses 3;
proxy_cache_lock on;
proxy_pass http://my-upstream-server/;
}
}