51 lines
1.8 KiB
Nginx Configuration File
51 lines
1.8 KiB
Nginx Configuration File
# ----------------------------------------------------------------------
|
|
# | SSL policy - Strict |
|
|
# ----------------------------------------------------------------------
|
|
|
|
# For services that don't need backward compatibility, the parameters below
|
|
# provide the highest level of security and performance.
|
|
#
|
|
# (!) This policy enforces a strong TLS configuration, which may raise
|
|
# errors with old clients.
|
|
# If a more compatible profile is required, use the "balanced" policy.
|
|
#
|
|
# (!) TLSv1.3 and its 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
|
|
# to be installed.
|
|
#
|
|
# (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are
|
|
# subject to replay attacks.
|
|
#
|
|
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
|
|
# and potentially vulnerable.
|
|
#
|
|
# Add them back to the parameter `ssl_ecdh_curve` below to support
|
|
# Microsoft Edge and Safari.
|
|
#
|
|
# https://safecurves.cr.yp.to/
|
|
#
|
|
# (2) Enables TLS 1.3 0-RTT, allows for faster resumption of TLS sessions.
|
|
#
|
|
# (!) Requests sent within early data are subject to replay attacks.
|
|
# To protect against such attacks at the application layer, the
|
|
# `$ssl_early_data` variable should be used:
|
|
#
|
|
# proxy_set_header Early-Data $ssl_early_data;
|
|
#
|
|
# The application should return response code 425 "Too Early" for anything
|
|
# that could contain user supplied data.
|
|
#
|
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425
|
|
#
|
|
# https://github.com/certbot/certbot/issues/6367
|
|
# https://github.com/mozilla/server-side-tls/issues/217
|
|
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
|
|
|
# (1)
|
|
ssl_ecdh_curve X25519;
|
|
|
|
# (2)
|
|
#ssl_early_data on;
|