Page MenuHomeDevCentral

D3251.id8350.diff
No OneTemporary

D3251.id8350.diff

diff --git a/roles/webserver-core/nginx/files/includes/tls-modern-only b/roles/webserver-core/nginx/files/includes/tls-modern-only
new file mode 100644
--- /dev/null
+++ b/roles/webserver-core/nginx/files/includes/tls-modern-only
@@ -0,0 +1,63 @@
+# -------------------------------------------------------------
+# nginx :: configuration :: TLS
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: Modern services with only TLS 1.3 support
+# Strategy: nginx 1.17.7, modern config, OpenSSL 1.1.1k
+# See also: https://ssl-config.mozilla.org/
+# License: Trivial work, not eligible for copyright.
+# Source file: roles/webserver-core/nginx/files/includes/tls-modern-only
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
+keepalive_timeout 70;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+# -------------------------------------------------------------
+# HSTS - HTTP Strict Transport Security
+#
+# As we provide a Let's Encrypt certificate for all our services,
+# browser should be instructed to connect directly to HTTPS.
+#
+# This is low risk, as the browser only honour this request
+# as soon as it successfully connected to HTTPS without any
+# certificate issue.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+# -------------------------------------------------------------
+# OCSP - Online Certificate Status Protocol
+#
+# To improve TLS handshake speed, and to help protecting the
+# privacy of the users connecting here, as there isn't any need
+# for them to connect to the CRL anymore, OSCP is enabled.
+#
+# The parameter `ssl_trusted_certificate` points to a bundle
+# of CA certificates, currently containing Let's Encrypt
+# intermediate and root certificates. If *any* certificate
+# is issued by another CA, their certificates must be added
+# to the bundle too.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_trusted_certificate /usr/local/share/certs/ocsp-ca-certs.pem;
+
+resolver 127.0.0.1;

File Metadata

Mime Type
text/plain
Expires
Fri, Nov 22, 02:57 (10 h, 46 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2255626
Default Alt Text
D3251.id8350.diff (2 KB)

Event Timeline