nginx/server: Use mozilla recommended ssl settings
This commit is contained in:
parent
55855d7c15
commit
7febf3bda5
2 changed files with 8 additions and 2 deletions
3
roles/nginx/server/meta/main.yml
Normal file
3
roles/nginx/server/meta/main.yml
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
dependencies:
|
||||
- {role: dhparams}
|
||||
|
|
@ -21,10 +21,13 @@ http {
|
|||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m;
|
||||
ssl_session_tickets off;
|
||||
ssl_protocols {{ tls_protocols }};
|
||||
ssl_ciphers {{ tls_ciphers }};
|
||||
ssl_dhparam {{ tls_certs }}/ffdhe3072.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt;
|
||||
proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key;
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue