# POODLE, PFS etc
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'AES128+EECDH:AES128+EDH';

# Diffie Hellman
ssl_dhparam /etc/ssl/certs/dhparam.pem;

# SSL stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/combined_startssl.pem;

resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 3s;

# Enable HSTS
add_header Strict-Transport-Security max-age=63072000;

# Do not permit Content-Type sniffing.
add_header X-Content-Type-Options nosniff;

# https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;