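# TLS hardening and response-header rewrites for the NetScaler Gateway
# virtual server nsgw-vsrv-gateway.domain.pit.

# --- Global SSL parameters ---
# Deny non-secure renegotiation. The parameter is spelled -denySSLReneg;
# a misspelled option is rejected by the CLI and leaves the setting unchanged.
set ssl parameter -denySSLReneg NONSECURE

# --- Protocol versions on the gateway vserver ---
# Only SSLv3 and TLS 1.2 are set here. -tls1 and -tls11 keep their current
# values; NOTE(review): confirm they are disabled if policy requires it.
set ssl vserver nsgw-vsrv-gateway.domain.pit -ssl3 DISABLED -tls12 ENABLED

# --- Custom cipher group ---
# NOTE(review): all three suites are CBC with a SHA-1 MAC, and priority 3 uses
# static RSA key exchange (no forward secrecy). With TLS 1.2 enabled, consider
# adding AEAD (GCM) suites supported by the installed firmware at higher
# priority.
add ssl cipher CIPHER-PIT
bind ssl cipher CIPHER-PIT -cipherName TLS1-ECDHE-RSA-AES256-SHA -cipherPriority 1
bind ssl cipher CIPHER-PIT -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA -cipherPriority 2
bind ssl cipher CIPHER-PIT -cipherName TLS1-AES-256-CBC-SHA -cipherPriority 3

# --- DH parameters for the DHE suite ---
# Generates a 2048-bit DH parameter file; it is referenced by -dhFile below.
create ssl dhparam dh-key-2048.key 2048 -gen 2

# Bind the custom group to the vserver.
# NOTE(review): this adds CIPHER-PIT but does not unbind anything. If another
# cipher group (for example DEFAULT) is still bound to this vserver, its suites
# stay negotiable; check with "show ssl vserver nsgw-vsrv-gateway.domain.pit".
bind ssl vserver nsgw-vsrv-gateway.domain.pit -cipherName CIPHER-PIT

# Enable DH with the generated file, refresh the DH key pair every 1000
# interactions, and turn off ephemeral RSA.
set ssl vserver nsgw-vsrv-gateway.domain.pit -dh ENABLED -dhFile "/nsconfig/ssl/dh-key-2048.key" -dhCount 1000 -eRSA DISABLED

# --- HSTS response header ---
# max-age is two years. includeSubdomains plus preload commits every subdomain
# of the gateway's domain to HTTPS and is slow to roll back once browsers have
# cached it; confirm all subdomains serve valid TLS before enabling.
add rewrite action rw_act_InsertSTSHeader insert_http_header strict-transport-security "\"max-age=63072000; includeSubdomains; preload\"" -comment "strict-transport-security Header"
add rewrite policy rw_pol_InsertSTSHeader HTTP.RES.IS_VALID rw_act_InsertSTSHeader
bind vpn vserver nsgw-vsrv-gateway.domain.pit -policy rw_pol_InsertSTSHeader -priority 300 -gotoPriorityExpression END -type RESPONSE

# --- Server header masking ---
# Remove the backend's Server header, then insert a fixed placeholder so
# responses do not disclose product or version information.
add rewrite action rw_act_DeleteServerHeader delete_http_header Server
add rewrite action rw_act_InsertServerHeader insert_http_header Server "\"unknown environment\""
add rewrite policy rw_pol_DeleteServerHeader HTTP.RES.IS_VALID rw_act_DeleteServerHeader
add rewrite policy rw_pol_InsertServerHeader HTTP.RES.IS_VALID rw_act_InsertServerHeader

# Evaluation order on RESPONSE: 100 (delete Server) -> 200 (insert Server) ->
# 300 (HSTS, bound above with END). NEXT lets evaluation continue to the next
# priority.
bind vpn vserver nsgw-vsrv-gateway.domain.pit -policy rw_pol_DeleteServerHeader -priority 100 -gotoPriorityExpression NEXT -type RESPONSE
bind vpn vserver nsgw-vsrv-gateway.domain.pit -policy rw_pol_InsertServerHeader -priority 200 -gotoPriorityExpression NEXT -type RESPONSE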