author | Guilhem Moulin <guilhem@fripost.org> | 2015-12-15 02:15:50 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-12-15 02:15:55 +0100 |
commit | b483d2050147115dce151d669c537bcb1776164e (patch) | |
tree | 33261df9053cef2830b8ceb09b202b9bf3d30919 /roles/common-web/files/etc/nginx/include.d/ssl | |
parent | ea7372eb8a2fa66b08ec37b030a098998e0aa47d (diff) |
nginx: s/conf.d/include.d/
Diffstat (limited to 'roles/common-web/files/etc/nginx/include.d/ssl')
-rw-r--r-- | roles/common-web/files/etc/nginx/include.d/ssl | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/roles/common-web/files/etc/nginx/include.d/ssl b/roles/common-web/files/etc/nginx/include.d/ssl
new file mode 100644
index 0000000..26a64f4
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/include.d/ssl
@@ -0,0 +1,20 @@
+ssl on;
+
+# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
+keepalive_timeout 75 75;
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:5m;
+
+# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
+# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
+# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
+# in favor of RC4, but that's not satisfactory either since RC4 has
+# other weaknesses.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
+ssl_dhparam /etc/ssl/private/dhparams.pem;
+ssl_prefer_server_ciphers on;
+
+# Strict Transport Security header for enhanced security. See
+# http://www.chromium.org/sts.
+add_header Strict-Transport-Security "max-age=15552000"; |
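Review bot: The HSTS header on the last line is easy to lose silently, because nginx only inherits `add_header` directives from an enclosing block when the inner server/location block declares none of its own, so any vhost that includes this file and also adds e.g. a cache header will drop Strict-Transport-Security without warning. The file should say so next to the directive, e.g. `# NOTE: add_header is not merged across levels; any block that sets its own add_header must repeat this line.` The header is also only emitted for 2xx/3xx responses unless the `always` parameter is given (`add_header Strict-Transport-Security "max-age=15552000" always;`), so error pages served over TLS go out without it. Separately, the `ssl_ciphers` list relies on `@STRENGTH` ordering, which sorts by key length rather than by key-exchange type, so with `ssl_prefer_server_ciphers on` non-forward-secret RSA suites can rank above ECDHE ones; a one-line comment stating whether forward secrecy is a goal here would help the next editor.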