62 lines
1.7 KiB
Plaintext
62 lines
1.7 KiB
Plaintext
# Use http2
|
|
http2 on;
|
|
|
|
# Shared TLS configuration
|
|
|
|
## Use strong ciphers
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_conf_command Options PrioritizeChaCha;
|
|
|
|
# Use strong ciphers for proxies
|
|
proxy_ssl_verify on;
|
|
proxy_ssl_server_name on;
|
|
proxy_ssl_session_reuse on;
|
|
proxy_ssl_protocols TLSv1.2 TLSv1.3;
|
|
proxy_ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
|
|
proxy_ssl_conf_command Options PrioritizeChaCha;
|
|
|
|
## Configure ssl session cache
|
|
## Improves performance but we don't wanna keep this forever
|
|
## Session ticket creation and rotation is handled by GrapheneOS's scripts:
|
|
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
|
|
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
|
|
|
|
ssl_session_cache shared:SSL:10m; # About 40000 sessions
|
|
ssl_session_timeout 1d;
|
|
ssl_session_ticket_key session-ticket-keys/4.key;
|
|
ssl_session_ticket_key session-ticket-keys/3.key;
|
|
ssl_session_ticket_key session-ticket-keys/2.key;
|
|
ssl_session_ticket_key session-ticket-keys/1.key;
|
|
|
|
## The following settings need to be declared manually per vhost:
|
|
## ssl_certificate
|
|
## ssl_certificate_key
|
|
## ssl_trusted_certificate
|
|
## ssl_stapling_file
|
|
|
|
# Cookie flags
|
|
proxy_cookie_flags ~ secure;
|
|
|
|
# Disable compression
|
|
## Mitigates oracle attacks
|
|
gzip off;
|
|
|
|
# Disable server tokens
|
|
server_tokens off;
|
|
|
|
server {
|
|
listen ipv4_1:80 default_server;
|
|
listen [ipv6_1]:80 default_server;
|
|
|
|
include snippets/universal_paths.conf;
|
|
|
|
# Don't send headers
|
|
add_header "" "";
|
|
|
|
location / {
|
|
return 308 https://$host$request_uri;
|
|
}
|
|
}
|