author | Aaron LI <aly@aaronly.me> | 2019-10-03 20:15:18 +0800 |
---|---|---|
committer | Aaron LI <aly@aaronly.me> | 2019-10-03 20:15:18 +0800 |
commit | 46c40aa13c9b5e4174ea6a0ff2b6ebe6afbe1e0c (patch) | |
tree | fb95352ffaf94a6e49257976ad639cd67defd8a0 | |
parent | 6cbc71299aafa86ae574db6ae1c27069d72a4dfa (diff) | |
download | ansible-dfly-vps-46c40aa13c9b5e4174ea6a0ff2b6ebe6afbe1e0c.tar.bz2 |
-rw-r--r-- | roles/web/files/nginx/conf.d/ssl.conf | 13 |
1 files changed, 3 insertions, 10 deletions
diff --git a/roles/web/files/nginx/conf.d/ssl.conf b/roles/web/files/nginx/conf.d/ssl.conf
index acda0eb..8f28636 100644
--- a/roles/web/files/nginx/conf.d/ssl.conf
+++ b/roles/web/files/nginx/conf.d/ssl.conf
@@ -34,23 +34,16 @@
 # Diffie-Hellman group:
-# $ openssl dhparam -out /usr/local/etc/ssl/dhparam2048.pem 2048
-# or even go with 4096-bit DH pool:
 # $ openssl dhparam -out /usr/local/etc/ssl/dhparam4096.pem 4096
-# NOTE: This may take up to tens of minutes ...
-#ssl_dhparam /usr/local/etc/ssl/dhparam2048.pem;
 ssl_dhparam /usr/local/etc/ssl/dhparam4096.pem;
 # Only use the latest TLS protocols
-# TLSv1.3 requires nginx >= 1.13
-#ssl_protocols TLSv1.2 TLSv1.3;
-ssl_protocols TLSv1.2;
+# NOTE: TLSv1.3 requires Nginx >=1.13 and OpenSSL 1.1.1 with TLSv1.3
+ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
-# Credit: https://mozilla.github.io/server-side-tls/ssl-config-generator/
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
 ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
+ssl_session_cache shared:SSL:10m;
 # Credit: https://github.com/mozilla/server-side-tls/issues/135
 ssl_session_tickets off;
|
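Review bot: Removing the `ssl_ciphers` line without a replacement leaves TLS 1.2 suite selection to nginx's built-in default (`HIGH:!aNULL:!MD5`), which still admits plain-RSA key exchange without forward secrecy and CBC suites that the deleted Mozilla list excluded, so `ssl_prefer_server_ciphers on;` now orders a broader set than before. Enabling TLSv1.3 does not make the list redundant: with OpenSSL, `ssl_ciphers` governs only TLS 1.2 and earlier, and the TLS 1.3 suites are selected separately regardless of this directive. If falling back to the default is intentional, say so in a comment such as `# ssl_ciphers intentionally left at the nginx default; TLSv1.2 clients may negotiate non-PFS/CBC suites`; otherwise restore the removed `ssl_ciphers '...';` line (or a trimmed ECDHE-only variant of it) next to `ssl_prefer_server_ciphers on;`.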