author | Aaron LI <aly@aaronly.me> | 2018-03-05 19:27:06 +0800 |
---|---|---|
committer | Aaron LI <aly@aaronly.me> | 2018-03-14 11:35:08 +0800 |
commit | d9b877957c52789e494aeee1ffd4d3128dd9e597 (patch) | |
tree | a1ad213d957d789473b4de2a444efc6ee5a47cc2 /roles/web/files/conf.d/ssl.conf | |
parent | de51948fd19f05dbeb4eb5ea0cfd6bc46713abd1 (diff) | |
download | ansible-dfly-vps-d9b877957c52789e494aeee1ffd4d3128dd9e597.tar.bz2 |
web: create files/{acme,nginx} to organize files better
Diffstat (limited to 'roles/web/files/conf.d/ssl.conf')
-rw-r--r-- | roles/web/files/conf.d/ssl.conf | 69 |
1 files changed, 0 insertions, 69 deletions
diff --git a/roles/web/files/conf.d/ssl.conf b/roles/web/files/conf.d/ssl.conf
deleted file mode 100644
index acda0eb..0000000
--- a/roles/web/files/conf.d/ssl.conf
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# /usr/local/etc/nginx/conf.d/ssl.conf
-#
-# SSL/TLS settings for Nginx
-#
-# Aaron LI
-# 2017-04-25
-#
-# Credits
-# -------
-# * Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd
-# https://cipherli.st/
-# * Strong SSL Security on nginx
-# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-# * Mozilla - Security - Server Side TLS
-# https://wiki.mozilla.org/Security/Server_Side_TLS
-# https://mozilla.github.io/server-side-tls/ssl-config-generator/
-# * Let's Encrypt & Nginx
-# https://letsecure.me/secure-web-deployment-with-lets-encrypt-and-nginx/
-# * Nginx SSL and TLS Deployment Best Practice
-# https://www.linode.com/docs/web-servers/nginx/nginx-ssl-and-tls-deployment-best-practices
-# * Best nginx configuration for improved security (and performance)
-# https://gist.github.com/plentz/6737338
-# * Hardening your HTTP response headers
-# https://scotthelme.co.uk/hardening-your-http-response-headers/
-#
-# Tools
-# -----
-# * Qualys SSL Labs SSL Server Test
-# https://www.ssllabs.com/ssltest/
-# * Security Headers Analyzer
-# https://securityheaders.io/
-#
-
-
-# Diffie-Hellman group:
-# $ openssl dhparam -out /usr/local/etc/ssl/dhparam2048.pem 2048
-# or even go with 4096-bit DH pool:
-# $ openssl dhparam -out /usr/local/etc/ssl/dhparam4096.pem 4096
-# NOTE: This may take up to tens of minutes ...
-#ssl_dhparam /usr/local/etc/ssl/dhparam2048.pem;
-ssl_dhparam /usr/local/etc/ssl/dhparam4096.pem;
-
-# Only use the latest TLS protocols
-# TLSv1.3 requires nginx >= 1.13
-#ssl_protocols TLSv1.2 TLSv1.3;
-ssl_protocols TLSv1.2;
-ssl_prefer_server_ciphers on;
-# Credit: https://mozilla.github.io/server-side-tls/ssl-config-generator/
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
-# Credit: https://github.com/mozilla/server-side-tls/issues/135
-ssl_session_tickets off;
-
-# The Online Certificate Status Protocol (OCSP) was created to speed up
-# the process that operating systems and browsers use to check for
-# certificate revocation.
-# Allow the server to send its cached OCSP record to the client during
-# the TLS handshake, bypassing the OCSP responder and saving a roundtrip
-# between the client and the OCSP responder.
-#
-# NOTE: If the "ssl_certificate" file does NOT contain intermediate
-# certificates, the certificate of the server certificate issuer
-# should be present in the "ssl_trusted_certificate" file.
-#
-ssl_stapling on;
-ssl_stapling_verify on;