From af07bb7c0afad053ebca1654d4e4e585319a46f5 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Thu, 14 Mar 2019 11:53:55 +0100
Subject: [PATCH] Better SSL conf
---
 .../templates/nginx/snippets/proxy-common-ssl.conf.j2 | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
index 1385eb0..3c670a1 100644
--- a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
+++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
@@ -14,10 +14,13 @@ real_ip_header P-Real-Ip;
 # SSL
 ssl on;
 ssl_session_timeout 5m;
-ssl_ciphers "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!DES:!3DES";
-ssl_prefer_server_ciphers off;
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256-GCM-SHA256:!AES256-GCM-SHA128:!aNULL:!MD5";
+ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
+# Use more secure ECDH curve
+ssl_ecdh_curve secp521r1:secp384r1;
+
 # In buster we will be able to use TLSv1.3
 ssl_protocols TLSv1.2;
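Review bot: The added `ssl_ecdh_curve secp521r1:secp384r1;` removes X25519 and prime256v1 (P-256), the groups most clients offer first, so clients that only support those cannot negotiate an ECDHE suite and will either fall back to the DH+ suites or fail, and secp521r1 itself is not accepted by every mainstream browser, so the "more secure" comment buys little in practice. Unless P-521 is a compliance requirement, `ssl_ecdh_curve X25519:secp384r1;` (or nginx's `auto` default) keeps the strength without the compatibility cost; X25519 needs OpenSSL 1.1.0 or later, so confirm the library on the target hosts. In the new cipher string, `!AES256-GCM-SHA256` and `!AES256-GCM-SHA128` do not correspond to OpenSSL cipher names as far as I can tell (the TLS 1.2 AES-256-GCM suite is `AES256-GCM-SHA384`), so they are no-ops and can be dropped; the static-RSA suites are already excluded because only the ECDH+ and DH+ families are listed. The DH+ entries only yield usable DHE suites when an `ssl_dhparam` with a strong group is configured, which this hunk does not show; if the snippet has none elsewhere, either add one or drop the DH+ entries. The hunk's trailing context may continue past the end of the text shown here.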