aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAaron LI <aly@aaronly.me>2019-10-03 20:15:18 +0800
committerAaron LI <aly@aaronly.me>2019-10-03 20:15:18 +0800
commit46c40aa13c9b5e4174ea6a0ff2b6ebe6afbe1e0c (patch)
treefb95352ffaf94a6e49257976ad639cd67defd8a0
parent6cbc71299aafa86ae574db6ae1c27069d72a4dfa (diff)
downloadansible-dfly-vps-46c40aa13c9b5e4174ea6a0ff2b6ebe6afbe1e0c.tar.bz2
web: Clean up nginx ssl.conf a bitHEADmaster
-rw-r--r--roles/web/files/nginx/conf.d/ssl.conf13
1 files changed, 3 insertions, 10 deletions
diff --git a/roles/web/files/nginx/conf.d/ssl.conf b/roles/web/files/nginx/conf.d/ssl.conf
index acda0eb..8f28636 100644
--- a/roles/web/files/nginx/conf.d/ssl.conf
+++ b/roles/web/files/nginx/conf.d/ssl.conf
@@ -34,23 +34,16 @@
# Diffie-Hellman group:
-# $ openssl dhparam -out /usr/local/etc/ssl/dhparam2048.pem 2048
-# or even go with 4096-bit DH pool:
# $ openssl dhparam -out /usr/local/etc/ssl/dhparam4096.pem 4096
-# NOTE: This may take up to tens of minutes ...
-#ssl_dhparam /usr/local/etc/ssl/dhparam2048.pem;
ssl_dhparam /usr/local/etc/ssl/dhparam4096.pem;
# Only use the latest TLS protocols
-# TLSv1.3 requires nginx >= 1.13
-#ssl_protocols TLSv1.2 TLSv1.3;
-ssl_protocols TLSv1.2;
+# NOTE: TLSv1.3 requires Nginx >=1.13 and OpenSSL 1.1.1 with TLSv1.3
+ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
-# Credit: https://mozilla.github.io/server-side-tls/ssl-config-generator/
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
+ssl_session_cache shared:SSL:10m;
# Credit: https://github.com/mozilla/server-side-tls/issues/135
ssl_session_tickets off;