diff --git a/conf.d/ssl.conf b/conf.d/ssl.conf new file mode 100644 index 0000000..4de6d82 --- /dev/null +++ b/conf.d/ssl.conf @@ -0,0 +1,12 @@ +ssl_prefer_server_ciphers on; +# not possible to do exclusive +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'; + +ssl_dhparam /etc/ssl/private/dhparams.pem; + +# add HSTS Header +add_header Strict-Transport-Security max-age=15768000; # six months +# Use a SSL/TLS cache for SSL session resume. +ssl_session_cache shared:SSL:10m; +ssl_session_timeout 10m; diff --git a/nginx.conf b/nginx.conf index f1937aa..3174048 100644 --- a/nginx.conf +++ b/nginx.conf @@ -21,19 +21,6 @@ http { } proxy_cache_path /var/lib/nginx/cache keys_zone=statusATro01:10m; - - ssl_prefer_server_ciphers on; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive - ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES2\ -56:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-\ -SHA:CAMELLIA128-SHA:AES128-SHA'; - ssl_dhparam /etc/ssl/private/dhparams.pem; - - add_header Strict-Transport-Security max-age=15768000; # six months - ## Use a SSL/TLS cache for SSL session resume. - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - # setzt die Variable php_https abhängig davon ob es sich um eine https Verbindung handelt, ist für die Weitergabe an php map $scheme $php_https { default off; https on; }