31 lines
1.2 KiB
Plaintext
31 lines
1.2 KiB
Plaintext
# Shared TLS configuration
|
|
|
|
## Use strong ciphers
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_conf_command Options PrioritizeChaCha;
|
|
|
|
## Configure ssl session cache
|
|
## Improves performance but we don't wanna keep this forever
|
|
## Session ticket creation and rotation is handled by GrapheneOS's scripts:
|
|
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
|
|
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
|
|
|
|
ssl_session_cache shared:SSL:10m; # About 40000 sessions
|
|
ssl_session_timeout 1d;
|
|
ssl_session_ticket_key session-ticket-keys/4.key;
|
|
ssl_session_ticket_key session-ticket-keys/3.key;
|
|
ssl_session_ticket_key session-ticket-keys/2.key;
|
|
ssl_session_ticket_key session-ticket-keys/1.key;
|
|
|
|
## Enable OCSP Stapling
|
|
## We will use GrapheneOS's OCSP Fetcher to get the stapling file: https://github.com/GrapheneOS/infrastructure/blob/main/certbot-ocsp-fetcher
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
|
|
## The following settings need to be declared manually per vhost:
|
|
# ssl_certificate
|
|
# ssl_certificate_key
|
|
# ssl_trusted_certificate
|
|
# ssl_stapling_file |