Alan Orth
7212b87f09
I was only setting it on the PHP block, which is for all dynamic requests (i.e. pages from WordPress), but it should also be set for all static files not served from that block. Signed-off-by: Alan Orth <alan.orth@gmail.com>
{% set domain_name = item.nginx_domain_name %}
|
|
|
|
# concatenated key + cert
|
|
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
|
|
ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
|
|
ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
|
|
|
|
ssl_session_timeout 24h; # 24 hour timeout
|
|
ssl_session_cache shared:SSL:1m; # 1MB -> 4,000 sessions
|
|
ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
|
|
|
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
|
ssl_protocols {{ nginx_tls_protocols }};
|
|
ssl_ciphers "{{ tls_cipher_suite }}";
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
# OCSP stapling...
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
resolver 109.74.192.20 109.74.193.20;
|
|
|
|
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
|
|
# when a restart is performed the previous key is lost, which resets all previous
|
|
# sessions. The fix for this is to setup a manual rotation mechanism:
|
|
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
|
|
#
|
|
# Note that you'll have to define and rotate the keys securely by yourself. In absence
|
|
# of such infrastructure, consider turning off session tickets:
|
|
ssl_session_tickets off;
|
|
|
|
# enable SPDY header compression
|
|
spdy_headers_comp 6;
|
|
|
|
# Enable this if you want HSTS (recommended, but be careful)
|
|
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
|
|
# See: https://hstspreload.appspot.com/
|
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
|
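Review bot: The `add_header Strict-Transport-Security "..." always;` placed in this shared snippet only reaches a `location` block if that block declares no `add_header` of its own, because nginx does not merge `add_header` across levels — a level with any `add_header` replaces the parent's whole set. If the PHP or static-file location blocks (outside this file) set other headers, the HSTS header will silently disappear there; either repeat the directive in those blocks or keep every `add_header` in one included snippet. Separately, `ssl_certificate_key` points at the same `.crt.pem` that holds the public certificate, so the private key carries whatever permissions and handling the certificate gets; a separate key file with restrictive ownership keeps the key out of any path that copies or publishes the cert. The `preload` token combined with `max-age=15768000` (about six months) may fall below the minimum the preload list currently requires (one year); confirm against the preload site before submitting. The comment `# Enable this if you want HSTS` is now stale since the header is unconditional; consider `# HSTS is enabled unconditionally; the preload token commits all subdomains to HTTPS`.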