mirror of
https://git.wownero.com/lza_menace/neroswap.git
synced 2024-08-15 01:03:24 +00:00
23 lines
812 B
Text
23 lines
812 B
Text
## SSL Certs are referenced in the actual Nginx config per-vhost
|
|
|
|
# Disable insecure SSL v2. Also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy.
|
|
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
# Strong ciphers for PFS
|
|
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
|
|
|
|
# Use server's preferred cipher, not the client's
|
|
# ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
|
|
# Use ephemeral 4096 bit DH key for PFS
|
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
|
|
|
# Use OCSP stapling
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
resolver 8.8.8.8 8.8.4.4 valid=300s;
|
|
resolver_timeout 5s;
|
|
|
|
# Enable HTTP Strict Transport
|
|
#add_header Strict-Transport-Security "max-age=0;";
|
|
#add_header X-Frame-Options "DENY";
|