NGINX Configuration for Django with SSL

your setup is pretty bad (performance and security), here comes why:<p>1. combine all listen 80 - serverblocks into one, and then<p>return 301 <a href="https://$host$request_uri;" rel="nofollow">https:&#x2F;&#x2F;$host$request_uri;</a> instead of rewrite, it is faster and you can skip the if (scheme) - part, because if is evil <a href="http://wiki.nginx.org/IfIsEvil" rel="nofollow">http:&#x2F;&#x2F;wiki.nginx.org&#x2F;IfIsEvil</a><p>2. where are your ciphers? they are bad anyway and doesnt seem to be the defaults, and RC4 as preferred ciphers, phew!<p>3. you are vulnerable to the latest CCS-vuln <a href="https://8ack.de/scan/result/sslvulns/71ba019e9d4bf25fd422ab0395e9fdc12a18ddf9a8e1583b769fe7f075e19290f5d9d44e23c0902fb6dd17da6e4c9bf1f647b44a3e1fd82c1ea982062a474c27" rel="nofollow">https:&#x2F;&#x2F;8ack.de&#x2F;scan&#x2F;result&#x2F;sslvulns&#x2F;71ba019e9d4bf25fd422ab0...</a><p>4. you use an quite old nginx-version; debian? you should use a newer one that supports SPDY (faster loading for all those images)<p>5. OH NOES .... <a href="https://wbsrch.com/admin/" rel="nofollow">https:&#x2F;&#x2F;wbsrch.com&#x2F;admin&#x2F;</a> rule nr. 1: never expose admin&#x2F;backend-logins to the interwebs<p>6. no HSTS<p>7. you support TLS 1.2., but no PFS, is there a reason for this? otherwise, this is a bad decision <a href="https://www.ssllabs.com/ssltest/analyze.html?d=wbsrch.com" rel="nofollow">https:&#x2F;&#x2F;www.ssllabs.com&#x2F;ssltest&#x2F;analyze.html?d=wbsrch.com</a><p>8. define STATIC - resouces with django; advantage: you dont have to try_files and can skip the regex-location for static content <a href="https://docs.djangoproject.com/en/dev/howto/static-files/" rel="nofollow">https:&#x2F;&#x2F;docs.djangoproject.com&#x2F;en&#x2F;dev&#x2F;howto&#x2F;static-files&#x2F;</a><p>9. why did you turned off ssl_session_cache??? <a href="https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/#optimizing-for-better-ssl-performance" rel="nofollow">https:&#x2F;&#x2F;www.mare-system.de&#x2F;guide-to-nginx-ssl-spdy-hsts&#x2F;#opt...</a><p>10. use proxy_cache for &#x2F;<p>11. turn off server_tokens e3c4676d14a8ddd07d140f6d3e771ae8994ff5f4a159ba70fa5f5a9eaf026ada9a9f61021ef5ec27466718573c8a73621d119c385eb284fe322eaefaff2d1b42<p>more on nginx + ssl: <a href="https://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/" rel="nofollow">https:&#x2F;&#x2F;www.mare-system.de&#x2F;guide-to-nginx-ssl-spdy-hsts&#x2F;</a>