Alan Orth
5c7404d228
Apparently the "always" syntax isn't used anymore (ever?), not sure where I got it from but this definitely causes HSTS to not work. See: https://mozilla.github.io/server-side-tls/ssl-config-generator/ See: https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html Signed-off-by: Alan Orth <alan.orth@gmail.com>
40 lines
1.6 KiB
Django/Jinja
40 lines
1.6 KiB
Django/Jinja
{% set domain_name = item.nginx_domain_name %}
|
|
|
|
# concatenated key + cert
|
|
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
|
|
ssl_certificate {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
|
|
ssl_certificate_key {{ tls_key_dir }}/{{ domain_name }}.crt.pem;
|
|
|
|
ssl_session_timeout 24h; # 24 hour timeout
|
|
ssl_session_cache shared:SSL:1m; # 1MB -> 4,000 sessions
|
|
ssl_buffer_size 1400; # 1400 bytes to fit in one MTU
|
|
|
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
|
ssl_protocols {{ nginx_tls_protocols }};
|
|
ssl_ciphers "{{ tls_cipher_suite }}";
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
{# don't use OCSP stapling if we're using a self-signed cert #}
|
|
{% if tls_cert is defined %}
|
|
# OCSP stapling...
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
resolver 208.67.222.222 208.67.220.220;
|
|
{% endif %}
|
|
|
|
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
|
|
# when a restart is performed the previous key is lost, which resets all previous
|
|
# sessions. The fix for this is to setup a manual rotation mechanism:
|
|
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
|
|
#
|
|
# Note that you'll have to define and rotate the keys securely by yourself. In absence
|
|
# of such infrastructure, consider turning off session tickets:
|
|
ssl_session_tickets off;
|
|
|
|
# enable SPDY header compression
|
|
spdy_headers_comp 6;
|
|
|
|
# Enable this if you want HSTS (recommended, but be careful)
|
|
add_header Strict-Transport-Security max-age=15768000;
|
|
|