|
|
|
@ -1,6 +1,6 @@ |
|
|
|
|
# session settings |
|
|
|
|
ssl_session_timeout 1d; |
|
|
|
|
ssl_session_cache shared:SSL:50m; |
|
|
|
|
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions |
|
|
|
|
ssl_session_tickets off; |
|
|
|
|
|
|
|
|
|
# ssl certs |
|
|
|
@ -13,10 +13,14 @@ ssl_certificate_key /config/keys/cert.key; |
|
|
|
|
{{ end }} |
|
|
|
|
|
|
|
|
|
# protocols |
|
|
|
|
ssl_protocols TLSv1.2; |
|
|
|
|
ssl_prefer_server_ciphers on; |
|
|
|
|
ssl_ecdh_curve secp384r1; |
|
|
|
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH+CHACHA20:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK; |
|
|
|
|
# Mozilla Guideline v5.6, nginx 1.14.2, OpenSSL 1.1.1d, intermediate configuration, no OCSP |
|
|
|
|
# https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6 |
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3; |
|
|
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; |
|
|
|
|
ssl_prefer_server_ciphers off; |
|
|
|
|
|
|
|
|
|
# headers |
|
|
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; |
|
|
|
|
# Diffie-Hellman parameter for DHE cipher suites |
|
|
|
|
ssl_dhparam /defaults/ffdhe2048.txt; |
|
|
|
|
|
|
|
|
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds) |
|
|
|
|
add_header Strict-Transport-Security "max-age=63072000" always; |
|
|
|
|