25 lines
1.0 KiB
Plaintext
25 lines
1.0 KiB
Plaintext
# Hardening from https://cipherli.st/
|
|
ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
|
|
ssl_prefer_server_ciphers on;
|
|
# thanks, myself
|
|
# dhparam.pem generation needs to be added to ansible when nginx is
|
|
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
|
|
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
|
|
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
|
|
ssl_session_timeout 10m;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_tickets off; # Requires nginx >= 1.5.9
|
|
#resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
|
|
#resolver_timeout 5s;
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
|
# X-Frame-Options disabled because nextcloud pdf preview
|
|
#add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Robots-Tag none;
|
|
|
|
# Requires nginx >= 1.3.7
|
|
# Set to "on" at cipherli.st
|
|
ssl_stapling off;
|
|
ssl_stapling_verify off;
|