[IMP]Improve base configuration for TLS/SSL on Nginx
This commit is contained in:
parent
2a50029fa1
commit
535b44c7d5
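--- a/<dh-parameters-file-path-not-shown>
+++ b/<dh-parameters-file-path-not-shown>
@@ -1,13 +1,13 @@
 -----BEGIN DH PARAMETERS-----
-MIICCAKCAgEAynPYUK31ldXv9FAsoM9wPfzpvjTYV3efTCe7ZOuPWcIa67X09XrZ
-spp9LUrJGUCsBlDIYF+bRCDcXGKGlCfvQA1vV5E6IzXS5HhmKOoFGFN6g3ySpU+5
-O2zkvJOTtXzJIGtvdwwKI07ivWvB6w+7TMu1T7GPaOXT8+NSx2RCBGSUJLwD4MSD
-3qJYkLMzfwQLXa7Nh70BoOVTpZwHRo1gxSvhAhzAG8W88RKX1jQndgph6ixtMzFD
-ZHugtEwzFVf5aGfC8cOpdDlTUxYbDxKpLk1dV0Gs7HKr0btZ+gNzBxMBjzfHLiud
-Tss2caAv9eyfvupWes6mjauF8D9yltb0iVsNr+kIsAQanw/aC3SGkzNBk8aKRMhO
-NfAh0MI4wI/2z2E7jNZP4TNNpwhhC35YlB6DRsgQ9ucIHoV7tXT+HsSg4W4FZRAC
-xNIPOnzfFlOsKPpM9LuKRTC0QgOEWBTjzCwuFNVcPSlK98NV7P2koLKs2RKzIw+L
-g25r4c+Q9yUFHzo1qV9y6PDMVFYUekr9lX40cRoHAmgB/dTdqTdmOOQDeEmluPfu
-ekn4vZrXBrLLqI05UnWs7NPkvdZOe65sU+wzLts/Lsp2TMn+vPuCkevqGqY/Bw7L
-Mm9mP3LhMtnNfREYSzEcKbIQl0GPjDiRjCa8q+8r6OqQs8YHxMKcp6sCAQI=
+MIICCAKCAgEAwaknGWEJqKxLkz/NvzklXrF0QIKItTHvI0tS1iF8vw24OASqODgn
+qF1NfF83I8zr+/t7INi3Vq5fBnR83sUGgPxrKikaMbzlFhuXpfKYAf0J0TVZbGzA
+DwQvG0hle5Xndjw/5osj8CTZ22yQPxCYXuboSawwHiRVw0X2ZMzcgQVRkarNRpO5
+we8JIQYVd92qUtQz0cCmXqbCQLquTGrSbEBort01YsOt1xuR6tP+5eIUWeA4UdD4
+DCOxjll2wvX+Uk0Mu8JeYzRVF/+sqf2OLF5m/uYpRmWWoAe6VUEGMGJ24jsn8xB8
+vq5tIamPl5Xf9SNlDhmYOTi21fTWdGgHICRx9jGwFH7AkL7094R2D6MKG9RMqUKh
+E8MpZDCg/6KPXnV2JHHrZWS/s0yvpDxy8G8ow5qtUZsdX/K7QYl5Z/layXsj2U8p
+xhN+3m9/V60fxuVeDPpbkQ+vzpkiXgk2+otnPYQ/3/2Y6O95G8JClA5HcReWnF8d
+FEeRdYcSr7ZwaG1V2RM0WdV5/IbLNiZZ2srBuzsdUGXFiCf4w6FVxtvaIVlpQtC4
+snnonNj6fgu9smb/0GOaMVzFDrEjj2qzJ1wILNCiNB+I1fDBkVPh2q81FLGy6gsY
+qhTFN412RyfPC1H2u4N3r3XVF6rQs37FyKCZYpWSuy2f9EhRDTbR0RsCAQI=
 -----END DH PARAMETERS-----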
@ -5,9 +5,17 @@ server {
|
|||||||
ssl_certificate /etc/nginx/certs/req.pem;
|
ssl_certificate /etc/nginx/certs/req.pem;
|
||||||
ssl_certificate_key /etc/nginx/certs/cert.key;
|
ssl_certificate_key /etc/nginx/certs/cert.key;
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
|
||||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; # Logjam
|
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; # Logjam and co
|
||||||
ssl_prefer_server_ciphers on; # Logjam
|
ssl_prefer_server_ciphers on; # Logjam
|
||||||
ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam
|
ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam
|
||||||
|
ssl_session_cache shared:TLS:2m;
|
||||||
|
# OCSP stapling
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
resolver 8.8.8.8;
|
||||||
|
# Set HSTS to 365 days
|
||||||
|
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
|
||||||
|
|
||||||
client_max_body_size 200M;
|
client_max_body_size 200M;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
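Review bot: The new `ssl_stapling_verify on;` next to `ssl_stapling on;` and `resolver 8.8.8.8;` only verifies OCSP responses if nginx can build the issuer chain, so unless the full chain is already in `/etc/nginx/certs/req.pem` this hunk also needs `ssl_trusted_certificate <chain-file-path>;`, otherwise nginx logs a stapling warning and serves no staple; the `req.pem`/`cert.key` names also hint at a self-signed or CSR-derived certificate, for which stapling does nothing (no OCSP responder URL), which is worth confirming. The added `add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';` is only emitted on 2xx/3xx responses and is silently dropped in any `location` that declares its own `add_header`, so `add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;` is the safer form, and the `location / {` block that opens at the end of this hunk is not visible here. The retained `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still admits TLS 1.0/1.1 despite the cipher tightening, and `RSA+AESGCM` in the new `ssl_ciphers` list keeps static-RSA key exchange (no forward secrecy) reachable; both deserve a comment or a follow-up. The bare `resolver 8.8.8.8;` has no `valid=` TTL override and routes OCSP responder lookups over plain DNS to an external service, which is a policy choice that should be stated in a comment next to it.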