Configure nginx for PFS and A Rating

By | 2013/07/16

Here is a quick nginx configuration that achieves an ‘A’ score on . This example is from Debian Wheezy, using OpenSSL 1.0.1e and nginx 1.2.1, and it also enables Perfect Forward Secrecy (PFS) as added protection against the NSA or other snooping: with an ephemeral (ECDHE or DHE) key exchange, a recorded session cannot be decrypted later even if the server's private key is obtained.

 listen      443;
 ssl on;                                 # on nginx 1.15+ write "listen 443 ssl;" instead
 ssl_certificate /etc/ssl/;              # certificate (chain) file
 ssl_certificate_key /etc/ssl/;          # private key, readable by root only
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # no SSLv2/SSLv3
 ssl_prefer_server_ciphers on;           # server's cipher order wins over the client's
 # No ssl_ciphers directive here, so nginx's default list (HIGH:!aNULL:!MD5 in 1.2.x)
 # applies; whether an ECDHE/DHE suite is chosen then depends on OpenSSL's ordering.
 ssl_session_cache shared:SSL:10m;       # shared resumption cache across workers

 add_header Strict-Transport-Security max-age=43200;   # HSTS, 12 hours



If you are stuck with Apache 2.2, one option is to put nginx in front of Apache as a TLS-terminating reverse proxy, since support for the ECDHE cipher suites in nginx and OpenSSL is better at this point than in Apache 2.2's mod_ssl.
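As an added example (not the post's own configuration), here is a complete nginx server block that makes the PFS choice explicit and fronts an Apache 2.2 instance, which covers both the configuration above and the reverse-proxy option. The weak setting (no ssl_ciphers, so the default list decides) is shown commented out beside the corrected ECDHE-first list. The certificate and key paths, the dhparam file, the server name and the Apache address 127.0.0.1:8080 are assumptions for illustration:

```nginx
# Added example, not the original post's config. Targets nginx 1.2.x / OpenSSL 1.0.1.
# Assumed paths and addresses: /etc/ssl/example.crt, /etc/ssl/example.key,
# /etc/ssl/dhparam.pem, and Apache 2.2 bound to 127.0.0.1:8080.
server {
    listen      443 ssl;            # same as "ssl on;" on 1.2.x; the form current nginx expects
    server_name example.com;

    ssl_certificate     /etc/ssl/example.crt;
    ssl_certificate_key /etc/ssl/example.key;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 off; TLSv1.2 is what carries the GCM suites

    # Weak: relying on the default list means OpenSSL's ordering decides whether an
    # ephemeral suite is negotiated, so PFS is not guaranteed for every client.
    # ssl_ciphers HIGH:!aNULL:!MD5;

    # Corrected: ECDHE first, DHE second, non-PFS AES last only for old clients;
    # together with ssl_prefer_server_ciphers this order is what gets negotiated.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;

    # Without this, the DHE suites use nginx's built-in 1024-bit group.
    # Generate with: openssl dhparam -out /etc/ssl/dhparam.pem 2048
    ssl_dhparam /etc/ssl/dhparam.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS: 12 hours (43200 s) barely outlives a browsing day; a year keeps
    # returning visitors pinned to HTTPS between visits.
    add_header Strict-Transport-Security "max-age=31536000";

    # Terminate TLS here and hand plain HTTP to Apache 2.2 on the loopback
    # interface, so Apache's own mod_ssl cipher limitations no longer matter.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After reloading, confirm the negotiated suite rather than trusting the config: `openssl s_client -connect example.com:443 </dev/null 2>/dev/null | grep -E '^ *(Protocol|Cipher)'` should show a `Cipher` line beginning with `ECDHE-` (or `DHE-`); a plain `AES256-SHA` or `RC4-SHA` means the client fell through to a non-PFS suite. When Apache sits behind nginx this way, make sure Apache listens only on 127.0.0.1:8080 and trusts X-Forwarded-Proto solely from that proxy, otherwise the TLS termination can be bypassed by connecting to Apache directly.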