aboutsummaryrefslogtreecommitdiffstats
path: root/roles/web/files/conf.d/ssl.conf
diff options
context:
space:
mode:
Diffstat (limited to 'roles/web/files/conf.d/ssl.conf')
-rw-r--r--roles/web/files/conf.d/ssl.conf69
1 files changed, 69 insertions, 0 deletions
diff --git a/roles/web/files/conf.d/ssl.conf b/roles/web/files/conf.d/ssl.conf
new file mode 100644
index 0000000..acda0eb
--- /dev/null
+++ b/roles/web/files/conf.d/ssl.conf
@@ -0,0 +1,69 @@
+#
+# /usr/local/etc/nginx/conf.d/ssl.conf
+#
+# SSL/TLS settings for Nginx
+#
+# Aaron LI
+# 2017-04-25
+#
+# Credits
+# -------
+# * Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd
+# https://cipherli.st/
+# * Strong SSL Security on nginx
+# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+# * Mozilla - Security - Server Side TLS
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/
+# * Let's Encrypt & Nginx
+# https://letsecure.me/secure-web-deployment-with-lets-encrypt-and-nginx/
+# * Nginx SSL and TLS Deployment Best Practice
+# https://www.linode.com/docs/web-servers/nginx/nginx-ssl-and-tls-deployment-best-practices
+# * Best nginx configuration for improved security (and performance)
+# https://gist.github.com/plentz/6737338
+# * Hardening your HTTP response headers
+# https://scotthelme.co.uk/hardening-your-http-response-headers/
+#
+# Tools
+# -----
+# * Qualys SSL Labs SSL Server Test
+# https://www.ssllabs.com/ssltest/
+# * Security Headers Analyzer
+# https://securityheaders.io/
+#
+
+
+# Diffie-Hellman group:
+# $ openssl dhparam -out /usr/local/etc/ssl/dhparam2048.pem 2048
+# or even go with 4096-bit DH pool:
+# $ openssl dhparam -out /usr/local/etc/ssl/dhparam4096.pem 4096
+# NOTE: This may take up to tens of minutes ...
+#ssl_dhparam /usr/local/etc/ssl/dhparam2048.pem;
+ssl_dhparam /usr/local/etc/ssl/dhparam4096.pem;
+
+# Only use the latest TLS protocols
+# TLSv1.3 requires nginx >= 1.13
+#ssl_protocols TLSv1.2 TLSv1.3;
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers on;
+# Credit: https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+# Credit: https://github.com/mozilla/server-side-tls/issues/135
+ssl_session_tickets off;
+
+# The Online Certificate Status Protocol (OCSP) was created to speed up
+# the process that operating systems and browsers use to check for
+# certificate revocation.
+# Allow the server to send its cached OCSP record to the client during
+# the TLS handshake, bypassing the OCSP responder and saving a roundtrip
+# between the client and the OCSP responder.
+#
+# NOTE: If the "ssl_certificate" file does NOT contain intermediate
+# certificates, the certificate of the server certificate issuer
+# should be present in the "ssl_trusted_certificate" file.
+#
+ssl_stapling on;
+ssl_stapling_verify on;
Copyright © 2017-2018 Aaron LI. All Rights Reserved.