Commit 4bb19541 authored by MichiK's avatar MichiK

More SSL stuff

parent 62d0c037
......@@ -2,6 +2,9 @@ nginx_ssl_protocols: "TLSv1.3 TLSv1.2"
nginx_ssl_ciphers: "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256"
nginx_ssl_dhparam: "/etc/ssl/certs/dh4096.pem"
nginx_ssl_dhparam_bits: 4096
nginx_ssl_ecdh_curve: "secp521r1:secp384r1"
nginx_ssl_prefer_server_ciphers: true
nginx_ssl_stapling: true
nginx_https_default_headers: null
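Review bot: The default `nginx_ssl_ecdh_curve: "secp521r1:secp384r1"` leaves out X25519 and prime256v1, so a client that supports neither P-521 nor P-384 cannot negotiate any of the ECDHE suites in `nginx_ssl_ciphers` and is left with the DHE suites or a failed handshake. TLS 1.3 clients that send key shares only for X25519 or P-256 would presumably also pay an extra round trip. If the restriction is deliberate, a comment above the variable should say so. Otherwise, something like `nginx_ssl_ecdh_curve: "X25519:secp521r1:secp384r1:prime256v1"` keeps the preference order while staying interoperable, assuming the linked OpenSSL supports X25519. The variables this hunk appears to add also carry no comment on accepted values, for example `# boolean; rendered as on/off in the vhost template` above the two toggles.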
......
......@@ -6,8 +6,9 @@ listen [::]:443 ssl http2;
ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }};
ssl_ciphers {{ nginx_ssl_ciphers }};
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
ssl_prefer_server_ciphers {{ "on" if nginx_ssl_prefer_server_ciphers else "off" }};
ssl_stapling {{ "on" if nginx_ssl_stapling else "off" }};
{% if nginx_https_default_headers %}
{% for header in nginx_https_default_headers %}
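Review bot: The two new toggles use a bare Jinja truth test, `{{ "on" if nginx_ssl_stapling else "off" }}`, so an override that arrives as a string (for example `-e nginx_ssl_stapling=false` or an INI inventory value) is non-empty and still renders `on`. Coercing with the `bool` filter avoids that: `ssl_stapling {{ "on" if nginx_ssl_stapling | bool else "off" }};`, and the same for `ssl_prefer_server_ciphers`. Separately, no `ssl_stapling_verify`, `ssl_trusted_certificate` or `resolver` directive is visible in this hunk. If they are not set elsewhere in the template, enabling stapling may have no effect, or may staple unverified responses. The server block and the `{% if %}`/`{% for %}` opened at the end continue outside the hunk.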
......