Apply the BetterCrypto nginx configuration, related to #45

master
Pierre Jaury 8 years ago
parent 3d1e5523d4
commit e916998bb2

@ -20,14 +20,18 @@ http {
listen 80; listen 80;
listen 443 ssl; listen 443 ssl;
# TLS configuration hardened according to:
# https://bettercrypto.org/static/applied-crypto-hardening.pdf
ssl_protocols TLSv1.1 TLSv1.2; ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_timeout 5m; ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_certificate /certs/cert.pem; ssl_certificate /certs/cert.pem;
ssl_certificate_key /certs/key.pem; ssl_certificate_key /certs/key.pem;
add_header Strict-Transport-Security max-age=15768000;
if ($scheme = http) { if ($scheme = http) {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }

Loading…
Cancel
Save