# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0f&hsts=yes&profile=modern
# Session resumption: tickets are disabled below, so resumption relies on the
# shared server-side cache only (50m, entries kept up to 1d).
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;


# modern configuration. tweak to your needs.
# NOTE(review): TLSv1.2 only. The generator link above targets OpenSSL 1.1.0f,
# which predates TLSv1.3; on OpenSSL 1.1.1+ builds "TLSv1.2 TLSv1.3" can be used.
ssl_protocols TLSv1.2;
# NOTE(review): the first six suites are AEAD (GCM / CHACHA20-POLY1305); the
# last four (*-AES256-SHA384, *-AES128-SHA256 without GCM) are CBC-mode suites
# kept for compatibility. Drop them if only AEAD suites are wanted.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
# NOTE(review): ssl_stapling_verify only verifies the stapled response when the
# issuer chain is supplied via ssl_trusted_certificate; that directive is not in
# this snippet -- confirm it is set alongside ssl_certificate.
ssl_stapling on;
ssl_stapling_verify on;
# Replace with your own resolvers if preferred
# This example is using UncensoredDNS, see https://uncensoreddns.org/ for details.
# These resolvers are what nginx uses for the OCSP fetches enabled above;
# valid=300s overrides the answer TTL with a 5 minute cache.
# NOTE(review): queries to these public resolvers are plain DNS over the
# network; a local or organisation-controlled resolver is the usual preference.
resolver 91.239.100.100 89.233.43.71 valid=300s;
# Give up on a resolver query after 5s (applies to the OCSP lookups above).
resolver_timeout 5s;

# NOTE(review): add_header is inherited by a lower level only if that level
# declares no add_header of its own -- any server/location that adds its own
# headers must repeat this one or nosniff is silently lost there.
add_header X-Content-Type-Options nosniff;

# DH parameters are only used by DHE suites; the cipher list above is
# ECDHE-only, so this file is not consulted unless the list is changed.
ssl_dhparam /etc/ssl/certs/dhparam.pem;

# User-agent Blocklist
# https://wiki.lelux.fi/nginx#useragent-blocklist
#
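# include snippets/useragent-blocklist/nginx.conf;

# Block dotfiles, except .well-known
# Regex locations are tried in order of appearance and the first match wins,
# so the .well-known exception must stay above the deny rule.
# The allow regex is anchored to the URI start and to a trailing slash: the
# unanchored form "/\.well-known" also matched the string anywhere in the
# path (e.g. "/.hidden/.well-known" or "/.well-knownXYZ"), which widened the
# exception beyond the ACME-style "/.well-known/..." paths it is meant for.
location ~ ^/\.well-known/ {
    allow all;
}

# Any other path component starting with a dot (.git, .env, .htaccess, ...).
location ~ /\. {
    deny all;
}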