|
|
@@ -18,4 +18,10 @@ ssl_certificate_key /config/keys/cert.key;
|
|
|
# protocols
|
|
|
ssl_protocols TLSv1.2;
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
-ssl_ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
|
|
|
+ssl_ecdh_curve secp384r1;
|
|
|
+ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDH+CHACHA20:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
|
|
|
+
|
|
|
+# headers
|
|
|
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
|
|
+add_header X-Content-Type-Options nosniff;
|
|
|
+add_header X-XSS-Protection "1; mode=block";
|
netaskd