How to defend SSL/TLS servers against the BEAST, CRIME and BREACH attacks with Nginx
The information presented herein is without any guarantees and I’ll take no responsibility if any harm happens to you or your users. If you find any factual problems, please reach out to me ([twitter:@hirose31]) immediately and I will fix it ASAP.
    http {
      server {
        listen 80;
        listen 443 ssl;
        server_name example.com;

        # BEAST: don't use CBC
        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
        ssl_prefer_server_ciphers on;

        # CRIME: disable TLSv1 compression: use nginx 1.0.9+/1.1.6+ w/ OpenSSL 1.0.0+
        #        or 1.2.2+/1.3.2+ w/ older OpenSSL

        gzip on;

        location = /foo {
          # BREACH: disable HTTP compression
          if ($ssl_protocol) {
            gzip off;
          }
        }

        location / {
          # BREACH: disable HTTP compression
          if ($ssl_protocol) {
            gzip off;
          }
        }
      }
    }
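The config above relies on three things being true at once: the cipher list, the protocol list, and a `gzip off` guard in every `location` that is reachable over TLS. The following script is an added example, not part of the original post, that audits an nginx config text for exactly those points: it parses the directives into a tree, lists the configured `ssl_protocols`, flags cipher suites that use CBC mode or RC4 (a heuristic over OpenSSL suite names: anything that is not GCM/CCM/CHACHA20 is treated as CBC), and reports any `location` that would still serve gzip-compressed responses over TLS, i.e. that lacks an `if ($ssl_protocol) { gzip off; }` guard or an unconditional `gzip off`. The embedded config is a constructed copy of the one on this page; the parser is minimal and assumes well-formed nginx syntax.

```python
import re
from typing import List, Tuple

# Constructed copy of the nginx config shown on this page (comments dropped).
SAMPLE_CONF = """
http {
  server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA;
    ssl_prefer_server_ciphers on;
    gzip on;
    location = /foo {
      if ($ssl_protocol) { gzip off; }
    }
    location / {
      if ($ssl_protocol) { gzip off; }
    }
  }
}
"""

Directive = Tuple[str, List[str], list]  # (name, args, children)


def tokenize(text: str) -> List[str]:
    """Drop '#' comments, then split into words and the structural tokens { } ;"""
    text = re.sub(r"#.*", "", text)
    return re.findall(r"[{};]|[^\s{};]+", text)


def parse(tokens: List[str]) -> List[Directive]:
    """Recursive-descent parse of nginx directives into (name, args, children) tuples."""
    def block(i: int):
        items = []
        while i < len(tokens) and tokens[i] != "}":
            name, i = tokens[i], i + 1
            args = []
            while tokens[i] not in ("{", ";"):
                args.append(tokens[i])
                i += 1
            if tokens[i] == ";":
                items.append((name, args, []))
                i += 1
            else:  # '{' opens a nested block
                children, i = block(i + 1)
                items.append((name, args, children))
                i += 1  # consume the closing '}'
        return items, i
    return block(0)[0]


def find(items: List[Directive], name: str):
    for n, args, children in items:
        if n == name:
            yield args, children


def is_cbc_or_rc4(cipher: str) -> bool:
    """Heuristic over OpenSSL suite names: RC4 is a stream cipher; AEAD suites carry
    GCM/CCM/CHACHA20 in the name; everything else (…-SHA, -SHA256, -SHA384) is CBC."""
    if "RC4" in cipher:
        return True
    return not any(mode in cipher for mode in ("GCM", "CCM", "CHACHA20"))


def gzip_state(children: List[Directive], inherited: str) -> str:
    """Effective 'gzip' value at this level: a local directive overrides the parent's."""
    state = inherited
    for args, _ in find(children, "gzip"):
        state = args[0]
    return state


def tls_gzip_guarded(location: List[Directive]) -> bool:
    """True when the location carries an `if ($ssl_protocol) { gzip off; }` guard."""
    for args, body in find(location, "if"):
        if "$ssl_protocol" in " ".join(args) and gzip_state(body, "on") == "off":
            return True
    return False


def audit(conf_text: str) -> dict:
    tree = parse(tokenize(conf_text))
    out = {"protocols": [], "cbc_or_rc4_ciphers": [], "tls_compressed_locations": []}
    for _, http in find(tree, "http"):
        http_gzip = gzip_state(http, "off")  # nginx default: gzip off
        for _, server in find(http, "server"):
            if not any("ssl" in args for args, _ in find(server, "listen")):
                continue  # plain-HTTP-only server block: BEAST/CRIME/BREACH do not apply
            for args, _ in find(server, "ssl_protocols"):
                out["protocols"].extend(args)
            for args, _ in find(server, "ssl_ciphers"):
                out["cbc_or_rc4_ciphers"].extend(c for c in args[0].split(":") if is_cbc_or_rc4(c))
            server_gzip = gzip_state(server, http_gzip)
            for args, loc in find(server, "location"):
                if gzip_state(loc, server_gzip) == "on" and not tls_gzip_guarded(loc):
                    out["tls_compressed_locations"].append(" ".join(args))
    return out


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Run against the page's config the audit reports both locations as guarded (an empty `tls_compressed_locations` list) while still listing the six CBC/RC4 suites and the `SSLv3 TLSv1` protocol set, so it is a quick way to see what a change to the cipher string or the removal of one `if` block would expose.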