|
|
@ -386,6 +386,34 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
|
|
|
|
matrix_ssl_pre_obtaining_required_service_name: ~
|
|
|
|
matrix_ssl_pre_obtaining_required_service_name: ~
|
|
|
|
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
|
|
|
matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Nginx Optimize SSL Session
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# ssl_session_cache:
|
|
|
|
|
|
|
|
# - Creating a cache of TLS connection parameters reduces the number of handshakes
|
|
|
|
|
|
|
|
# and thus can improve the performance of application.
|
|
|
|
|
|
|
|
# - Default session cache is not optimal as it can be used by only one worker process
|
|
|
|
|
|
|
|
# and can cause memory fragmentation. It is much better to use shared cache.
|
|
|
|
|
|
|
|
# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# ssl_session_timeout:
|
|
|
|
|
|
|
|
# - Nginx by default it is set to 5 minutes which is very low.
|
|
|
|
|
|
|
|
# should be like 4h or 1d but will require you to increase the size of cache.
|
|
|
|
|
|
|
|
# - Learn More:
|
|
|
|
|
|
|
|
# https://github.com/certbot/certbot/issues/6903
|
|
|
|
|
|
|
|
# https://github.com/mozilla/server-side-tls/issues/198
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# ssl_session_tickets:
|
|
|
|
|
|
|
|
# - In case of session tickets, information about session is given to the client.
|
|
|
|
|
|
|
|
# Enabling this improve performance also make Perfect Forward Secrecy useless.
|
|
|
|
|
|
|
|
# - If you would instead like to use ssl_session_tickets by yourself, you can set
|
|
|
|
|
|
|
|
# matrix_nginx_proxy_ssl_session_tickets_off false.
|
|
|
|
|
|
|
|
# - Learn More: https://github.com/mozilla/server-side-tls/issues/135
|
|
|
|
|
|
|
|
#
|
|
|
|
|
|
|
|
# Presets are taken from Mozilla's Server Side TLS Recommended configurations
|
|
|
|
|
|
|
|
matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m"
|
|
|
|
|
|
|
|
matrix_nginx_proxy_ssl_session_timeout: "1d"
|
|
|
|
|
|
|
|
matrix_nginx_proxy_ssl_session_tickets_off: true
|
|
|
|
|
|
|
|
|
|
|
|
# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
|
|
|
|
# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
|
|
|
|
# OCSP stapling can provide a performance boost of up to 30%
|
|
|
|
# OCSP stapling can provide a performance boost of up to 30%
|
|
|
|
# nginx web server supports OCSP stapling since version 1.3.7.
|
|
|
|
# nginx web server supports OCSP stapling since version 1.3.7.
|
|
|
|