roles/nginx: Disable SSL session tickets
Session tickets increase performance, but decrease security, so let's just turn them off. See the following posts: - https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ - https://www.imperialviolet.org/2013/06/27/botchingpfs.html - https://github.com/igrigorik/istlsfastyet.com/blob/master/nginx/includes/ssl.conf Signed-off-by: Alan Orth <alan.orth@gmail.com>
This commit is contained in:
parent
23d76a535f
commit
15603ba9e8
@ -14,6 +14,15 @@
|
||||
ssl_ciphers "{{ tls_cipher_suite }}";
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
|
||||
# when a restart is performed the previous key is lost, which resets all previous
|
||||
# sessions. The fix for this is to setup a manual rotation mechanism:
|
||||
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
|
||||
#
|
||||
# Note that you'll have to define and rotate the keys securely by yourself. In absence
|
||||
# of such infrastructure, consider turning off session tickets:
|
||||
ssl_session_tickets off;
|
||||
|
||||
# Enable this if you want HSTS (recommended, but be careful)
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user