-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
SSL advanced configuration for nginx-storage
- Loading branch information
1 parent
4d99481
commit e07bff7
Showing
4 changed files
with
36 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,32 @@ | ||
ssl_certificate /etc/ssl/secrets/nginx-storage-ssl.crt; | ||
ssl_certificate_key /etc/ssl/secrets/nginx-storage-ssl.key; | ||
|
||
# Disable SSLv3 | ||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
|
||
# Enable server-side protection | ||
ssl_prefer_server_ciphers on; | ||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; | ||
|
||
# Specify curve P-384 | ||
ssl_ecdh_curve secp384r1; | ||
|
||
# Improve ssl performence | ||
ssl_session_cache shared:SSL:10m; | ||
ssl_session_timeout 5m; | ||
|
||
# Enable OCSP stapling | ||
ssl_stapling on; | ||
ssl_stapling_verify on; | ||
|
||
# Enable HSTS | ||
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains"; | ||
|
||
# Advanced settings | ||
server_tokens off; | ||
add_header X-XSS-Protection "1; mode=block"; | ||
add_header X-Frame-Options DENY; | ||
add_header X-Content-Type-Options nosniff; | ||
|
||
# Add Diffie-Helman group | ||
ssl_dhparam /etc/ssl/secrets/nginx-storage-dhparam.pem; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters