aurore/ansible
aurore/ansible
11
2
Fork 0
Code Issues 1 Pull requests 13 Releases Wiki Activity

Better SSL conf

Browse source
This commit is contained in:
Alexandre Iooss 2019-03-14 11:53:55 +01:00
parent a8fa5d69ff
commit af07bb7c0a
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
View file

@ -14,10 +14,13 @@ real_ip_header P-Real-Ip;
# SSL # SSL
ssl on; ssl on;
ssl_session_timeout 5m; ssl_session_timeout 5m;
ssl_ciphers "HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!DES:!3DES"; ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256-GCM-SHA256:!AES256-GCM-SHA128:!aNULL:!MD5";
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
# Use more secure ECDH curve
ssl_ecdh_curve secp521r1:secp384r1;
# In buster we will be able to use TLSv1.3 # In buster we will be able to use TLSv1.3
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;