Nginx SSL Labs A+
To get a highly secure SSL installation on Nginx, use the following config. With these settings you also get an A+.

It is important to create the Diffie-Hellman ephemeral parameters for forward secrecy.
You can create the dhparam.pem with openssl:
openssl dhparam -out www_safematix_com_dhparam.pem 4096

# "ssl on" is obsolete since nginx 1.15.0 and was removed in 1.25.1;
# on newer versions use the ssl parameter of the listen directive instead.
ssl on;
ssl_certificate /etc/nginx/ssl/safematix/www_safematix_com.crt;
ssl_certificate_key /etc/nginx/ssl/safematix/www_safematix_com.key;
ssl_trusted_certificate /etc/nginx/ssl/safematix/ca.pem;
ssl_dhparam /etc/nginx/ssl/safematix/www_safematix_com_dhparam.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
# Send only one Strict-Transport-Security header: a browser processes only the
# first one it receives (RFC 6797). The alternatives below stay commented out.
# add_header Strict-Transport-Security max-age=15768000; # six months
# use this only if all subdomains support HTTPS!
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
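A quick pre-reload check for a config like the one above, as an added example that is not part of the original post: it flags legacy protocol versions, repeated HSTS headers, DHE ciphers without `ssl_dhparam`, and OCSP stapling without a `resolver`. The function names `lint_tls_conf` and `sample_conf`, the finding labels and the sample config are made up for this illustration.

```shell
#!/bin/sh
# lint_tls_conf: read an nginx config on stdin, print one finding per line.
# Assumes one directive per line and no '#' inside quoted values.
lint_tls_conf() {
  awk '
    { sub(/#.*/, ""); sub(/;[ \t]*$/, "") }   # drop comments and the closing ";"
    NF == 0 { next }
    $1 == "ssl_protocols" {
      for (i = 2; i <= NF; i++)
        if ($i == "SSLv2" || $i == "SSLv3" || $i == "TLSv1" || $i == "TLSv1.1")
          print "LEGACY_PROTOCOL " $i
    }
    $1 == "ssl_dhparam" { dh = 1 }
    $1 == "resolver"    { resolver = 1 }
    $1 == "ssl_stapling" && $2 == "on" { staple = 1 }
    # EDH/DHE keywords that are not negated and not part of ECDHE
    $1 == "ssl_ciphers" && $0 ~ /[^!A-Za-z-](EDH|DHE)/ { dhe = 1 }
    $1 == "add_header" && tolower($2) == "strict-transport-security" { hsts++ }
    END {
      if (hsts == 0) print "HSTS_MISSING"
      if (hsts > 1)  print "HSTS_DUPLICATE " hsts
      # without ssl_dhparam, nginx >= 1.11.0 does not offer DHE ciphers at all
      if (dhe && !dh) print "DHE_WITHOUT_DHPARAM"
      # nginx needs a resolver to look up the OCSP responder hostname
      if (staple && !resolver) print "STAPLING_WITHOUT_RESOLVER"
    }'
}

# Constructed sample config (not a real deployment) with deliberate problems.
sample_conf() {
  cat <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy versions still enabled
ssl_ciphers 'EDH+aRSA:EECDH+aRSA+AESGCM';
ssl_stapling on;
add_header Strict-Transport-Security max-age=63072000;
add_header Strict-Transport-Security max-age=15768000; # six months
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
EOF
}

sample_conf | lint_tls_conf
```

To check a real file, run `lint_tls_conf < /path/to/site.conf` and then `nginx -t` before reloading.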