[IMP]Improve base configuration for TLS/SSL on Nginx

This commit is contained in:
Fabien Bourgeois 2017-04-07 12:13:43 +02:00
parent 2a50029fa1
commit 535b44c7d5
2 changed files with 20 additions and 12 deletions


@ -1,13 +1,13 @@
-----BEGIN DH PARAMETERS----- -----BEGIN DH PARAMETERS-----
MIICCAKCAgEAynPYUK31ldXv9FAsoM9wPfzpvjTYV3efTCe7ZOuPWcIa67X09XrZ MIICCAKCAgEAwaknGWEJqKxLkz/NvzklXrF0QIKItTHvI0tS1iF8vw24OASqODgn
spp9LUrJGUCsBlDIYF+bRCDcXGKGlCfvQA1vV5E6IzXS5HhmKOoFGFN6g3ySpU+5 qF1NfF83I8zr+/t7INi3Vq5fBnR83sUGgPxrKikaMbzlFhuXpfKYAf0J0TVZbGzA
O2zkvJOTtXzJIGtvdwwKI07ivWvB6w+7TMu1T7GPaOXT8+NSx2RCBGSUJLwD4MSD DwQvG0hle5Xndjw/5osj8CTZ22yQPxCYXuboSawwHiRVw0X2ZMzcgQVRkarNRpO5
3qJYkLMzfwQLXa7Nh70BoOVTpZwHRo1gxSvhAhzAG8W88RKX1jQndgph6ixtMzFD we8JIQYVd92qUtQz0cCmXqbCQLquTGrSbEBort01YsOt1xuR6tP+5eIUWeA4UdD4
ZHugtEwzFVf5aGfC8cOpdDlTUxYbDxKpLk1dV0Gs7HKr0btZ+gNzBxMBjzfHLiud DCOxjll2wvX+Uk0Mu8JeYzRVF/+sqf2OLF5m/uYpRmWWoAe6VUEGMGJ24jsn8xB8
Tss2caAv9eyfvupWes6mjauF8D9yltb0iVsNr+kIsAQanw/aC3SGkzNBk8aKRMhO vq5tIamPl5Xf9SNlDhmYOTi21fTWdGgHICRx9jGwFH7AkL7094R2D6MKG9RMqUKh
NfAh0MI4wI/2z2E7jNZP4TNNpwhhC35YlB6DRsgQ9ucIHoV7tXT+HsSg4W4FZRAC E8MpZDCg/6KPXnV2JHHrZWS/s0yvpDxy8G8ow5qtUZsdX/K7QYl5Z/layXsj2U8p
xNIPOnzfFlOsKPpM9LuKRTC0QgOEWBTjzCwuFNVcPSlK98NV7P2koLKs2RKzIw+L xhN+3m9/V60fxuVeDPpbkQ+vzpkiXgk2+otnPYQ/3/2Y6O95G8JClA5HcReWnF8d
g25r4c+Q9yUFHzo1qV9y6PDMVFYUekr9lX40cRoHAmgB/dTdqTdmOOQDeEmluPfu FEeRdYcSr7ZwaG1V2RM0WdV5/IbLNiZZ2srBuzsdUGXFiCf4w6FVxtvaIVlpQtC4
ekn4vZrXBrLLqI05UnWs7NPkvdZOe65sU+wzLts/Lsp2TMn+vPuCkevqGqY/Bw7L snnonNj6fgu9smb/0GOaMVzFDrEjj2qzJ1wILNCiNB+I1fDBkVPh2q81FLGy6gsY
Mm9mP3LhMtnNfREYSzEcKbIQl0GPjDiRjCa8q+8r6OqQs8YHxMKcp6sCAQI= qhTFN412RyfPC1H2u4N3r3XVF6rQs37FyKCZYpWSuy2f9EhRDTbR0RsCAQI=
-----END DH PARAMETERS----- -----END DH PARAMETERS-----


@ -5,9 +5,17 @@ server {
ssl_certificate /etc/nginx/certs/req.pem; ssl_certificate /etc/nginx/certs/req.pem;
ssl_certificate_key /etc/nginx/certs/cert.key; ssl_certificate_key /etc/nginx/certs/cert.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # dont use SSLv3 ref: POODLE ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # dont use SSLv3 ref: POODLE
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; # Logjam ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS; # Logjam and co
ssl_prefer_server_ciphers on; # Logjam ssl_prefer_server_ciphers on; # Logjam
ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam
ssl_session_cache shared:TLS:2m;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
# Set HSTS to 365 days
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
client_max_body_size 200M; client_max_body_size 200M;
location / { location / {
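Review bot: `ssl_stapling_verify on;` (with `resolver 8.8.8.8;` just below it) is added without an `ssl_trusted_certificate` directive, so unless `/etc/nginx/certs/req.pem` already carries the full issuer chain nginx has no trust anchor to validate the stapled OCSP response against and, as far as I can tell, drops stapling with only a warning in the error log; add `ssl_trusted_certificate /etc/nginx/certs/<CHAIN_FILE>.pem;` next to it and check the error log after reload. The resolver line also sends the OCSP responder lookups over unauthenticated DNS to a public resolver with no timeout; a local resolver such as `resolver <LOCAL_RESOLVER_IP> valid=300s; resolver_timeout 5s;` keeps that lookup inside the deployment's own trust boundary. The new server-level `add_header Strict-Transport-Security ...` is not inherited by any `location` block (including the `location / {` that follows) which declares its own `add_header`, so HSTS can silently vanish on those paths; either keep every `add_header` at server level or repeat the HSTS header in such locations. The unchanged `ssl_protocols` context line still enables TLSv1 and TLSv1.1, which this commit leaves as is. The server block continues outside the hunk.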