From 46c40aa13c9b5e4174ea6a0ff2b6ebe6afbe1e0c Mon Sep 17 00:00:00 2001
From: Aaron LI <aly@aaronly.me>
Date: Thu, 3 Oct 2019 20:15:18 +0800
Subject: web: Clean up nginx ssl.conf a bit

---
 roles/web/files/nginx/conf.d/ssl.conf | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)


diff --git a/roles/web/files/nginx/conf.d/ssl.conf b/roles/web/files/nginx/conf.d/ssl.conf
index acda0eb..8f28636 100644
--- a/roles/web/files/nginx/conf.d/ssl.conf
+++ b/roles/web/files/nginx/conf.d/ssl.conf
@@ -34,23 +34,16 @@
 
 
 # Diffie-Hellman group:
-#     $ openssl dhparam -out /usr/local/etc/ssl/dhparam2048.pem 2048
-# or even go with 4096-bit DH pool:
 #     $ openssl dhparam -out /usr/local/etc/ssl/dhparam4096.pem 4096
-# NOTE: This may take up to tens of minutes ...
-#ssl_dhparam  /usr/local/etc/ssl/dhparam2048.pem;
 ssl_dhparam  /usr/local/etc/ssl/dhparam4096.pem;
 
 # Only use the latest TLS protocols
-# TLSv1.3 requires nginx >= 1.13
-#ssl_protocols              TLSv1.2 TLSv1.3;
-ssl_protocols              TLSv1.2;
+# NOTE: TLSv1.3 requires Nginx >=1.13 and OpenSSL 1.1.1 with TLSv1.3
+ssl_protocols              TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers  on;
-# Credit: https://mozilla.github.io/server-side-tls/ssl-config-generator/
-ssl_ciphers                'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
 
 ssl_session_timeout        1d;
-ssl_session_cache          shared:SSL:50m;
+ssl_session_cache          shared:SSL:10m;
 # Credit: https://github.com/mozilla/server-side-tls/issues/135
 ssl_session_tickets        off;
 
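Review bot: Dropping the `ssl_ciphers` line (old L35) without a replacement leaves TLSv1.2 negotiation on nginx's compiled-in default list (`HIGH:!aNULL:!MD5` in current releases), which admits RSA key exchange (no forward secrecy) and CBC suites that the removed explicit list had excluded; `ssl_prefer_server_ciphers on` is kept but now ranks that wider default set. TLSv1.3 suites are not governed by `ssl_ciphers` in OpenSSL, so enabling TLSv1.3 does not compensate for this on TLSv1.2 clients. Suggest keeping an explicit AEAD/ECDHE-only list next to the new `ssl_protocols` line, e.g. `ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';`, and if the intent is to rely on defaults, a comment stating that deliberately. The cache shrink from `shared:SSL:50m` to `10m` combined with `ssl_session_tickets off` also means resumption now depends solely on a smaller cache; worth a one-line comment on the expected session volume if that was a conscious trade-off.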
-- 
cgit v1.2.2