Nginx Configuration File

# ----------------------------------------------------------------------
# | SSL engine |
# ----------------------------------------------------------------------

# (1) Optimize SSL by caching session parameters for 24 hours.
# This cuts down on the number of expensive SSL handshakes.
# By enabling a cache, we tell the client to re-use the already
# negotiated state.
# Here 10m (10 MB) in ssl_session_cache is a size value (not a time).
# A 1 MB cache can store about 4000 sessions, so we can store 40000 sessions.
#
# (2) Use a higher keepalive timeout to reduce the need for repeated handshakes.
# (!) Shouldn't be done unless you serve primarily HTTPS.
# Default is 75s.
#
# (3) SSL buffer size
# Set 1400 bytes to fit in one MTU.
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
#
# (4) Disable session tickets
# Session ticket keys are not auto-rotated. Only a HUP / restart will do
# so, and when a restart is performed the previous key is lost, which resets
# all previous sessions.
# Only enable session tickets if you set up a manual rotation mechanism.
# https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#
# (5) The TLS 1.2 and 1.3 ciphers in use in current policies are not considered
# dangerous. This directive lets the client choose the one that best fits their needs.
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
# https://wiki.mozilla.org/Security/Server_Side_TLS

# (1)
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:10m;

# (2)
keepalive_timeout 300s;

# (3)
# ssl_buffer_size 1400;

# (4)
ssl_session_tickets off;

# (5)
ssl_prefer_server_ciphers off;
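As an added example (not part of the configuration file above), a small Python check that parses the session-related directives discussed here and reports deviations from the hardened settings: tickets left on without an `ssl_session_ticket_key`, a missing session cache, or the server overriding client cipher preference. The two sample configs are constructed; the 4000-sessions-per-MB capacity estimate is the one stated in the comments above.

```python
import re
from typing import Dict, List

# Constructed samples: the hardened one mirrors the directives in the file above,
# the weak one leaves tickets on (the nginx default) and drops the cache.
HARDENED_CONF = """
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:10m;
keepalive_timeout 300s;
ssl_session_tickets off;
ssl_prefer_server_ciphers off;
"""
WEAK_CONF = """
ssl_session_timeout 5m;
ssl_session_tickets on;          # keys only rotate on HUP / restart
ssl_prefer_server_ciphers on;
"""

def parse_directives(conf: str) -> Dict[str, str]:
    """Map directive name -> value for simple 'name value;' lines, comments stripped."""
    found: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(";"):
            name, _, value = line[:-1].partition(" ")
            found[name] = value.strip()
    return found

def cache_capacity(value: str) -> int:
    """Approximate sessions held by 'shared:<name>:<size>' (~4000 per MB, per the comments)."""
    m = re.fullmatch(r"shared:\w+:(\d+)([kKmM]?)", value)
    if not m:
        return 0
    size, unit = int(m.group(1)), m.group(2).lower()
    megabytes = size if unit == "m" else size / 1024 if unit == "k" else size / 1024 ** 2
    return int(megabytes * 4000)

def audit(conf: str) -> List[str]:
    """Return findings for the TLS session settings this file tunes; empty list means OK."""
    d = parse_directives(conf)
    findings: List[str] = []
    # nginx defaults to tickets on; without ssl_session_ticket_key rotation a restart invalidates sessions.
    if d.get("ssl_session_tickets", "on") != "off" and "ssl_session_ticket_key" not in d:
        findings.append("ssl_session_tickets on without ssl_session_ticket_key rotation")
    if "ssl_session_cache" not in d:
        findings.append("no ssl_session_cache: every connection pays a full handshake")
    if d.get("ssl_prefer_server_ciphers", "off") == "on":
        findings.append("ssl_prefer_server_ciphers on: server overrides client cipher preference")
    return findings
```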