From 8feeb28093257bca1ebd90a474f7e6768e0fd4b9 Mon Sep 17 00:00:00 2001
From: Asif Bacchus
Date: Fri, 4 Jan 2019 02:21:32 -0700
Subject: [PATCH] ssl configuration
---
 conf.d/mozModern_ssl.conf | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 conf.d/mozModern_ssl.conf
diff --git a/conf.d/mozModern_ssl.conf b/conf.d/mozModern_ssl.conf
new file mode 100644
index 0000000..d89b0a1
--- /dev/null
+++ b/conf.d/mozModern_ssl.conf
@@ -0,0 +1,37 @@
+#######
+### NGINX SSL configuration
+### Generated with help from Mozilla Configuration Generator
+### (https://mozilla.github.io/server-side-tls/ssl-config-generator/)
+### 'Modern' profile for NGINX 1.15.8 with OpenSSL 1.1.1b HSTS optional
+### Last generated: January 4, 2019
+#######
+
+# SSL certificates should be defined in the relevant server block
+
+# SSL parameters
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# SSL ciphers
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
+ssl_prefer_server_ciphers on;
+
+# Diffie-Hellman parameter for DHE cipher suites, using 4096 bits
+ssl_dhparam /path/to/your_dhparam.pem;
+
+# HSTS -- please understand the implications of HSTS before enabling it
+# do NOT implement while still testing configurations or site parameters
+# (15768000 seconds = 6 months)
+#add_header Strict-Transport-Security max-age=15768000;
+
+# OCSP Stapling
+# fetch OCSP records from URL in ssl_certificate and cache them
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /path/to/your_CA_bundle.crt;
+
+# resolver should be specified in nginx.conf or in networking configuration
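Review bot: The `ssl_ciphers` directive in this hunk has no terminating semicolon, so nginx will read the following `ssl_prefer_server_ciphers on;` as further arguments of `ssl_ciphers` and refuse to load the file (`nginx -t` fails); the line should end `...ECDHE-RSA-AES128-SHA256';`. The comment above `ssl_dhparam` speaks of DHE cipher suites, but every suite in the list is ECDHE, so the DH parameter file is never exercised — either reword the comment to say the directive is a precaution or drop it. The hyphenated `TLS-*` entries at the head of the list are not OpenSSL cipher-list names, and with OpenSSL 1.1.1 the TLS 1.3 suites are not selected through `ssl_ciphers` at all, so those three entries appear to be inert and are best verified against the running nginx rather than trusted from the generator text. The `/path/to/...` placeholders for `ssl_dhparam` and `ssl_trusted_certificate` will also fail a config test as committed, which is fine for a template but worth stating in the header comment.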