2014-09-13 22:16:54 +02:00
|
|
|
{% set domain_name = item.nginx_domain_name %}
|
2014-09-06 20:32:37 +02:00
|
|
|
|
2014-09-13 22:16:54 +02:00
|
|
|
# concatenated key + cert
|
|
|
|
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
|
|
|
|
ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
|
|
|
|
ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
|
2014-09-06 20:32:37 +02:00
|
|
|
|
|
|
|
ssl_session_timeout 5m;
|
2014-12-06 20:17:52 +01:00
|
|
|
ssl_session_cache shared:SSL:1m; # 1MB -> 4,000 sessions
|
|
|
|
ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
|
|
|
|
|
2014-09-06 20:32:37 +02:00
|
|
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
|
|
|
ssl_protocols {{ nginx_tls_protocols }};
|
|
|
|
ssl_ciphers "{{ tls_cipher_suite }}";
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
|
|
|
|
# Enable this if you want HSTS (recommended, but be careful)
|
2014-10-06 09:46:04 +02:00
|
|
|
add_header Strict-Transport-Security max-age=15768000;
|
2014-09-06 20:32:37 +02:00
|
|
|
|