Skip to content

Commit 71dc63a

Browse files
classabbyampDuncaen
classabbyamp
authored and
Duncaen
committed
services/pkg/nginx: update ssl conf based on recommendations from mozilla
https://ssl-config.mozilla.org/#server=nginx&version=1.28.0&config=intermediate&openssl=3.5.0&hsts=false&guideline=5.7
1 parent f520a88 commit 71dc63a

File tree

1 file changed

+2
-1
lines changed

1 file changed

+2
-1
lines changed

services/pkg/nginx/ssl.conf

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,8 @@ ssl_dhparam /etc/nginx/dhparam.pem;
77

88
# intermediate configuration
99
ssl_protocols TLSv1.2 TLSv1.3;
10-
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
10+
ssl_ecdh_curve X25519:prime256v1:secp384r1;
11+
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
1112
ssl_prefer_server_ciphers off;
1213

1314
# OCSP stapling

0 commit comments

Comments
 (0)