Merge pull request #1521 from RotherOSS/issue-#1518-nginx_config
Issue #1518 nginx config
Showing
3 changed files
with
33 additions
and
14 deletions.
@@ -1,17 +1,34 @@ | ||
# See https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04 | ||
# See https://ssl-config.mozilla.org/ , going for the intermediate configuration | ||
|
||
ssl_protocols TLSv1.2; | ||
ssl_prefer_server_ciphers on; | ||
# TLS 1.0, TLS 1.1, and SSL v2 are obsolete | ||
# TLS 1.2 is still used by browsers | ||
ssl_protocols TLSv1.2 TLSv1.3; | ||
|
||
# all activated ciphers are safe, the browser can specify what the fastest is for her | ||
ssl_prefer_server_ciphers off; | ||
|
||
# Presumables the diffie hellman parameters are included in the certificate. | ||
#ssl_dhparam /etc/nginx/dhparam.pem; | ||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; | ||
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 | ||
ssl_session_timeout 10m; | ||
|
||
# ECDHE-ECDSA-CHACHA20-POLY1305 and ECDHE-RSA-CHACHA20-POLY1305 are not included even though they are | ||
# considered to be safe, however they are not included Technische Richtlinie TR-02102-2 of the BSI | ||
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; | ||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; | ||
|
||
# Trusting the recommendation from https://ssl-config.mozilla.org/ | ||
ssl_session_timeout 1d; | ||
ssl_session_cache shared:SSL:10m; | ||
ssl_session_tickets off; # Requires nginx >= 1.5.9 | ||
ssl_stapling on; # Requires nginx >= 1.3.7 | ||
ssl_stapling_verify on; # Requires nginx => 1.3.7 | ||
ssl_session_tickets off; | ||
|
||
# OCSP stapling is considered to be a good thing, https://en.wikipedia.org/wiki/OCSP_stapling | ||
ssl_stapling on; | ||
ssl_stapling_verify on; | ||
|
||
#resolver 8.8.8.8 8.8.4.4 valid=300s; | ||
#resolver_timeout 5s; | ||
|
||
# Disable strict transport security for now. You can uncomment the following | ||
# line if you understand the implications. | ||
# Be aware that static content migth be treated differentyl from dynamic content. | ||
# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; |
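Review bot: The comment `# Presumables the diffie hellman parameters are included in the certificate.` (on the new side, as far as the rendered diff shows) is incorrect: DH parameters are never part of the certificate, and with `ssl_dhparam` left commented out nginx falls back to its built-in default group (2048-bit only from nginx 1.11.0, 1024-bit before that), which is exactly what the `DHE-RSA-*` suites in the new `ssl_ciphers` line would negotiate. Either enable `ssl_dhparam` with a generated or standard group — the ssl-config.mozilla.org intermediate profile this file says it follows does — or drop the DHE suites and keep only the ECDHE ones, and reword the comment to `# DHE suites use nginx's built-in DH group unless ssl_dhparam is set; see ssl-config.mozilla.org`. Separately, the retained `ssl_stapling on;` / `ssl_stapling_verify on;` still run with no `resolver` (the `#resolver` lines stay commented out) and no `ssl_trusted_certificate`, so nginx cannot look up the OCSP responder hostname and, where it could, cannot verify the response; stapling then silently does not happen and only surfaces as a warning in the error log. Consider a resolver you control rather than the commented public ones plus `ssl_trusted_certificate` for the issuer chain, or turn stapling off until both are in place.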