Léo Colombaro
parent
3472f5ab0e
commit
d2531ac605
|
|
@ -0,0 +1,30 @@
|
|||
# ----------------------------------------------------------------------
|
||||
# | SSL policy - Deprecated |
|
||||
# ----------------------------------------------------------------------
|
||||
|
||||
# For services that don't need compatibility with legacy clients
|
||||
# (mostly WinXP), but still need to support a wide range of clients,
|
||||
# this configuration is recommended.
|
||||
#
|
||||
# Protect against the BEAST and POODLE attacks by not using SSLv3 at all.
|
||||
# If you need to support older browsers (IE6) you may need to add
|
||||
# SSLv3 to the list of protocols.
|
||||
#
|
||||
# Based on intermediate profile recommended by Mozilla.
|
||||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||
#
|
||||
# (1) Diffie-Hellman parameter for DHE cipher suites
|
||||
# A 4096 bits or more DH parameter is recommended.
|
||||
# (!) A DH parameter generation is required to enable this directive.
|
||||
# openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
||||
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
|
||||
#
|
||||
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||||
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
|
||||
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
||||
|
||||
# (1)
|
||||
# ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
|
|
@ -1,45 +0,0 @@
|
|||
# ----------------------------------------------------------------------
|
||||
# | SSL policy - Future |
|
||||
# ----------------------------------------------------------------------
|
||||
|
||||
# For services that want to be on the bleeding edge, the parameters
|
||||
# below sacrifice compatibility for the highest level of security & performance
|
||||
#
|
||||
# (!) TLSv1.3 and it's 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
|
||||
# to be installed.
|
||||
#
|
||||
# (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are
|
||||
# subject to replay attacks.
|
||||
#
|
||||
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
|
||||
# and potentially vulnerable.
|
||||
#
|
||||
# Add them back to the parameter `ssl_ecdh_curve` below to support
|
||||
# Microsoft Edge and Safari.
|
||||
#
|
||||
# https://safecurves.cr.yp.to/
|
||||
#
|
||||
# (2) Enables TLS 1.3 0-RTT, allows for faster resumption of TLS sessions.
|
||||
#
|
||||
# (!) Requests sent within early data are subject to replay attacks.
|
||||
# To protect against such attacks at the application layer, the
|
||||
# $ssl_early_data variable should be used:
|
||||
# proxy_set_header Early-Data $ssl_early_data;
|
||||
#
|
||||
# The application should return response code 425 for anything that
|
||||
# could contain user supplied data.
|
||||
#
|
||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425
|
||||
#
|
||||
# https://github.com/certbot/certbot/issues/6367
|
||||
# https://github.com/mozilla/server-side-tls/issues/217
|
||||
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
||||
|
||||
# (1)
|
||||
ssl_ecdh_curve X25519;
|
||||
|
||||
# (2)
|
||||
#ssl_early_data on;
|
||||
|
|
@ -2,29 +2,23 @@
|
|||
# | SSL policy - Intermediate |
|
||||
# ----------------------------------------------------------------------
|
||||
|
||||
# For services that don't need compatibility with legacy clients
|
||||
# (mostly WinXP), but still need to support a wide range of clients,
|
||||
# this configuration is recommended.
|
||||
# For services that don't need backward compatibility, the parameters
|
||||
# below provide a higher level of security.
|
||||
#
|
||||
# Protect against the BEAST and POODLE attacks by not using SSLv3 at all.
|
||||
# If you need to support older browsers (IE6) you may need to add
|
||||
# SSLv3 to the list of protocols.
|
||||
# (!) This policy enfore a strong SSL configuration, which may raise
|
||||
# errors with old clients.
|
||||
# If a more compatible profile is required, use intermediate policy.
|
||||
#
|
||||
# Based on intermediate profile recommended by Mozilla.
|
||||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||
#
|
||||
# (1) Diffie-Hellman parameter for DHE cipher suites
|
||||
# A 4096 bits or more DH parameter is recommended.
|
||||
# (!) A DH parameter generation is required to enable this directive.
|
||||
# openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
||||
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
|
||||
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known
|
||||
# to be weak and potentially vulnerable but are required to support
|
||||
# Microsoft Edge and Safari.
|
||||
# https://safecurves.cr.yp.to/
|
||||
#
|
||||
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||||
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
|
||||
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
||||
|
||||
# (1)
|
||||
# ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
||||
|
|
|
|||
|
|
@ -2,23 +2,44 @@
|
|||
# | SSL policy - Modern |
|
||||
# ----------------------------------------------------------------------
|
||||
|
||||
# For services that don't need backward compatibility, the parameters
|
||||
# below provide a higher level of security.
|
||||
# For services that want to be on the bleeding edge, the parameters
|
||||
# below sacrifice compatibility for the highest level of security & performance
|
||||
#
|
||||
# (!) This policy enfore a strong SSL configuration, which may raise
|
||||
# errors with old clients.
|
||||
# If a more compatible profile is required, use intermediate policy.
|
||||
# (!) TLSv1.3 and it's 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
|
||||
# to be installed.
|
||||
#
|
||||
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known
|
||||
# to be weak and potentially vulnerable but are required to support
|
||||
# (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are
|
||||
# subject to replay attacks.
|
||||
#
|
||||
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
|
||||
# and potentially vulnerable.
|
||||
#
|
||||
# Add them back to the parameter `ssl_ecdh_curve` below to support
|
||||
# Microsoft Edge and Safari.
|
||||
#
|
||||
# https://safecurves.cr.yp.to/
|
||||
#
|
||||
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||||
# (2) Enables TLS 1.3 0-RTT, allows for faster resumption of TLS sessions.
|
||||
#
|
||||
# (!) Requests sent within early data are subject to replay attacks.
|
||||
# To protect against such attacks at the application layer, the
|
||||
# $ssl_early_data variable should be used:
|
||||
# proxy_set_header Early-Data $ssl_early_data;
|
||||
#
|
||||
# The application should return response code 425 for anything that
|
||||
# could contain user supplied data.
|
||||
#
|
||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425
|
||||
#
|
||||
# https://github.com/certbot/certbot/issues/6367
|
||||
# https://github.com/mozilla/server-side-tls/issues/217
|
||||
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
||||
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
||||
|
||||
# (1)
|
||||
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
||||
ssl_ecdh_curve X25519;
|
||||
|
||||
# (2)
|
||||
#ssl_early_data on;
|
||||
|
|
|
|||
Loading…
Reference in New Issue