turn off ssl session tickets
Stolen from istlsfastyet.com's config. It is probably a more logical default to turn off session tickets, given the diff linked in the comment block.
parent
08d4bbbd04
commit
d996d2da0c
|
@ -13,6 +13,15 @@ ssl_prefer_server_ciphers on;
|
|||
ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
|
||||
ssl_session_timeout 10m;
|
||||
|
||||
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
|
||||
# when a restart is performed the previous key is lost, which resets all previous
|
||||
# sessions. The fix for this is to setup a manual rotation mechanism:
|
||||
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
|
||||
#
|
||||
# Note that you'll have to define and rotate the keys securely by yourself. In absence
|
||||
# of such infrastructure, consider turning off session tickets:
|
||||
ssl_session_tickets off;
|
||||
|
||||
# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
|
||||
# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
|
||||
#ssl_certificate /etc/nginx/default_ssl.crt;
|
||||
|
|
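Review bot: The comment block above `ssl_session_tickets off;` presents the missing key rotation only as an operational problem (sessions reset on restart) and never states the security reason for the new default. With tickets enabled and no rotation, every ticket issued since the last reload is protected by one long-lived in-memory key, so disclosure of that key exposes the session secrets of all those connections and undoes the forward secrecy of the negotiated cipher suites; I would add `# An unrotated ticket key weakens forward secrecy: whoever obtains it can decrypt every session whose ticket it protected.` The comment could also say that `ssl_session_tickets` requires nginx 1.5.9 or later, since older builds reject the directive at config test. It is worth noting there too that resumption still works through the `ssl_session_cache` above, with `ssl_session_timeout 10m` bounding how long session secrets stay in server memory.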