| author | Guilhem Moulin <guilhem@fripost.org> | 2013-12-15 22:54:56 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:26 +0200 | 
| commit | 540779286a899dee846784a8ffd0fdab756ac1e3 (patch) | |
| tree | 74aa5483d2e9215306f32d1425a539ecad36ab96 /roles/common-web/files/etc/nginx/ssl | |
| parent | faee1bbc276b63a81f3b81eae0f02bcaffabca6d (diff) | |
Common web configuration.
Diffstat (limited to 'roles/common-web/files/etc/nginx/ssl')
| -rw-r--r-- | roles/common-web/files/etc/nginx/ssl/config | 19 | 
1 files changed, 19 insertions, 0 deletions
diff --git a/roles/common-web/files/etc/nginx/ssl/config b/roles/common-web/files/etc/nginx/ssl/config
new file mode 100644
index 0000000..863961b
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/ssl/config
@@ -0,0 +1,19 @@
+ssl on;
+
+# See http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
+keepalive_timeout 			75 75;
+ssl_session_timeout			5m;
+ssl_session_cache 			shared:SSL:5m;
+
+# XXX: Ideally we want to get rid of TLSv1, to be immune to the BEAST
+# attack. Sadly as of 2013 many clients don't support TLSv1.2, though.
+# The alternative would be to reject BEAST-vulnerable ciphers from TLSv1
+# in favor of RC4, but that's not satisfactory either since RC4 has
+# other weaknesses.
+ssl_protocols 				SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 				HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!MD5:@STRENGTH;
+ssl_prefer_server_ciphers 	on;
+
+# Strict Transport Security header for enhanced security. See
+# http://www.chromium.org/sts.
+add_header Strict-Transport-Security "max-age=12960000";
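Review bot: `ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;` leaves SSLv3 enabled even though the XXX comment above it only weighs dropping TLSv1, and SSLv3 is the weakest protocol in that list; a client that offers nothing newer is still accepted, so the server has no floor above SSLv3. The author date is 2013 but the commit date is mid-2015, and by then SSLv3 was widely considered unsafe to offer, so the line should read `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` with the XXX comment extended by a sentence recording that SSLv3 was removed and why. Separately, the HSTS line relies on nginx's `add_header` inheritance, which is lost in any nested `server`/`location` block that declares its own `add_header`; a one-line comment such as `# NOTE: add_header is not inherited by blocks that set their own headers; re-declare HSTS there.` would save a future maintainer a silent regression.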
