From fb11981e8a932e1133f286755d036cf552f965dd Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 14 Mar 2019 12:25:27 +0100 Subject: [PATCH] Follow Mozilla guidelines --- .../nginx/snippets/proxy-common-ssl.conf.j2 | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 index 3c670a1..50f4977 100644 --- a/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 +++ b/roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2 @@ -11,22 +11,22 @@ server_tokens off; set_real_ip_from 10.128.0.0/16; real_ip_header P-Real-Ip; -# SSL +# SSL based on https://mozilla.github.io/server-side-tls/ssl-config-generator/ ssl on; -ssl_session_timeout 5m; -ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256-GCM-SHA256:!AES256-GCM-SHA128:!aNULL:!MD5"; +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; +ssl_protocols TLSv1.2; +ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"; ssl_prefer_server_ciphers on; -ssl_session_cache shared:SSL:10m; +add_header Strict-Transport-Security max-age=15768000; + +# OCSP Stapling, +ssl_stapling on; +ssl_stapling_verify on; # Use more secure ECDH curve ssl_ecdh_curve secp521r1:secp384r1; -# In buster we will be able to use TLSv1.3 -ssl_protocols TLSv1.2; - # Executer "cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096" avant d'activer ssl_dhparam /etc/ssl/certs/dhparam.pem; - -# Enable OCSP Stapling, point to certificate chain -ssl_stapling on; -ssl_stapling_verify on;