Léo Colombaro
parent
3472f5ab0e
commit
d2531ac605
|
|
@ -0,0 +1,30 @@
|
||||||
|
# ----------------------------------------------------------------------
|
||||||
|
# | SSL policy - Deprecated |
|
||||||
|
# ----------------------------------------------------------------------
|
||||||
|
|
||||||
|
# For services that don't need compatibility with legacy clients
|
||||||
|
# (mostly WinXP), but still need to support a wide range of clients,
|
||||||
|
# this configuration is recommended.
|
||||||
|
#
|
||||||
|
# Protect against the BEAST and POODLE attacks by not using SSLv3 at all.
|
||||||
|
# If you need to support older browsers (IE6) you may need to add
|
||||||
|
# SSLv3 to the list of protocols.
|
||||||
|
#
|
||||||
|
# Based on intermediate profile recommended by Mozilla.
|
||||||
|
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||||
|
#
|
||||||
|
# (1) Diffie-Hellman parameter for DHE cipher suites
|
||||||
|
# A 4096 bits or more DH parameter is recommended.
|
||||||
|
# (!) A DH parameter generation is required to enable this directive.
|
||||||
|
# openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
||||||
|
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
|
||||||
|
#
|
||||||
|
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||||||
|
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||||
|
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
|
||||||
|
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
||||||
|
|
||||||
|
# (1)
|
||||||
|
# ssl_dhparam /etc/nginx/dhparam.pem;
|
||||||
|
|
@ -1,45 +0,0 @@
|
||||||
# ----------------------------------------------------------------------
|
|
||||||
# | SSL policy - Future |
|
|
||||||
# ----------------------------------------------------------------------
|
|
||||||
|
|
||||||
# For services that want to be on the bleeding edge, the parameters
|
|
||||||
# below sacrifice compatibility for the highest level of security & performance
|
|
||||||
#
|
|
||||||
# (!) TLSv1.3 and it's 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
|
|
||||||
# to be installed.
|
|
||||||
#
|
|
||||||
# (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are
|
|
||||||
# subject to replay attacks.
|
|
||||||
#
|
|
||||||
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
|
|
||||||
# and potentially vulnerable.
|
|
||||||
#
|
|
||||||
# Add them back to the parameter `ssl_ecdh_curve` below to support
|
|
||||||
# Microsoft Edge and Safari.
|
|
||||||
#
|
|
||||||
# https://safecurves.cr.yp.to/
|
|
||||||
#
|
|
||||||
# (2) Enables TLS 1.3 0-RTT, allows for faster resumption of TLS sessions.
|
|
||||||
#
|
|
||||||
# (!) Requests sent within early data are subject to replay attacks.
|
|
||||||
# To protect against such attacks at the application layer, the
|
|
||||||
# $ssl_early_data variable should be used:
|
|
||||||
# proxy_set_header Early-Data $ssl_early_data;
|
|
||||||
#
|
|
||||||
# The application should return response code 425 for anything that
|
|
||||||
# could contain user supplied data.
|
|
||||||
#
|
|
||||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425
|
|
||||||
#
|
|
||||||
# https://github.com/certbot/certbot/issues/6367
|
|
||||||
# https://github.com/mozilla/server-side-tls/issues/217
|
|
||||||
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
|
||||||
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
|
||||||
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
|
||||||
|
|
||||||
# (1)
|
|
||||||
ssl_ecdh_curve X25519;
|
|
||||||
|
|
||||||
# (2)
|
|
||||||
#ssl_early_data on;
