Alan Orth
0afb8a4493
The old default has not been changed in eight years and I see that there have been some discussions over the years about this. I will change this from the slightly extreme 1400 bytes to 4k (nginx def- ault is still 16k so this is more "optimal" for HTML/CSS content). See: https://github.com/igrigorik/istlsfastyet.com/issues/63
44 lines
1.4 KiB
YAML
44 lines
1.4 KiB
YAML
---
|
|
# ansible.builtin.file: roles/nginx/defaults/main.yml
|
|
|
|
# path config
|
|
nginx_confd_path: /etc/nginx/conf.d
|
|
|
|
# parent directory of vhost roots
|
|
nginx_root_prefix: "{{ web_root_prefix }}"
|
|
|
|
# 1 hour timeout
|
|
nginx_ssl_session_timeout: 1h
|
|
# 10MB -> 40,000 sessions
|
|
nginx_ssl_session_cache: shared:SSL:10m
|
|
nginx_ssl_buffer_size: 4k
|
|
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
|
|
nginx_ssl_protocols: TLSv1.2 TLSv1.3
|
|
|
|
# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
|
|
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
|
|
nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
|
|
|
|
# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
|
|
# in seconds, see: https://hstspreload.org/
|
|
nginx_hsts_max_age: 31536000
|
|
|
|
# install acme.sh?
|
|
# true unless you're in development and using "localhost" + snakeoil certs
|
|
use_letsencrypt: true
|
|
|
|
# Directory root for Let's Encrypt certs
|
|
letsencrypt_root: /etc/ssl
|
|
|
|
# Location where to save initial acme.sh script. After installation the script
|
|
# will automatically create its home in the /root/.acme.sh directory (including
|
|
# a copy of the script itself). The initial script is not needed after.
|
|
letsencrypt_acme_script_temp: /root/acme.sh
|
|
letsencrypt_acme_home: /root/.acme.sh
|
|
|
|
# stable is 1.26.x
|
|
# mainline is 1.27.x
|
|
nginx_version: mainline
|
|
|
|
# vim: set ts=2 sw=2:
|