From 46c40aa13c9b5e4174ea6a0ff2b6ebe6afbe1e0c Mon Sep 17 00:00:00 2001 From: Aaron LI Date: Thu, 3 Oct 2019 20:15:18 +0800 Subject: web: Clean up nginx ssl.conf a bit --- roles/web/files/nginx/conf.d/ssl.conf | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) (limited to 'roles/web') diff --git a/roles/web/files/nginx/conf.d/ssl.conf b/roles/web/files/nginx/conf.d/ssl.conf index acda0eb..8f28636 100644 --- a/roles/web/files/nginx/conf.d/ssl.conf +++ b/roles/web/files/nginx/conf.d/ssl.conf @@ -34,23 +34,16 @@ # Diffie-Hellman group: -# $ openssl dhparam -out /usr/local/etc/ssl/dhparam2048.pem 2048 -# or even go with 4096-bit DH pool: # $ openssl dhparam -out /usr/local/etc/ssl/dhparam4096.pem 4096 -# NOTE: This may take up to tens of minutes ... -#ssl_dhparam /usr/local/etc/ssl/dhparam2048.pem; ssl_dhparam /usr/local/etc/ssl/dhparam4096.pem; # Only use the latest TLS protocols -# TLSv1.3 requires nginx >= 1.13 -#ssl_protocols TLSv1.2 TLSv1.3; -ssl_protocols TLSv1.2; +# NOTE: TLSv1.3 requires Nginx >=1.13 and OpenSSL 1.1.1 with TLSv1.3 +ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; -# Credit: https://mozilla.github.io/server-side-tls/ssl-config-generator/ -ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_session_timeout 1d; -ssl_session_cache shared:SSL:50m; +ssl_session_cache shared:SSL:10m; # Credit: https://github.com/mozilla/server-side-tls/issues/135 ssl_session_tickets off; -- cgit v1.2.2