gaja-group
/
server-configs-nginx
mirror of https://github.com/h5bp/server-configs-nginx
2
0
Fork 0
Code Issues Releases Wiki Activity

Improve SSL directives declarations, order and descriptions

This commit is contained in:
Léo Colombaro 2018-12-02 12:47:06 +01:00
parent 5a2f750c53
commit 86d8ed33ca
No known key found for this signature in database
GPG Key ID: 687B480A6D4F735F
3 changed files with 35 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
h5bp/ssl/policy_intermediate.conf
View File

@ -17,6 +17,5 @@
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html # https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
ssl_prefer_server_ciphers on;

4
h5bp/ssl/policy_modern.conf
View File

@ -19,6 +19,6 @@
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES; ssl_ciphers EECDH+CHACHA20:EECDH+AES;
# (1) # (1)
ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1; ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
ssl_prefer_server_ciphers on;

50
h5bp/ssl/ssl_engine.conf
View File

@ -2,30 +2,42 @@
# | SSL engine | # | SSL engine |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes. # (1) Optimize SSL by caching session parameters for 10 minutes.
# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection. # This cuts down on the number of expensive SSL handshakes.
# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state. # By enabling a cache, we tell the client to re-use the already
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS. # negotiated state.
# A 1Mb cache can hold about 4000 sessions, so we can hold 40000 sessions.
# #
# A 1Mb cache can hold about 4000 sessions, so we can hold 40000 sessions # (2) Use a higher keepalive timeout to reduce the need for repeated handshakes
# (!) Shouldn't be done unless you serve primarily HTTPS.
# Default is 75s
#
# (3) SSL buffer size
# Set 1400 bytes to fit in one MTU
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
#
# (4) Disable session tickets
# Session tickets keys are not auto-rotated. Only a HUP / restart
# will do so and when a restart is performed the previous key is
# lost, which resets all previous sessions.
# Only enable session tickets if you setup a manual rotation mechanism.
# https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#
# (5) Basic security improvements
# (1)
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h; ssl_session_timeout 24h;
# SSL buffer size # (2)
# 1400 bytes to fit in one MTU keepalive_timeout 300s;
# (3)
# ssl_buffer_size 1400; # ssl_buffer_size 1400;
# Session tickets # (4)
#
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off; ssl_session_tickets off;
# Use a higher keepalive timeout to reduce the need for repeated handshakes # (5)
# Default: 75s ssl_prefer_server_ciphers on;
keepalive_timeout 300s;