aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--roles/web/files/nginx/conf.d/ssl.conf13
1 files changed, 3 insertions, 10 deletions
diff --git a/roles/web/files/nginx/conf.d/ssl.conf b/roles/web/files/nginx/conf.d/ssl.conf
index acda0eb..8f28636 100644
--- a/roles/web/files/nginx/conf.d/ssl.conf
+++ b/roles/web/files/nginx/conf.d/ssl.conf
@@ -34,23 +34,16 @@
# Diffie-Hellman group:
-# $ openssl dhparam -out /usr/local/etc/ssl/dhparam2048.pem 2048
-# or even go with 4096-bit DH pool:
# $ openssl dhparam -out /usr/local/etc/ssl/dhparam4096.pem 4096
-# NOTE: This may take up to tens of minutes ...
-#ssl_dhparam /usr/local/etc/ssl/dhparam2048.pem;
ssl_dhparam /usr/local/etc/ssl/dhparam4096.pem;
# Only use the latest TLS protocols
-# TLSv1.3 requires nginx >= 1.13
-#ssl_protocols TLSv1.2 TLSv1.3;
-ssl_protocols TLSv1.2;
+# NOTE: TLSv1.3 requires Nginx >=1.13 and OpenSSL 1.1.1 with TLSv1.3
+ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
-# Credit: https://mozilla.github.io/server-side-tls/ssl-config-generator/
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
+ssl_session_cache shared:SSL:10m;
# Credit: https://github.com/mozilla/server-side-tls/issues/135
ssl_session_tickets off;