templates/default/nginx.erb
<%
self.class.send(:include, Chef::SslCertificateCookbook::ServiceHelpers)
@ssl_config = ssl_config_for_service('nginx')
-%>
# ----------------- #
# SSL Configuration #
# ----------------- #
ssl on;
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
<% if @ssl_config[:description].is_a?(String) -%>
# <%= @ssl_config[:description] %>
<% end -%>
<% if @ssl_config[:protocols].is_a?(String) -%>
ssl_protocols <%= @ssl_config[:protocols] %>;
<% end -%>
<% if @ssl_config[:cipher_suite].is_a?(String) -%>
ssl_ciphers <%= @ssl_config[:cipher_suite] %>;
<% end -%>
ssl_prefer_server_ciphers on;
<% if @ssl_config[:use_hsts] -%>
# Enable this if your want HSTS (recommended)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
<% end -%>
<% if @ssl_config[:use_stapling] && nginx_version_satisfies?('>= 1.3.7') -%>
ssl_stapling on;
ssl_stapling_verify on;
resolver <%= @ssl_config[:stapling_resolver] %>;
<% end -%>