7x31/nginxconfig.io
1
0
Fork 0
mirror of https://github.com/digitalocean/nginxconfig.io.git synced 2025-08-09 05:38:16 +08:00
Code Issues Packages Projects Releases Wiki Activity

implemented SSL profiles (with HSTS)

Browse Source 
based on Mozilla SSL Configuration Generator and hstspreload.org
This commit is contained in:
Szekeres Bálint
2018-03-10 13:39:05 +01:00
parent 3396047a5c
commit 9e0eb0095c
5 changed files with 90 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
public/templates/commands.html
View File

@@ -1,15 +1,16 @@
<!--
✔ HTTPS --><span ng-if="isHTTPS()"><!--
✔ HTTPS --><span ng-if="isHTTPS() && !isSSLProfileModern()"><!--
--><span class="hljs-comment"># <strong>HTTPS</strong>: create Diffie-Hellman keys</span>
<span class="hljs-section">openssl dhparam</span> <span class="hljs-attribute">-dsaparam</span> <span class="hljs-attribute">-out</span> /etc/nginx/dhparam.pem <span class="hljs-number">2048</span><!--
<span class="hljs-section">openssl dhparam</span> <span class="hljs-attribute">-dsaparam</span> <span class="hljs-attribute">-out</span> /etc/nginx/dhparam.pem <span class="hljs-number">{{ isSSLProfileOld() ? 1024 : 2048 }}</span><!--
--></span><!--
--><span ng-if="isCertLetsEncrypt()">
</span></span><!--
✔ Let's Encrypt --><span ng-if="isCertLetsEncrypt()">
<span class="hljs-comment"># <strong>HTTPS</strong>: create ACME-challenge common directory</span>
✔ Let's Encrypt --><span ng-if="isCertLetsEncrypt()"><!--
--><span class="hljs-comment"># <strong>HTTPS</strong>: create ACME-challenge common directory</span>
<span class="hljs-section">sudo</span> <span class="hljs-attribute">-u</span> {{ data.user }} <span class="hljs-section">sh</span> <span class="hljs-attribute">-c</span> "<span class="hljs-section">mkdir</span> <span class="hljs-attribute">-p</span> /var/www/_letsencrypt"
<span class="hljs-comment"># <strong>HTTPS</strong>: certbot (obtain certificates)<br># disable before first run: <strong>ssl_certificate</strong>, <strong>ssl_certificate_key</strong>, <strong>ssl_trusted_certificate</strong></span>

21
public/templates/conf/_ssl.conf.html
View File

@@ -1,18 +1,21 @@
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.1.0g&hsts=yes&profile=intermediate
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_session_tickets off;<!--
✘ SSLProfileModern --><span ng-if="!isSSLProfileModern()">
# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_dhparam /etc/nginx/dhparam.pem;</span>
# intermediate configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# {{ data.ssl_profile }} configuration
ssl_protocols {{ sslProfiles[ data.ssl_profile ].protocols }};
ssl_ciphers {{ sslProfiles[ data.ssl_profile ].ciphers }};
ssl_prefer_server_ciphers on;<!--
# HSTS
add_header Strict-Transport-Security "max-age=15768000" always;
HSTS--><span ng-if="isHSTS()">
# HSTS (1 year, preload)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;</span>
# OCSP Stapling
ssl_stapling on;