You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
24 lines
1.1 KiB
24 lines
1.1 KiB
# from https://cipherli.st/
|
|
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
# https://ssl-config.mozilla.org & https://observatory.mozilla.org
|
|
# https://securityheaders.com
|
|
# TLSv1.2
|
|
ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
|
|
ssl_prefer_server_ciphers off;
|
|
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
|
|
#ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_tickets off;
|
|
ssl_stapling off; # Turn on Prod systems
|
|
ssl_stapling_verify off;
|
|
resolver 127.0.0.1 valid=300s;
|
|
resolver_timeout 5s;
|
|
# Disable preloading HSTS for now. You can use the commented out header line that includes
|
|
# the "preload" directive if you understand the implications.
|
|
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
|
|
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
|
|
|
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
|
|
|
# IMPORTANT: disable HSTS in dev (or explicitly clear it)
|
|
add_header Strict-Transport-Security "max-age=0" always;
|
|
|