authorRomain Porte <microjoe@microjoe.org>2019-10-17 15:30:07 +0200
committerRomain Porte <microjoe@microjoe.org>2019-10-17 15:30:11 +0200
commitd74f937216c9eb97711f8aa5b12f9d1c460a84b4 (patch)
treee9b89ba367f50a647b01680862a571e15d643cf9
parentd81e95e08c257ef1937425aa330321d4911a00c2 (diff)
generate dh4096, update TLS settings
-rw-r--r--files/ssl.conf18
-rw-r--r--tasks/main.yml6
2 files changed, 14 insertions, 10 deletions
diff --git a/files/ssl.conf b/files/ssl.conf
index d5b4092..de7b13b 100644
--- a/files/ssl.conf
+++ b/files/ssl.conf
@@ -1,18 +1,16 @@
+# generated 2019-10-17, https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate
+
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
+ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
-
-# modern configuration. tweak to your needs.
-ssl_protocols TLSv1.2;
-# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; # 90 score SSL Labs
-ssl_ciphers AES256+EECDH:!aNULL; # 100 score SSL Labs
-ssl_prefer_server_ciphers on;
-
-
ssl_dhparam /etc/nginx/dhparam4096.pem; # openssl dhparam -out dhparam4096.pem 4096
-ssl_ecdh_curve secp384r1;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
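Review bot: The HSTS directive on the hunk's last line was left as it was even though the new header comment says the file is generated from the Mozilla intermediate profile, and it lacks the `always` parameter, so nginx adds Strict-Transport-Security only on 2xx/3xx responses and error pages served over TLS carry no HSTS at all. The generator's output for that line, as of the cited date, is `add_header Strict-Transport-Security "max-age=63072000" always;` (two years rather than six months); if the shorter max-age is deliberate, keep it but add `always`, and keep the `15768000 seconds = 6 months` comment in step with whatever value is chosen. The same generator also emits `ssl_stapling on;`, `ssl_stapling_verify on;` plus `ssl_trusted_certificate` and `resolver` lines for OCSP stapling; if those are not configured elsewhere in the role, the "generated" comment overstates what this snippet contains. Note that `ssl_dhparam` only affects the TLS 1.2 DHE-RSA-* suites newly added to the cipher list (TLS 1.3 negotiates its own named groups), so the 4096-bit group makes each of those handshakes noticeably more expensive than the ffdhe2048 group the profile is sized for.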
diff --git a/tasks/main.yml b/tasks/main.yml
index 1246b09..e876fcb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -7,6 +7,12 @@
- nginx
state: present
+- name: Generate DH param4096 key
+ command: openssl dhparam -out dhparam4096.pem 4096
+ args:
+ chdir: /etc/nginx/
+ creates: dhparam4096.pem
+
- name: Install nginx snippets
copy:
src: files/ssl.conf
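Review bot: The new `command: openssl dhparam -out dhparam4096.pem 4096` task can run for many minutes on a typical host with no progress output, and it generates a bespoke 4096-bit group while the Mozilla profile that files/ssl.conf now cites is written for the fixed RFC 7919 ffdhe2048 group (the generator suggests `curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem`), which the DHE-RSA suites in the new cipher list are sized for and which needs no entropy-hungry generation on the host. If the 4096-bit group is intentional, say so above the task, e.g. `# slow (minutes): generates a fresh 4096-bit DH group; only the TLS 1.2 DHE suites use it`. The `creates: dhparam4096.pem` guard is a relative path and is only correct if the module applies `chdir` before evaluating `creates`, which I believe recent Ansible releases do but older ones did not; an absolute `creates: /etc/nginx/dhparam4096.pem` does not depend on that ordering and matches the path `ssl_dhparam` uses in ssl.conf.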