Note: The content in this article is likely deprecated. Please refer to https://ssl-config.mozilla.org for the latest SSL best practice.
```nginx
# generated 2020-10-27, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.0.2k, intermediate configuration, no HSTS, no OCSP
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.0.2k&hsts=false&ocsp=false&guideline=5.6
    # DH parameters file; needed for the DHE-* ciphers listed below
    ssl_dhparam /path/to/dhparam;

    # intermediate configuration
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
}   # closes the enclosing server block, whose opening lines are not shown here
```
To add support for IE 11 on Windows 7 / 8.1, add the following ciphers to the ssl_ciphers list:
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
Realized that dhparam is a must for nginx to enable DHE ciphers, oopsie…
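
A small check for the dhparam mistake noted above, as an added example that is not part of the original article: it reads an nginx config and reports DHE ciphers that are listed in ssl_ciphers while no ssl_dhparam directive is present. The function names, the shortened cipher list and the sample config are constructed for illustration.

```python
import re

# Constructed sample: directives from the config above (cipher list shortened)
# placed inside a server block.
CONF = """
server {
    ssl_dhparam /path/to/dhparam;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
}
"""
# Same config with ssl_dhparam commented out (the mistake described above).
CONF_NO_DHPARAM = CONF.replace("ssl_dhparam", "# ssl_dhparam")


def directives(conf):
    """Map directive name -> argument string of its last occurrence.

    Simplification: no quoted strings, no includes, no per-block scoping.
    """
    text = re.sub(r"#[^\n]*", "", conf)       # drop comments first
    found = {}
    for stmt in re.split(r"[;{}]", text):     # one statement per chunk
        parts = stmt.split()
        if len(parts) >= 2:                   # skips bare block names like "server"
            found[parts[0]] = " ".join(parts[1:])
    return found


def dhe_ciphers_without_dhparam(conf):
    """Return explicitly named DHE ciphers that have no ssl_dhparam to back them.

    Only explicit cipher names are checked; OpenSSL keywords such as kDHE
    are not expanded.
    """
    d = directives(conf)
    dhe = [c for c in d.get("ssl_ciphers", "").split(":") if c.startswith("DHE-")]
    return [] if "ssl_dhparam" in d else dhe


if __name__ == "__main__":
    for name, conf in (("with dhparam", CONF), ("without dhparam", CONF_NO_DHPARAM)):
        print(name, "->", dhe_ciphers_without_dhparam(conf) or "ok")
```

The ECDHE ciphers are unaffected, so a server missing ssl_dhparam still completes handshakes; only the DHE entries are silently never offered.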