|
|
@@ -1,6 +1,6 @@
|
|
|
# session settings
|
|
|
ssl_session_timeout 1d;
|
|
|
-ssl_session_cache shared:SSL:50m;
|
|
|
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
|
ssl_session_tickets off;
|
|
|
|
|
|
# ssl certs
|
|
|
@@ -13,10 +13,14 @@ ssl_certificate_key /config/keys/cert.key;
|
|
|
{{ end }}
|
|
|
|
|
|
# protocols
|
|
|
-ssl_protocols TLSv1.2;
|
|
|
-ssl_prefer_server_ciphers on;
|
|
|
-ssl_ecdh_curve secp384r1;
|
|
|
-ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH+CHACHA20:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
|
|
|
+# Mozilla Guideline v5.6, nginx 1.14.2, OpenSSL 1.1.1d, intermediate configuration, no OCSP
|
|
|
+# https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6
|
|
|
+ssl_protocols TLSv1.2 TLSv1.3;
|
|
|
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
|
+ssl_prefer_server_ciphers off;
|
|
|
|
|
|
-# headers
|
|
|
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
|
|
+# Diffie-Hellman parameter for DHE cipher suites
|
|
|
+ssl_dhparam /defaults/ffdhe2048.txt;
|
|
|
+
|
|
|
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
|
|
+add_header Strict-Transport-Security "max-age=63072000" always;
|
Jonathan Lennox