|
|
||||||
|
|
@ -2,29 +2,23 @@
|
||||||
# | SSL policy - Intermediate |
|
# | SSL policy - Intermediate |
|
||||||
# ----------------------------------------------------------------------
|
# ----------------------------------------------------------------------
|
||||||
|
|
||||||
# For services that don't need compatibility with legacy clients
|
# For services that don't need backward compatibility, the parameters
|
||||||
# (mostly WinXP), but still need to support a wide range of clients,
|
# below provide a higher level of security.
|
||||||
# this configuration is recommended.
|
|
||||||
#
|
#
|
||||||
# Protect against the BEAST and POODLE attacks by not using SSLv3 at all.
|
# (!) This policy enfore a strong SSL configuration, which may raise
|
||||||
# If you need to support older browsers (IE6) you may need to add
|
# errors with old clients.
|
||||||
# SSLv3 to the list of protocols.
|
# If a more compatible profile is required, use intermediate policy.
|
||||||
#
|
#
|
||||||
# Based on intermediate profile recommended by Mozilla.
|
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known
|
||||||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
# to be weak and potentially vulnerable but are required to support
|
||||||
#
|
# Microsoft Edge and Safari.
|
||||||
# (1) Diffie-Hellman parameter for DHE cipher suites
|
# https://safecurves.cr.yp.to/
|
||||||
# A 4096 bits or more DH parameter is recommended.
|
|
||||||
# (!) A DH parameter generation is required to enable this directive.
|
|
||||||
# openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
|
||||||
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
|
|
||||||
#
|
#
|
||||||
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||||||
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_protocols TLSv1.2;
|
||||||
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
|
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
||||||
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
|
||||||
|
|
||||||
# (1)
|
# (1)
|
||||||
# ssl_dhparam /etc/nginx/dhparam.pem;
|
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
||||||
|
|
|
||||||
|
|
@ -2,23 +2,44 @@
|
||||||
# | SSL policy - Modern |
|
# | SSL policy - Modern |
|
||||||
# ----------------------------------------------------------------------
|
# ----------------------------------------------------------------------
|
||||||
|
|
||||||
# For services that don't need backward compatibility, the parameters
|
# For services that want to be on the bleeding edge, the parameters
|
||||||
# below provide a higher level of security.
|
# below sacrifice compatibility for the highest level of security & performance
|
||||||
#
|
#
|
||||||
# (!) This policy enfore a strong SSL configuration, which may raise
|
# (!) TLSv1.3 and it's 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
|
||||||
# errors with old clients.
|
# to be installed.
|
||||||
# If a more compatible profile is required, use intermediate policy.
|
|
||||||
#
|
#
|
||||||
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known
|
# (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are
|
||||||
# to be weak and potentially vulnerable but are required to support
|
# subject to replay attacks.
|
||||||
|
#
|
||||||
|
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
|
||||||
|
# and potentially vulnerable.
|
||||||
|
#
|
||||||
|
# Add them back to the parameter `ssl_ecdh_curve` below to support
|
||||||
# Microsoft Edge and Safari.
|
# Microsoft Edge and Safari.
|
||||||
|
#
|
||||||
# https://safecurves.cr.yp.to/
|
# https://safecurves.cr.yp.to/
|
||||||
#
|
#
|
||||||
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
# (2) Enables TLS 1.3 0-RTT, allows for faster resumption of TLS sessions.
|
||||||
|
#
|
||||||
|
# (!) Requests sent within early data are subject to replay attacks.
|
||||||
|
# To protect against such attacks at the application layer, the
|
||||||
|
# $ssl_early_data variable should be used:
|
||||||
|
# proxy_set_header Early-Data $ssl_early_data;
|
||||||
|
#
|
||||||
|
# The application should return response code 425 for anything that
|
||||||
|
# could contain user supplied data.
|
||||||
|
#
|
||||||
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425
|
||||||
|
#
|
||||||
|
# https://github.com/certbot/certbot/issues/6367
|
||||||
|
# https://github.com/mozilla/server-side-tls/issues/217
|
||||||
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||||
|
|
||||||
ssl_protocols TLSv1.2;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
||||||
|
|
||||||
# (1)
|
# (1)
|
||||||
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
ssl_ecdh_curve X25519;
|
||||||
|
|
||||||
|
# (2)
|
||||||
|
#ssl_early_data on;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue