|
|
@@ -135,27 +135,33 @@ http {
|
|
|
text/x-component;
|
|
|
# text/html is always compressed by HttpGzipModule
|
|
|
|
|
|
-
|
|
|
- ### SSL ###
|
|
|
-
|
|
|
# This should be turned on if you are going to have pre-compressed copies (.gz) of
|
|
|
# static files available. If not it should be left off as it will cause extra I/O
|
|
|
# for the check. It is best if you enable this in a location{} block for
|
|
|
# a specific directory, or on an individual server{} level.
|
|
|
# gzip_static on;
|
|
|
|
|
|
- # Protect against the BEAST attack by preferring RC4-SHA when using SSLv3 and TLS protocols.
|
|
|
- # Note that TLSv1.1 and TLSv1.2 are immune to the beast attack but only work with OpenSSL v1.0.1 and higher and has limited client support.
|
|
|
- ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
|
|
|
- ssl_ciphers RC4:HIGH:!aNULL:!MD5;
|
|
|
+
|
|
|
+ ### SSL ###
|
|
|
+
|
|
|
+ # Diffie-Hellman parameter for DHE ciphersuites
|
|
|
+ ssl_dhparam /etc/ssl/private/dh2048.pem;
|
|
|
+
|
|
|
+{% if nginx_ssl_strengthened %}
|
|
|
+ ssl_protocols TLSv1.1 TLSv1.2;
|
|
|
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
|
|
+{% else %}
|
|
|
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
|
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
|
|
+{% endif %}
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
|
|
- # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
|
|
|
+ # Optimize SSL by caching session parameters for 5 minutes. This cuts down on the number of expensive SSL handshakes.
|
|
|
# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
|
|
|
# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
|
|
|
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
|
|
|
ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
|
|
|
- ssl_session_timeout 10m;
|
|
|
+ ssl_session_timeout 5m;
|
|
|
|
|
|
# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
|
|
|
# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
|
|
|
@@ -168,12 +174,6 @@ http {
|
|
|
#passenger_root /usr;
|
|
|
#passenger_ruby /usr/bin/ruby;
|
|
|
|
|
|
-
|
|
|
- ### Naxsi ###
|
|
|
-
|
|
|
- #include /etc/nginx/naxsi_core.rules;
|
|
|
-
|
|
|
-
|
|
|
### Extended configuration ###
|
|
|
|
|
|
# More configuration parameters
|
