First!

2021-08-20 18:20:53 -04:00
parent 7fc11199a6
commit b0d5f884aa
17 changed files with 242 additions and 0 deletions
--- a/app/default/snippets/ssl.conf
+++ b/app/default/snippets/ssl.conf
@@ -0,0 +1,26 @@
+listen  80;
+listen  [::]:80;
+listen  443 ssl;
+listen  [::]:443 ssl;
+
+if ($scheme != "https") {
+	return	302 https://$host$request_uri;
+}
+
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+# https://ssl-config.mozilla.org/
+ssl_certificate		ssl.cer;
+ssl_certificate_key	ssl.key;
+ssl_session_timeout	1d;
+ssl_session_cache	shared:SSL:10m;
+ssl_session_tickets	off;
+ssl_protocols		TLSv1.2 TLSv1.3;
+ssl_ciphers		ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers	off;
+add_header		Strict-Transport-Security "max-age=63072000" always;	# HSTS (needs ngx_http_headers_module)
+ssl_stapling		on;	# OCSP stapling
+ssl_stapling_verify     on;
+
+location /.well-known/ {
+	root /var/www;
+}