improvement(nginx): Adjust nginx template to proper SSL/TLS cipher & protocols

Fixes: #97
author: Florian Paul Azim Hoberg 2024-01-05 21:31:11 +0100
committer: Florian Paul Azim Hoberg 2024-01-05 21:31:11 +0100
commit: f86f688a10a2db3c2264c75eb11d93e0394b9682 (patch)
tree: 6e805558fe2a5df4267541f353e0343c2f2d5270 /examples/nginx-alpine-ssl/default.conf
parent: dequeue() unlinks the file, even if it's been unable to parse it. (diff)
download: penes-snac2-f86f688a10a2db3c2264c75eb11d93e0394b9682.tar.gz
penes-snac2-f86f688a10a2db3c2264c75eb11d93e0394b9682.tar.xz
penes-snac2-f86f688a10a2db3c2264c75eb11d93e0394b9682.zip
1 files changed, 25 insertions, 0 deletions
diff --git a/examples/nginx-alpine-ssl/default.conf b/examples/nginx-alpine-ssl/default.conf
index 22db0df..c3131f0 100644
--- a/examples/nginx-alpine-ssl/default.conf
+++ b/examples/nginx-alpine-ssl/default.conf
@@ -3,8 +3,33 @@ server {
    listen [::]:80 default_server;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
+    # SSL configuration
+    # SSL cert/key files
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+    # For production regenerate this dhparam key by running:
+    # $> openssl dhparam -out dhparam.pem 4096
+    ssl_dhparam /etc/ssl/private/dhparam.pem;
+    # SSL ciphers/protocols
+    ssl_protocols TLSv1.3 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ecdh_curve secp521r1:secp384r1;
+    ssl_ciphers EECDH+AESGCM:EECDH+AES256;
+    # SSL misc
+    ssl_session_cache shared:TLS:2m;
+    ssl_buffer_size 4k;
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
+    # Set HSTS to 365 days
+    # Note: Activate this on production usage
+    #add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
    location /.well-known/webfinger {
        proxy_http_version      1.1;
author	Florian Paul Azim Hoberg	2024-01-05 21:31:11 +0100
committer	Florian Paul Azim Hoberg	2024-01-05 21:31:11 +0100
commit	f86f688a10a2db3c2264c75eb11d93e0394b9682 (patch)
tree	6e805558fe2a5df4267541f353e0343c2f2d5270 /examples/nginx-alpine-ssl/default.conf
parent	dequeue() unlinks the file, even if it's been unable to parse it. (diff)
download	penes-snac2-f86f688a10a2db3c2264c75eb11d93e0394b9682.tar.gz penes-snac2-f86f688a10a2db3c2264c75eb11d93e0394b9682.tar.xz penes-snac2-f86f688a10a2db3c2264c75eb11d93e0394b9682.zip

diff --git a/examples/nginx-alpine-ssl/default.conf b/examples/nginx-alpine-ssl/default.conf index 22db0df..c3131f0 100644 --- a/examples/nginx-alpine-ssl/default.conf +++ b/examples/nginx-alpine-ssl/default.conf
@@ -3,8 +3,33 @@ server {
3	listen [::]:80 default_server;	3	listen [::]:80 default_server;
4	listen 443 ssl http2 default_server;	4	listen 443 ssl http2 default_server;
5	listen [::]:443 ssl http2 default_server;	5	listen [::]:443 ssl http2 default_server;
		6
		7	# SSL configuration
		8	# SSL cert/key files
6	ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;	9	ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
7	ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;	10	ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
		11	# For production regenerate this dhparam key by running:
		12	# $> openssl dhparam -out dhparam.pem 4096
		13	ssl_dhparam /etc/ssl/private/dhparam.pem;
		14
		15	# SSL ciphers/protocols
		16	ssl_protocols TLSv1.3 TLSv1.2;
		17	ssl_prefer_server_ciphers on;
		18	ssl_ecdh_curve secp521r1:secp384r1;
		19	ssl_ciphers EECDH+AESGCM:EECDH+AES256;
		20
		21	# SSL misc
		22	ssl_session_cache shared:TLS:2m;
		23	ssl_buffer_size 4k;
		24
		25	# OCSP stapling
		26	ssl_stapling on;
		27	ssl_stapling_verify on;
		28	resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare
		29
		30	# Set HSTS to 365 days
		31	# Note: Activate this on production usage
		32	#add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
8		33
9	location /.well-known/webfinger {	34	location /.well-known/webfinger {
10	proxy_http_version 1.1;	35	proxy_http_version 1.1;