From e916998bb29c0adf0e75eb3c62ebeb7e9df1268c Mon Sep 17 00:00:00 2001 From: Pierre Jaury Date: Fri, 19 Aug 2016 15:07:16 +0200 Subject: [PATCH] Apply the BetterCrypto nginx configuration, related to #45 --- nginx/nginx.conf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/nginx/nginx.conf b/nginx/nginx.conf index eb700a4e..11e459de 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -20,14 +20,18 @@ http { listen 80; listen 443 ssl; + # TLS configuration hardened according to: + # https://bettercrypto.org/static/applied-crypto-hardening.pdf ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'; ssl_prefer_server_ciphers on; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; ssl_certificate /certs/cert.pem; ssl_certificate_key /certs/key.pem; + add_header Strict-Transport-Security max-age=15768000; + if ($scheme = http) { return 301 https://$host$request_uri; }