Page Menu
Home
DevCentral
Search
Configure Global Search
Log In
Files
F3683598
D3251.id8436.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Size
2 KB
Referenced Files
None
Subscribers
None
D3251.id8436.diff
View Options
diff --git a/roles/webserver-core/nginx/files/includes/tls-modern-only b/roles/webserver-core/nginx/files/includes/tls-modern-only
new file mode 100644
--- /dev/null
+++ b/roles/webserver-core/nginx/files/includes/tls-modern-only
@@ -0,0 +1,63 @@
+# -------------------------------------------------------------
+# nginx :: configuration :: TLS
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: Modern services with only TLS 1.3 support
+# Strategy: nginx 1.17.7, modern config, OpenSSL 1.1.1k
+# See also: https://ssl-config.mozilla.org/
+# License: Trivial work, not eligible for copyright.
+# Source file: roles/webserver-core/nginx/files/includes/tls-modern-only
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
+keepalive_timeout 70;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+# -------------------------------------------------------------
+# HSTS - HTTP Strict Transport Security
+#
+# As we provide a Let's Encrypt certificate for all our services,
+# browser should be instructed to connect directly to HTTPS.
+#
+# This is low risk, as the browser only honour this request
+# as soon as it successfully connected to HTTPS without any
+# certificate issue.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+# -------------------------------------------------------------
+# OCSP - Online Certificate Status Protocol
+#
+# To improve TLS handshake speed, and to help protecting the
+# privacy of the users connecting here, as there isn't any need
+# for them to connect to the CRL anymore, OSCP is enabled.
+#
+# The parameter `ssl_trusted_certificate` points to a bundle
+# of CA certificates, currently containing Let's Encrypt
+# intermediate and root certificates. If *any* certificate
+# is issued by another CA, their certificates must be added
+# to the bundle too.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_trusted_certificate /usr/local/share/certs/ocsp-ca-certs.pem;
+
+resolver 127.0.0.1;
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Wed, Oct 23, 13:27 (19 h, 33 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2210913
Default Alt Text
D3251.id8436.diff (2 KB)
Attached To
Mode
D3251: Provide TLS 1.3 only nginx configuration
Attached
Detach File
Event Timeline
Log In to Comment