entrouvert
/
publik-common
17
0
Fork 0
Code Issues Pull Requests Releases Activity
publik-common/doc/nginx/snippets/publik-ssl.conf

22 lines
963 B
Plaintext
Raw Blame History

# from https://ssl-config.mozilla.org/
# nginx 1.10.3, intermediate config, OpenSSL 1.1.0l
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# openssl dhparam -out /etc/ssl/dhparam2048.pem 2048
# or fastly: curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/ssl/dhparam2048.pem
ssl_dhparam /etc/ssl/dhparam2048.pem;
# intermediate configuration
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
View Git Blame Copy Permalink