move ssl config to a seperate file
This commit is contained in:
AD7six
parent
5142e91ecf
commit
029ff47286
|
|
@ -0,0 +1,18 @@
|
|||
# Protect against the BEAST attack by preferring RC4-SHA when using SSLv3 and TLS protocols.
|
||||
# Note that TLSv1.1 and TLSv1.2 are immune to the beast attack but only work with OpenSSL v1.0.1 and higher and has limited client support.
|
||||
# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
|
||||
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
|
||||
# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
|
||||
# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
|
||||
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
|
||||
ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
|
||||
ssl_session_timeout 10m;
|
||||
|
||||
# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
|
||||
# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
|
||||
#ssl_certificate /etc/nginx/default_ssl.crt;
|
||||
#ssl_certificate_key /etc/nginx/default_ssl.key;
|
||||
19
nginx.conf
19
nginx.conf
|
|
@ -118,24 +118,7 @@ http {
|
|||
# a specific directory, or on an individual server{} level.
|
||||
# gzip_static on;
|
||||
|
||||
# Protect against the BEAST attack by preferring RC4-SHA when using SSLv3 and TLS protocols.
|
||||
# Note that TLSv1.1 and TLSv1.2 are immune to the beast attack but only work with OpenSSL v1.0.1 and higher and has limited client support.
|
||||
# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
|
||||
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
|
||||
# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
|
||||
# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
|
||||
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
|
||||
ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
|
||||
ssl_session_timeout 10m;
|
||||
|
||||
# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
|
||||
# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
|
||||
#ssl_certificate /etc/nginx/default_ssl.crt;
|
||||
#ssl_certificate_key /etc/nginx/default_ssl.key;
|
||||
include h5bp/directive-only/ssl.conf;
|
||||
|
||||
include sites-enabled/*;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue