Bug 1330708 - Extend " Securing the Apache HTTP Server" to cover Nginx
Summary: Extend " Securing the Apache HTTP Server" to cover Nginx
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Security_Guide
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Mirek Jahoda
QA Contact: Joe Orton
Martin Prpič
URL:
Whiteboard:
Depends On:
Blocks: 1470091
Reported: 2016-04-26 18:19 UTC by Martin Prpič
Modified: 2019-03-06 00:54 UTC (History)
CC List: 11 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-12 15:11:48 UTC
Target Upstream Version:



Description Martin Prpič 2016-04-26 18:19:02 UTC
Document URL:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Security_Guide/index.html

The "4.3.8. Securing the Apache HTTP Server" section covers various hardening rules for httpd. Since we ship Nginx via RHSCL and it's one of the most used web servers out there, how about we rename this section to "Securing HTTP Servers", provide general recommendations, and include configuration examples for both Apache httpd and Nginx.

Just off the top of my head, the general recommendations could include: disabling version strings (already covered: ServerTokens in httpd, server_tokens in nginx), sending security-related headers for each response [1], or not accepting potentially dangerous HTTP methods like TRACE or OPTIONS [2].

[1] https://www.owasp.org/index.php/List_of_useful_HTTP_headers
[2] https://www.owasp.org/index.php/Test_HTTP_Methods_%28OTG-CONFIG-006%29

Comment 7 Martin Prpič 2017-12-01 12:04:54 UTC
Mirek, below is the proposed content. I hope the format (markdown) is OK for you. If you need to convert it to DocBook, you can use pandoc. Feel free to adjust the styling and structure as you see fit.

I'm not sure what the current policy is wrt linking to external resources, but I feel both of them (SSL Labs, Mozilla SSL config generator) are trustworthy and contain valuable information. If we have a policy against linking to external sites, though, you can remove them of course.

Let me know if you have any other questions.

------------------8<------------------
4.3.9. Securing the NGINX HTTP Server

NGINX is a high-performance HTTP and proxy server. The following sections
briefly document extra steps that can be taken to harden your NGINX
configuration. All of the configuration options should be added to the
`server` section(s) of your NGINX configuration files.

Disabling Version Strings

To prevent attackers from learning the version of NGINX running on your
server, use the following configuration option:

```
server_tokens        off;
```

This has the effect of removing the version number and simply reporting the
string `nginx` in all requests served by NGINX:

```
> curl -sI http://localhost | grep Server
Server: nginx
```

Security-related Headers

Each request served by NGINX can include additional HTTP headers that
mitigate certain known web application vulnerabilities:

* `add_header X-Frame-Options SAMEORIGIN;` -- This option denies any page
  outside of your domain to frame any content served by NGINX, effectively
  mitigating clickjacking attacks.

* `add_header X-Content-Type-Options nosniff;` -- This option prevents
  MIME-type sniffing in certain older browsers.

* `add_header X-XSS-Protection "1; mode=block";` -- This option enables
  Cross-Site Scripting (XSS) filtering, preventing the browser from
  rendering potentially malicious content included in a response by NGINX.

Disable Potentially Harmful HTTP Methods

If enabled, some of the HTTP methods may allow an attacker to perform
actions on the web server that were designed for developers to test web
applications. For example, the TRACE method is known to allow Cross-Site
Tracing (XST).

Your NGINX server can disallow these harmful HTTP methods as well as any
arbitrary methods by whitelisting only those that should be allowed.
For example:

```
# Allow GET, PUT, POST; return "405 Method Not Allowed" for all others.
if ( $request_method !~ ^(GET|PUT|POST)$ ) {
    return 405;
}
```

Configuring SSL

To protect the data served by your NGINX web server, you should consider
serving it over HTTPS only. To generate a secure configuration profile for
enabling SSL in your NGINX server, see the [Mozilla SSL Configuration
Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/).
The generated configuration will assure that known vulnerable protocols
(for example, SSLv2 or SSLv3) and ciphers and hashing algorithms (for
example, 3DES or MD5) are disabled.

You can use the [SSL Server Test](https://www.ssllabs.com/ssltest/) to
verify that your configuration meets modern security requirements.
------------------8<------------------
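The following script is an added example, not part of the proposed documentation or of the bug report: it audits captured HTTP response heads against the three hardening steps above (no version in the `Server` header, the security headers present, TRACE rejected with 405). The sample responses are constructed inline rather than captured from a real server.

```python
import re
from typing import Dict, List, Tuple

# Response headers the hardened "server" block above is expected to send.
EXPECTED_HEADERS = {
    "x-frame-options": {"SAMEORIGIN", "DENY"},
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1; mode=block"},
}

def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response head into (status code, {lowercased name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(get_raw: str, trace_raw: str) -> List[str]:
    """Return the findings for one server; an empty list means every check passed."""
    findings: List[str] = []
    _, headers = parse_head(get_raw)
    server = headers.get("server", "")
    if re.search(r"\d", server):          # "nginx/1.10.2" leaks a version, "nginx" does not
        findings.append(f"Server header leaks a version: {server!r} (set server_tokens off)")
    for name, allowed in EXPECTED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing {name} header")
        elif value not in allowed:
            findings.append(f"unexpected {name} value {value!r}")
    status, _ = parse_head(trace_raw)
    if status != 405:                     # the request_method whitelist should reject TRACE
        findings.append(f"TRACE answered {status}, expected 405")
    return findings

# Constructed sample responses (not captured from a real server).
HARDENED_GET = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
                "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
                "X-XSS-Protection: 1; mode=block\r\n\r\n<html>...</html>")
HARDENED_TRACE = "HTTP/1.1 405 Not Allowed\r\nServer: nginx\r\n\r\n"
DEFAULT_GET = "HTTP/1.1 200 OK\r\nServer: nginx/1.10.2\r\nContent-Type: text/html\r\n\r\n"
DEFAULT_TRACE = "HTTP/1.1 200 OK\r\nServer: nginx/1.10.2\r\nContent-Type: message/http\r\n\r\n"

if __name__ == "__main__":
    for label, get_raw, trace_raw in (("hardened", HARDENED_GET, HARDENED_TRACE),
                                      ("default", DEFAULT_GET, DEFAULT_TRACE)):
        print(label, audit(get_raw, trace_raw) or ["OK"])
```

Because nginx applies `add_header` directives from the `server` block only to locations that define no `add_header` of their own, run the check against each served path, not just `/`.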

