[IMP]Improve base configuration for TLS/SSL on Nginx

2017-04-07 12:13:43 +02:00 · 2017-04-07 12:13:43 +02:00 · 535b44c7d5
parent 2a50029fa1
commit 535b44c7d5
2 changed files with 20 additions and 12 deletions
--- a/nginx/dhparams.pem
+++ b/nginx/dhparams.pem
@ -1,13 +1,13 @@
 -----BEGIN DH PARAMETERS-----
-MIICCAKCAgEAynPYUK31ldXv9FAsoM9wPfzpvjTYV3efTCe7ZOuPWcIa67X09XrZ
-spp9LUrJGUCsBlDIYF+bRCDcXGKGlCfvQA1vV5E6IzXS5HhmKOoFGFN6g3ySpU+5
-O2zkvJOTtXzJIGtvdwwKI07ivWvB6w+7TMu1T7GPaOXT8+NSx2RCBGSUJLwD4MSD
-3qJYkLMzfwQLXa7Nh70BoOVTpZwHRo1gxSvhAhzAG8W88RKX1jQndgph6ixtMzFD
-ZHugtEwzFVf5aGfC8cOpdDlTUxYbDxKpLk1dV0Gs7HKr0btZ+gNzBxMBjzfHLiud
-Tss2caAv9eyfvupWes6mjauF8D9yltb0iVsNr+kIsAQanw/aC3SGkzNBk8aKRMhO
-NfAh0MI4wI/2z2E7jNZP4TNNpwhhC35YlB6DRsgQ9ucIHoV7tXT+HsSg4W4FZRAC
-xNIPOnzfFlOsKPpM9LuKRTC0QgOEWBTjzCwuFNVcPSlK98NV7P2koLKs2RKzIw+L
-g25r4c+Q9yUFHzo1qV9y6PDMVFYUekr9lX40cRoHAmgB/dTdqTdmOOQDeEmluPfu
-ekn4vZrXBrLLqI05UnWs7NPkvdZOe65sU+wzLts/Lsp2TMn+vPuCkevqGqY/Bw7L
-Mm9mP3LhMtnNfREYSzEcKbIQl0GPjDiRjCa8q+8r6OqQs8YHxMKcp6sCAQI=
+MIICCAKCAgEAwaknGWEJqKxLkz/NvzklXrF0QIKItTHvI0tS1iF8vw24OASqODgn
+qF1NfF83I8zr+/t7INi3Vq5fBnR83sUGgPxrKikaMbzlFhuXpfKYAf0J0TVZbGzA
+DwQvG0hle5Xndjw/5osj8CTZ22yQPxCYXuboSawwHiRVw0X2ZMzcgQVRkarNRpO5
+we8JIQYVd92qUtQz0cCmXqbCQLquTGrSbEBort01YsOt1xuR6tP+5eIUWeA4UdD4
+DCOxjll2wvX+Uk0Mu8JeYzRVF/+sqf2OLF5m/uYpRmWWoAe6VUEGMGJ24jsn8xB8
+vq5tIamPl5Xf9SNlDhmYOTi21fTWdGgHICRx9jGwFH7AkL7094R2D6MKG9RMqUKh
+E8MpZDCg/6KPXnV2JHHrZWS/s0yvpDxy8G8ow5qtUZsdX/K7QYl5Z/layXsj2U8p
+xhN+3m9/V60fxuVeDPpbkQ+vzpkiXgk2+otnPYQ/3/2Y6O95G8JClA5HcReWnF8d
+FEeRdYcSr7ZwaG1V2RM0WdV5/IbLNiZZ2srBuzsdUGXFiCf4w6FVxtvaIVlpQtC4
+snnonNj6fgu9smb/0GOaMVzFDrEjj2qzJ1wILNCiNB+I1fDBkVPh2q81FLGy6gsY
+qhTFN412RyfPC1H2u4N3r3XVF6rQs37FyKCZYpWSuy2f9EhRDTbR0RsCAQI=
 -----END DH PARAMETERS-----
--- a/nginx/root.conf
+++ b/nginx/root.conf
@ -5,9 +5,17 @@ server {
    ssl_certificate /etc/nginx/certs/req.pem;
    ssl_certificate_key /etc/nginx/certs/cert.key;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;  # don’t use SSLv3 ref: POODLE
-    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; # Logjam
+    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; # Logjam and co
    ssl_prefer_server_ciphers on; # Logjam
    ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam
+    ssl_session_cache shared:TLS:2m;
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.8.8;
+    # Set HSTS to 365 days
+    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
+
    client_max_body_size 200M;

    location / {