Modernize TLS configuration

This commit is contained in:
Léo Colombaro 2021-06-14 12:43:22 +02:00
parent f6e5a123e2
commit 688348a5fd
10 changed files with 28 additions and 58 deletions

View File

@ -15,9 +15,9 @@ server {
server_name _; server_name _;
include h5bp/ssl/ssl_engine.conf; include h5bp/tls/ssl_engine.conf;
include h5bp/ssl/certificate_files.conf; include h5bp/tls/certificate_files.conf;
include h5bp/ssl/policy_intermediate.conf; include h5bp/tls/policy_balanced.conf;
return 444; return 444;
} }

View File

@ -15,9 +15,9 @@ server {
server_name www.example.com; server_name www.example.com;
include h5bp/ssl/ssl_engine.conf; include h5bp/tls/ssl_engine.conf;
include h5bp/ssl/certificate_files.conf; include h5bp/tls/certificate_files.conf;
include h5bp/ssl/policy_intermediate.conf; include h5bp/tls/policy_balanced.conf;
return 301 $scheme://example.com$request_uri; return 301 $scheme://example.com$request_uri;
} }
@ -32,9 +32,9 @@ server {
# The host name to respond to # The host name to respond to
server_name example.com; server_name example.com;
include h5bp/ssl/ssl_engine.conf; include h5bp/tls/ssl_engine.conf;
include h5bp/ssl/certificate_files.conf; include h5bp/tls/certificate_files.conf;
include h5bp/ssl/policy_intermediate.conf; include h5bp/tls/policy_balanced.conf;
# Path for static files # Path for static files
root /var/www/example.com/public; root /var/www/example.com/public;

View File

@ -1,30 +0,0 @@
# ----------------------------------------------------------------------
# | SSL policy - Deprecated |
# ----------------------------------------------------------------------
# For services that don't need compatibility with legacy clients (mostly WinXP),
# but still need to support a wide range of clients, this configuration is
# recommended.
#
# Protect against the BEAST and POODLE attacks by not using SSLv3 at all.
# If you need to support older browsers (IE6) you may need to add SSLv3 to the
# list of protocols.
#
# Based on intermediate profile recommended by Mozilla.
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
#
# (1) Diffie-Hellman parameter for DHE cipher suites
# A 4096 bits or more DH parameter is recommended.
# (!) A DH parameter generation is required to enable this directive.
# openssl dhparam -out /etc/nginx/dhparam.pem 4096
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
# (1)
# ssl_dhparam /etc/nginx/dhparam.pem;

View File

@ -1,13 +1,9 @@
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# | SSL policy - Intermediate | # | SSL policy - Balanced |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# For services that don't need backward compatibility, the parameters below # For services that need to support a wide range of clients, this configuration
# provide a higher level of security. # is raisonnably balanced.
#
# (!) This policy enforces a mildly strong SSL configuration, which may raise
# errors with old clients.
# If a more compatible profile is required, use the "deprecated" policy.
# #
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak # (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
# and potentially vulnerable but are required to support Microsoft Edge # and potentially vulnerable but are required to support Microsoft Edge

View File

@ -1,9 +1,13 @@
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# | SSL policy - Modern | # | SSL policy - Strict |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# For services that want to be on the bleeding edge, the parameters below # For services that don't need backward compatibility, the parameters below
# sacrifice compatibility for the highest level of security and performance. # provide the highest level of security and performance.
#
# (!) This policy enforces a strong TLS configuration, which may raise
# errors with old clients.
# If a more compatible profile is required, use the "balanced" policy.
# #
# (!) TLSv1.3 and its 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1 # (!) TLSv1.3 and its 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
# to be installed. # to be installed.

View File

@ -14,9 +14,9 @@ server {
server_name _; server_name _;
include h5bp/ssl/ssl_engine.conf; include h5bp/tls/ssl_engine.conf;
include h5bp/ssl/certificate_files.conf; include h5bp/tls/certificate_files.conf;
include h5bp/ssl/policy_intermediate.conf; include h5bp/tls/policy_balanced.conf;
return 444; return 444;
} }

View File

@ -4,9 +4,9 @@ server {
server_name www.secure.server.localhost; server_name www.secure.server.localhost;
include h5bp/ssl/ssl_engine.conf; include h5bp/tls/ssl_engine.conf;
include h5bp/ssl/certificate_files.conf; include h5bp/tls/certificate_files.conf;
include h5bp/ssl/policy_intermediate.conf; include h5bp/tls/policy_balanced.conf;
return 301 $scheme://secure.server.localhost$request_uri; return 301 $scheme://secure.server.localhost$request_uri;
} }
@ -17,9 +17,9 @@ server {
server_name secure.server.localhost; server_name secure.server.localhost;
include h5bp/ssl/ssl_engine.conf; include h5bp/tls/ssl_engine.conf;
include h5bp/ssl/certificate_files.conf; include h5bp/tls/certificate_files.conf;
include h5bp/ssl/policy_intermediate.conf; include h5bp/tls/policy_balanced.conf;
root /var/www/server.localhost; root /var/www/server.localhost;