titanz/NGINX-Configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use strong ciphers for proxies

Browse Source
This commit is contained in:
Tommy
2025-01-03 07:22:40 -07:00
committed by GitHub
parent 662d06a701
commit 71a7618b1c
1 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
etc/nginx/conf.d/default.conf
View File

@@ -9,6 +9,14 @@ ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-EC
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha; ssl_conf_command Options PrioritizeChaCha;
# Use strong ciphers for proxies
proxy_ssl_verify on;
proxy_ssl_server_name on;
proxy_ssl_session_reuse on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
proxy_ssl_conf_command Options PrioritizeChaCha;
## Configure ssl session cache ## Configure ssl session cache
## Improves performance but we don't wanna keep this forever ## Improves performance but we don't wanna keep this forever
## Session ticket creation and rotation is handled by GrapheneOS's scripts: ## Session ticket creation and rotation is handled by GrapheneOS's scripts:
@@ -22,11 +30,6 @@ ssl_session_ticket_key session-ticket-keys/3.key;
ssl_session_ticket_key session-ticket-keys/2.key; ssl_session_ticket_key session-ticket-keys/2.key;
ssl_session_ticket_key session-ticket-keys/1.key; ssl_session_ticket_key session-ticket-keys/1.key;
## Enable HSTS header
proxy_hide_header Strict-Transport-Security;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
## The following settings need to be declared manually per vhost: ## The following settings need to be declared manually per vhost:
## ssl_certificate ## ssl_certificate
## ssl_certificate_key ## ssl_certificate_key