diff options
author | Jesse Luehrs <doy@tozt.net> | 2020-07-11 00:31:22 -0400 |
---|---|---|
committer | Jesse Luehrs <doy@tozt.net> | 2020-07-11 00:31:22 -0400 |
commit | 3b3928d3fa8dd8186ba1f751d382866618bc4c3e (patch) | |
tree | a344354dbe2dc0d18bf89f2274f0ca49ca088cff /modules/nginx | |
parent | 2742b92356a71d0582698f777897b46037567216 (diff) | |
download | puppet-tozt-3b3928d3fa8dd8186ba1f751d382866618bc4c3e.tar.gz puppet-tozt-3b3928d3fa8dd8186ba1f751d382866618bc4c3e.zip |
improve nginx tls config
Diffstat (limited to 'modules/nginx')
-rw-r--r-- | modules/nginx/files/ssl | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/modules/nginx/files/ssl b/modules/nginx/files/ssl index acb1643..e8e3437 100644 --- a/modules/nginx/files/ssl +++ b/modules/nginx/files/ssl @@ -1,11 +1,16 @@ +# generated by https://ssl-config.mozilla.org/ ssl_certificate /media/persistent/certbot/live/tozt.net/fullchain.pem; ssl_certificate_key /media/persistent/certbot/live/tozt.net/privkey.pem; -ssl_protocols TLSv1.1 TLSv1.2; -ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_dhparam /etc/nginx/dhparam.pem; -ssl_prefer_server_ciphers on; +ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_stapling on; ssl_stapling_verify on; +ssl_trusted_certificate /etc/ssl/cert.pem; +ssl_session_timeout 1d; +ssl_session_tickets off; +add_header Strict-Transport-Security "max-age=63072000" always; # vim:ft=nginx |