How to defend SSL/TLS servers against the BEAST, CRIME and BREACH attacks with Nginx

The information presented herein is without any guarantees and I’ll take no responsibility if any harm happens to you or your users. If you find any factual problems, please reach out to me ([twitter:@hirose31]) immediately and I will fix it ASAP.

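http {
  server {
    listen  80;
    listen 443 ssl;
    server_name example.com;

    # BEAST: don't use CBC.
    # The AES-GCM suites listed first in ssl_ciphers exist only in TLSv1.2, so
    # TLSv1.2 must be enabled here or they can never be negotiated and every
    # handshake would still end up on a CBC (or RC4) suite.  SSLv3 is dropped:
    # it is obsolete and its only non-CBC suites are RC4.  The TLSv1.1/TLSv1.2
    # values need nginx 1.1.13+/1.0.12+ built against OpenSSL 1.0.1+.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Order matters together with ssl_prefer_server_ciphers: GCM suites are
    # tried first; the trailing CBC and RC4 entries are fallbacks for clients
    # without TLSv1.2 and are exactly the suites the BEAST note above is about,
    # so review whether they are still needed for your client population.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
    # Let the server's preference order win over the client's.
    ssl_prefer_server_ciphers on;

    # CRIME: disable TLSv1 compression: use nginx 1.0.9+/1.1.6+ w/ OpenSSL 1.0.0+ or 1.2.2+/1.3.2+ w/ older OpenSSL
    # (those builds turn TLS compression off; there is no directive to set here)

    # Compression stays on for plain HTTP (port 80) only; see the BREACH
    # blocks below.
    gzip on;

    # BREACH: disable HTTP compression on TLS connections.
    # $ssl_protocol is empty for requests that did not arrive over TLS, so the
    # `if` only fires on port 443.  gzip can only be switched inside an `if`
    # that lives in a location (not at server level), which is why the same
    # guard is repeated in every location block; a new location must carry it too.
    location = /foo {
      if ($ssl_protocol) { gzip off; }
    }

    location / {
      if ($ssl_protocol) { gzip off; }
    }
  }
}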