fix config

make HSTS more strict & longer
http to https redirect do use wildcard for domain
2021-10-05 01:20:25 +02:00 · 2021-10-05 01:13:52 +02:00 · 2021-10-03 03:30:56 +02:00 · 2021-10-03 03:30:27 +02:00 · 2021-10-03 03:19:13 +02:00 · 2021-07-20 07:05:11 +00:00
5 changed files with 9 additions and 12 deletions
--- a/nginx.conf
+++ b/nginx.conf
@@ -29,8 +29,7 @@ http {
 	# SSL Settings
 	##

-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
-	ssl_prefer_server_ciphers on;
+	include /etc/nginx/snippets/ssl_options.conf;

 	##
 	# Logging Settings
--- a/sites-available/default
+++ b/sites-available/default
@@ -8,11 +8,10 @@ server {
  server_name my.domain.com;

  ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
-	ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem;
-	include /etc/nginx/snippets/ssl_options.conf;
+  ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem;

-	client_max_body_size 5M;
-	client_body_buffer_size 256K;
+  client_max_body_size 5M;
+  client_body_buffer_size 256K;

  sendfile on;
  send_timeout 600s;
--- a/sites-available/http_2_https
+++ b/sites-available/http_2_https
@@ -2,7 +2,7 @@ server {
 	listen 80 default_server;
 	listen [::]:80 default_server ipv6only=on;

-	server_name *.de ;
+	server_name _ ;

 	include /etc/nginx/snippets/letsencrypt.conf;

--- a/sites-available/nextcloud
+++ b/sites-available/nextcloud
@@ -9,7 +9,6 @@ server {

  ssl_certificate /etc/letsencrypt/live/cloud.domain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/cloud.domain.com/privkey.pem;
-  include /etc/nginx/snippets/ssl_options.conf;

  client_body_in_file_only clean;
  client_body_buffer_size 128K;
--- a/snippets/ssl_options.conf
+++ b/snippets/ssl_options.conf
@@ -1,15 +1,15 @@
 ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
+ssl_session_cache shared:TLS:1m;
 ssl_session_tickets off;

-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ssl_protocols TLSv1.3 TLSv1.2;
+ssl_ciphers 'EECDH+AESGCM:EECDH+AES256 !aNULL:!MD5';
 ssl_prefer_server_ciphers on;
 ssl_dhparam /etc/ssl/certs/dhparam.pem;

 ssl_stapling on;
 ssl_stapling_verify on;

-add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
Author	SHA1	Message	Date
6543	d7d183fdf6	fix config	2021-10-05 01:20:25 +02:00
6543	3b66195deb	make HSTS more strict & longer	2021-10-05 01:13:52 +02:00
6543	c77fce86a8	http to https redirect do use wildcard for domain	2021-10-03 03:30:56 +02:00
6543	62d947ca70	format config	2021-10-03 03:30:27 +02:00
6543	5ff7de70e7	set ssl_options snippet at global config	2021-10-03 03:19:13 +02:00
ahab	2c52a3e11a	Update ssl_options; new ciphers etc (#2 ) Update ciphers, update cache to only use TLS Closes #1 Co-authored-by: dbraeuer@bounty <d.braeuer@heinlein-support.de> Reviewed-on: 6543/nginx_config#2 Co-authored-by: ahab <obermui@schoeneberge.eu> Co-committed-by: ahab <obermui@schoeneberge.eu>	2021-07-20 07:05:11 +00:00